From: Andrew Morgan <morgan@kernel.org>
To: casey@schaufler-ca.com
Cc: "Serge E. Hallyn" <serue@us.ibm.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Chris Wright <chrisw@sous-sol.org>,
Andrew Morgan <agm@google.com>, Andrew Morton <akpm@google.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: implement-file-posix-capabilities.patch
Date: Thu, 28 Jun 2007 08:50:13 -0700 [thread overview]
Message-ID: <4683D8B5.1060809@kernel.org> (raw)
In-Reply-To: <924812.95310.qm@web36611.mail.mud.yahoo.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Casey Schaufler wrote:
>> The only reason for having an fE bitmap is to allow a capability-aware
>> program (you really trust to do its privileged operations carefully) to
>> be lazy and get some of its capabilities raised for free. Perhaps you
>> can clarify why this is a desirable thing? :-)
>
> No, it's to allow you to grant a subset of the available capabilities
> to a program that is not aware of capabilities. You can give "date"
> the capability to reset the clock without giving it the capability
> to remove other people's files without changing the code or running
> it setuid.
This is precisely what fE = 0 or ~0 provides.
Recall, an exec()'d program gets its p*' capabilities from a convolution
of its exec()er's inheritable set (pI) *and* the file's capabilities
(fI,fP,fE):
pI' = pI
pP' = (X & fP) | (pI & fI)
pE' = pP' & fE
[Linux essentially has cap_bset for X.]
The fine-grain ability for ping to do its thing without becoming
powerful enough to load a kernel module, for example, is facilitated by
the "pP' &" part of the derivation of pE' (and not simply the unfiltered
value of fE!).
As I said before, either the program knows how to raise and lower bits
in its pE set, or it doesn't. In the former case, fE=0. In the latter
case, fE=~0 will ensure that it gets all of the capabilities it is
permitted to exercise at time of execution.
Could you cite some examples of where this position is unreasonable?
Thanks
Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGg9i1+bHCR3gb8jsRAvViAJ9T5x1fHrLGF4niRq7VhRqg4sej3wCgxkom
oAFQEQwLkd/D6J5gi7Fb3Ww=
=+ZLb
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2007-06-28 15:50 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20070611123714.GA2063@sergelap.austin.ibm.com>
[not found] ` <878322.98602.qm@web36606.mail.mud.yahoo.com>
[not found] ` <afff21250706110926l244ddc28i44289cb08a6721e2@mail.gmail.com>
[not found] ` <20070617135239.GA17689@sergelap>
[not found] ` <4676007F.7060503@kernel.org>
[not found] ` <20070618044017.GW3723@sequoia.sous-sol.org>
[not found] ` <20070620171037.GA28670@sergelap.ibm.com>
[not found] ` <20070620174613.GF3723@sequoia.sous-sol.org>
2007-06-21 16:00 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-23 8:13 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-24 15:51 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-24 16:18 ` implement-file-posix-capabilities.patch James Morris
2007-06-24 20:58 ` [PATCH][RFC] security: Convert LSM into a static interface James Morris
2007-06-24 22:09 ` Chris Wright
2007-06-24 22:37 ` James Morris
2007-06-25 1:38 ` Chris Wright
2007-06-24 23:40 ` Casey Schaufler
2007-06-25 1:39 ` Chris Wright
2007-06-25 3:37 ` Casey Schaufler
2007-06-25 3:57 ` Chris Wright
2007-06-25 13:02 ` Casey Schaufler
2007-06-25 14:24 ` Roberto De Ioris
2007-06-25 4:33 ` [PATCH try #2] " James Morris
2007-06-25 4:48 ` Petr Vandrovec
2007-06-25 4:58 ` James Morris
2007-06-25 16:59 ` Stephen Smalley
2007-06-25 23:56 ` [PATCH try #3] " James Morris
2007-06-25 20:37 ` [PATCH try #2] " Andreas Gruenbacher
2007-06-25 21:14 ` James Morris
2007-06-26 3:57 ` Serge E. Hallyn
2007-06-26 13:15 ` Adrian Bunk
2007-06-26 14:06 ` Serge E. Hallyn
2007-06-26 14:59 ` Adrian Bunk
2007-06-26 15:53 ` Serge E. Hallyn
2007-06-26 18:52 ` Adrian Bunk
2007-06-26 18:18 ` Greg KH
2007-06-26 18:40 ` Serge E. Hallyn
2007-06-26 4:09 ` Kyle Moffett
2007-06-26 4:25 ` Kyle Moffett
2007-06-26 13:47 ` Serge E. Hallyn
2007-06-27 0:07 ` Kyle Moffett
2007-06-27 0:57 ` Crispin Cowan
2007-06-27 1:22 ` Kyle Moffett
2007-06-27 4:24 ` Chris Wright
2007-06-27 13:41 ` Serge E. Hallyn
2007-06-27 14:36 ` James Morris
2007-06-27 17:21 ` Serge E. Hallyn
2007-06-27 18:51 ` Serge E. Hallyn
2007-06-27 19:28 ` James Morris
2007-06-28 2:48 ` Serge E. Hallyn
2007-06-25 3:57 ` [PATCH][RFC] " Serge E. Hallyn
2007-06-25 4:10 ` Chris Wright
2007-06-25 4:54 ` Serge E. Hallyn
2007-06-25 13:50 ` Casey Schaufler
2007-06-25 13:54 ` James Morris
2007-06-25 14:32 ` Serge E. Hallyn
2007-06-25 15:08 ` Casey Schaufler
2007-06-27 5:00 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-27 13:16 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 6:19 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-28 13:36 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 15:14 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-28 15:38 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 15:56 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-29 5:30 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-29 13:24 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-29 14:46 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-28 15:50 ` Andrew Morgan [this message]
2007-07-02 14:38 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-07-04 21:29 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-07-04 23:00 ` implement-file-posix-capabilities.patch Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4683D8B5.1060809@kernel.org \
--to=morgan@kernel.org \
--cc=agm@google.com \
--cc=akpm@google.com \
--cc=casey@schaufler-ca.com \
--cc=chrisw@sous-sol.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).