Message-ID: <54D0EBE8.8090203@schaufler-ca.com>
Date: Tue, 03 Feb 2015 07:40:24 -0800
From: Casey Schaufler
To: Christoph Lameter, Andy Lutomirski
CC: Serge Hallyn, Serge Hallyn, Jonathan Corbet, Aaron Jones, "Ted Ts'o", LSM List, "linux-kernel@vger.kernel.org", Andrew Morton, Casey Schaufler
Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities
References: <54CFB9B8.8020701@schaufler-ca.com> <20150202180806.GE24351@ubuntumail>
In-Reply-To:

On 2/3/2015 7:17 AM, Christoph Lameter wrote:
> On Mon, 2 Feb 2015, Andy Lutomirski wrote:
>
>> None of this could address the problem here, though: if I hold a
>> capability and I want to pass that capability to an exec'd helper, I
>> shouldn't need the fs's help to do this.
> Amen!
>

That's completely consistent with the notion that if a binary has no file capabilities (as opposed to a set that contains no capabilities) the process capabilities are unchanged by exec(). If the binary does have capabilities, however, it must always apply them. That should be obvious.

In your case, the helper would have no file capabilities, and hence get whatever the invoker has. A program that should never run with capabilities should have a file attribute stating such.

Where it gets sticky is the case where you want inheritance when invoked by one service and no capabilities when invoked from another. If we live with the notion that you have to choose, this is easy enough to solve.
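The exec() rule proposed in the message above, modeled as an added example (a user-space model, not kernel code and not from anyone in this thread). It assumes the three cases the message distinguishes: no security.capability xattr, an xattr naming no capabilities, and an xattr naming some; the "xattr present" branch assumes the pre-ambient rule from capabilities(7), and the uid-0 and securebits special cases are left out.

```c
/* Capability transformation at exec() as proposed in the message above:
 * a binary with NO security.capability xattr leaves the caller's caps
 * untouched, while a binary that HAS an xattr (even one naming no
 * capabilities) always has it applied.  Added example: a user-space
 * model, not kernel code; it ignores the uid-0 and securebits cases.
 * The "xattr present" branch assumes the rule in capabilities(7) from
 * before ambient capabilities existed:
 *   P'(permitted)   = (P(inh) & F(inh)) | (F(permitted) & P(bounding))
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_ADMIN (1ULL << 12)   /* bit numbers as in <linux/capability.h> */
#define CAP_SYS_ADMIN (1ULL << 21)
#define CAP_ALL       (~0ULL)

struct proc_caps { uint64_t permitted, inheritable, effective, bounding; };
struct file_caps { bool present; uint64_t permitted, inheritable; bool effective; };

/* Post-exec capability sets of process p after executing binary f. */
struct proc_caps exec_caps(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n = p;
    if (!f.present)            /* no xattr at all: process caps unchanged */
        return n;
    /* xattr present, possibly an all-zero set: apply it unconditionally */
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective   = f.effective ? n.permitted : 0;
    n.inheritable = p.inheritable;
    return n;
}

/* Constructed caller: a service holding CAP_NET_ADMIN it wants to pass on. */
struct proc_caps sample_service(void)
{
    struct proc_caps s = { CAP_NET_ADMIN, CAP_NET_ADMIN, CAP_NET_ADMIN, CAP_ALL };
    return s;
}

int main(void)
{
    struct file_caps none   = { false, 0, 0, false };  /* plain helper binary */
    struct file_caps empty  = { true,  0, 0, false };  /* "never run with caps" */
    struct file_caps sysadm = { true,  CAP_SYS_ADMIN, 0, true };
    printf("no xattr:    permitted=%#llx\n", (unsigned long long)exec_caps(sample_service(), none).permitted);
    printf("empty xattr: permitted=%#llx\n", (unsigned long long)exec_caps(sample_service(), empty).permitted);
    printf("file caps:   permitted=%#llx\n", (unsigned long long)exec_caps(sample_service(), sysadm).permitted);
    return 0;
}
```

The first case is the helper Andy describes (caps pass through), the second is the "file attribute stating such" that strips them, and the third shows a binary's own file caps replacing the caller's.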