From: Andy Lutomirski <luto@amacapital.net>
To: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
James Morris <james.l.morris@oracle.com>,
Eric Paris <eparis@redhat.com>,
"Andrew G. Morgan" <morgan@kernel.org>
Subject: [RFC] Capabilities still can't be inherited by normal programs
Date: Sat, 1 Dec 2012 19:04:56 -0800 [thread overview]
Message-ID: <CALCETrVQxPDfU83-LUWrf330wOBbSsMvKdFXMR3CL4LmDvyfMw@mail.gmail.com> (raw)
I'd like to be able to run programs (like bash!) as nonroot but with
some capabilities granted. After all these years, it's almost, but
not quite, possible. This is because the transition rule (if root
isn't involved or NOROOT is set) is pP' = (pB' & fP) | (pI' & fI),
and, when execing a program without vfs caps set, fI = 0. I want to
set PR_SET_KEEPCAPS, setuid away from root, set some capability as
inheritable, and exec something. That capability stays inheritable,
but it doesn't end up permitted. Oops.
(There's another alarming thing that happens -- programs end up with
capability bits that are inheritable but not permitted. I'd like to
change cap_bprm_set_creds to clear all inheritable bits that don't end
up in the final permitted set to minimize confusion. Of course, this
*could* (but seems unlikely to) trigger security bugs.)
The obvious but scary fix is to make everything act like fI = <all
caps> if vfs caps aren't set. It's not immediately obvious why this
would be bad: no task has any inheritable capabilities by default.
Something like the sendmail bug is unlikely here -- this change would
give *more* caps, not fewer, and it could be done in such a way that
setuid binaries don't inherit caps.
A less scary way would be to make it opt-in: set a securebit if you
want default capability inheritance. This requires CAP_SETPCAP, which
seems to be shorthand for "allow me to shoot myself in the foot".
Sensible programs might set no_new_privs when they set this securebit.
An even less scary way would be to require a new securebit *and* no_new_privs.
Any suggestions? I'm happy to write patches, but I'd rather not cook
up ten patches and have this get stuck in limbo for years.
For some rationale: I want to write a program that has cap_net_raw
permitted as a file capability. That program will do some checks and
then invoke tcpdump. I can't do this: tcpdump can't inherit
capabilities into its permitted set unless I set the cap_net_raw
inheritable bit on it.
--Andy
P.S. The get_file_caps code is gross. Whatever the outcome of this
discussion, I'll submit a patch to clean it up, and I'll probably add
a file to Documentation/security for good measure.
next reply other threads:[~2012-12-02 3:05 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-02 3:04 Andy Lutomirski [this message]
2012-12-02 17:21 ` [RFC] Capabilities still can't be inherited by normal programs Andrew G. Morgan
2012-12-02 18:35 ` Andy Lutomirski
2012-12-02 22:26 ` Andrew G. Morgan
2012-12-02 23:04 ` Andy Lutomirski
2012-12-03 2:20 ` Andrew G. Morgan
2012-12-03 4:48 ` Andy Lutomirski
2012-12-04 13:54 ` Serge E. Hallyn
2012-12-05 19:32 ` Andy Lutomirski
2012-12-05 20:12 ` Markku Savela
2012-12-05 21:05 ` Serge Hallyn
2012-12-05 21:46 ` Andy Lutomirski
2012-12-05 22:20 ` Serge Hallyn
2012-12-07 0:57 ` Casey Schaufler
2012-12-07 14:42 ` Serge E. Hallyn
2012-12-07 17:00 ` Casey Schaufler
2012-12-07 17:07 ` Andrew G. Morgan
2012-12-07 18:39 ` Andy Lutomirski
2012-12-08 22:33 ` Andrew G. Morgan
2012-12-08 23:37 ` Andy Lutomirski
2012-12-08 23:57 ` Andy Lutomirski
2012-12-12 18:29 ` Andy Lutomirski
2012-12-12 18:45 ` Serge Hallyn
2012-12-19 13:14 ` Pádraig Brady
2012-12-10 14:59 ` Serge Hallyn
2012-12-10 15:47 ` Casey Schaufler
2012-12-10 16:27 ` Serge Hallyn
2012-12-10 18:12 ` Andy Lutomirski
2012-12-10 19:13 ` Casey Schaufler
2012-12-10 19:31 ` Andy Lutomirski
2012-12-10 19:51 ` Casey Schaufler
2012-12-10 19:55 ` Andy Lutomirski
2012-12-10 20:17 ` Kees Cook
2012-12-10 18:05 ` Andy Lutomirski
2012-12-10 14:36 ` Serge Hallyn
[not found] ` <CALQRfL6UWLFpTfvan9oirtLdozJqZX4oZwDuQFVnJp8MP06C_Q@mail.gmail.com>
2012-12-10 14:27 ` Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrVQxPDfU83-LUWrf330wOBbSsMvKdFXMR3CL4LmDvyfMw@mail.gmail.com \
--to=luto@amacapital.net \
--cc=eparis@redhat.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).