Re: capabilitiescompute_cred

[Andy Lutomirski]

Chris Wright wrote:
> > IMHO, capabilities are a broken idea anyway, and should ultimately be
> > replaced entirely using Type Enforcement (which SELinux includes).  A
> > comparison of the two approaches is in
> > http://www.securecomputing.com/pdf/secureos.pdf.  Today we still stack
> > SELinux with the capabilities module, but long term, I'd like to see us
> > just drop capabilities and use TE by itself to manage privileges.
>
>
> I have the same dislike for capabilities.  It's more like a wart than
> a feature.  I get requests to have RBAC be the core priv system rather
> than capabilities.

I agree in principle, but it would still be nice to have a simple way to 
have useful capabilities without setting up a MAC system.  I don't see a 
capabilities fix adding any significant amount of code; it just takes 
some effort to get it right.

> In the meantime, I've often idly wondered why we don't simply inherit as
> advertised.  The patch below does this, but I haven't even started
> looking for security sensitive failure modes.

I'm not sure that introduces security problems, but I'm also not sure it 
fixes much.  You can find my attempts to get it right in the 
linux-kernel archives, and I'll probably try to get something into 2.7 
when it forks.  With or without MAC, having a functioning capability 
system wouldn't hurt security.

> thanks,
> -chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/