linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Christoph Lameter <cl@linux.com>
To: "Andrew G. Morgan" <morgan@kernel.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
	LSM List <linux-security-module@vger.kernel.org>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	Michael Kerrisk <mtk.manpages@gmail.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Linux API <linux-api@vger.kernel.org>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Aaron Jones <aaronmdjones@gmail.com>,
	Andy Lutomirski <luto@amacapital.net>,
	Austin S Hemmelgarn <ahferroin7@gmail.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Andrew Morton <akpm@linuxfoundation.org>,
	Markku Savela <msa@moth.iki.fi>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] capabilities: Ambient capability set V2
Date: Tue, 10 Mar 2015 10:47:22 -0500 (CDT)	[thread overview]
Message-ID: <alpine.DEB.2.11.1503100902500.32324@gentwo.org> (raw)
In-Reply-To: <CALQRfL4uG2v7SJWZhN2o=ARnSNLR9JAX6MMsCCsGaAz6JcZTsA@mail.gmail.com>

On Mon, 9 Mar 2015, Andrew G. Morgan wrote:

> If this is new info, perhaps you might reconsider the rationale for your
> patch? I suspect you are focused on addressing a problem that you felt was
> unaddressed before, but given how much appears to have been unclear to you
> about the current implementation it might be worth a pause for thought.

The problems with unclear documentation and a weird counterintuitive
implementation that lots of people have trouble to use do not impact the
approach as far as I can tell. The discovery about how to set inheritable
bits does not help with the use cases here.

Even with this patch there is still the need to write a wrapper to get
the functionality that one would expect to just be possible by setting
inheritable bits on a file. The necessity to set the bits via prctl
in the wrapper complicates matters further and makes it even more
difficult than we thought before to make use of this feature.

> http://ols.fedoraproject.org/OLS/Reprints-2008/hallyn-reprint.pdf

Well maybe one should make sure that this info is properly comunicated
in the man pages and related documentation? This seems to be a big decade
old desaster. I need a Ph.D. in capabilities in order to attempt to use
them (but then oww no they still are not able to handle my use cases).

We get security through obscurity and also have then the inabilty to make
effective use of capabilities? Security measures need to follow
basic conventions, be obvious and easily understandable as well as well
documented. There is a huge risk of a sysadmin misconfiguring one of the
multiple measures that one needs to go through in order to gain some
sort of inheritance of capabilities and thereby adding more functionality
than necessary just in order to get it to work.

The best measure would be to make the inheritance bits work as one
would naturally expect. They just allow full inheritance of the caps.
No wrappers needed and its easily understood what it does.



  parent reply	other threads:[~2015-03-10 15:47 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-02-26 22:14 [PATCH] capabilities: Ambient capability set V2 Christoph Lameter
2015-03-01  4:44 ` Serge E. Hallyn
2015-03-02 15:43   ` Christoph Lameter
2015-03-01 23:33 ` Serge E. Hallyn
2015-03-05 15:26   ` Christoph Lameter
2015-03-05 17:13     ` Serge E. Hallyn
2015-03-05 18:41       ` Christoph Lameter
2015-03-05 23:07         ` Andy Lutomirski
2015-03-06 15:47           ` Christoph Lameter
2015-03-06 15:50       ` Christoph Lameter
2015-03-06 16:34         ` Serge E. Hallyn
2015-03-06 18:53           ` Christoph Lameter
2015-03-06 19:02             ` Andy Lutomirski
2015-03-06 20:08               ` Serge E. Hallyn
2015-03-07 15:09                 ` Christoph Lameter
2015-03-07 21:35                   ` Serge E. Hallyn
2015-03-09 12:05                     ` Christoph Lameter
2015-03-09 14:36                       ` Serge E. Hallyn
     [not found]                         ` <CALQRfL4uG2v7SJWZhN2o=ARnSNLR9JAX6MMsCCsGaAz6JcZTsA@mail.gmail.com>
2015-03-10 15:47                           ` Christoph Lameter [this message]
2015-03-07 15:06               ` Christoph Lameter
2015-03-07 21:35                 ` Serge E. Hallyn
2015-03-14 19:04 ` Pavel Machek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.11.1503100902500.32324@gentwo.org \
    --to=cl@linux.com \
    --cc=aaronmdjones@gmail.com \
    --cc=ahferroin7@gmail.com \
    --cc=akpm@linuxfoundation.org \
    --cc=corbet@lwn.net \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=morgan@kernel.org \
    --cc=msa@moth.iki.fi \
    --cc=mtk.manpages@gmail.com \
    --cc=serge.hallyn@canonical.com \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).