Re: [PATCH] support cap inheritable (Re: [PATCH] scaled-back caps,take 4 (was Re: [PATCH] capabilites, take 2)

From: Andy Lutomirski
Date: Tue May 18 2004 - 20:37:32 EST

Next message: Andy Lutomirski: "Re: [PATCH] scaled-back caps, take 4"
Previous message: john moser: "ADM8211 chipset (DWL-650)"
Next in thread: Chris Wright: "Re: [PATCH] support cap inheritable (Re: [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Chris Wright wrote:

* Chris Wright (chrisw@xxxxxxxx) wrote:

* Andy Lutomirski (luto@xxxxxxxxxxxxx) wrote:

This version throws out the inheritable mask. There is no change in
behavior with newcaps=0.

Alright, I tried to write up my expectations for all the various modes
w.r.t dropping privs, keeping them, setuid apps, etc. I then wrote some
tests to get a baseline, and well as a way to compare results. Finally
I wrote a patch that meets the requirements I laid out, and compared it
against yours. With one minor exception, the capabilities bits match
up. You drop effective caps when a non-root users execs a non-root
setuid app, and I the caps alone. One side note, you're changes effect
the user/group saved ids unexpectedly.

Disclaimer: I haven't had a chance to boot this version.

The tests are available at:
http://developer.osdl.org/~chrisw/capabilities/testcap.tar.bz2

patch is there too and is also inline below:
http://developer.osdl.org/~chrisw/capabilities/2.6.6-mm2/chris_cap.patch

--- linux-2.6.6-mm2-cap/include/linux/capability.h.orig 2004-05-09 19:32:26.000000000 -0700
+++ linux-2.6.6-mm2-cap/include/linux/capability.h 2004-05-17 23:24:08.143860096 -0700
@@ -309,7 +309,9 @@
#define CAP_EMPTY_SET to_cap_t(0)
#define CAP_FULL_SET to_cap_t(~0)
#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
-#define CAP_INIT_INH_SET to_cap_t(0)
+#define CAP_INIT_INH_SET to_cap_t(~0)
+/* ~0 is legacy inheritable mode and can never be capset by user */
+#define cap_orig_inh(_cap) (cap_t((_cap)) == ~0)

So how do you say "inherit all caps"?

[...]

@@ -56,10 +59,13 @@
int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
+ kernel_cap_t target_inheritable = target->cap_inheritable;
+ if (cap_orig_inh(target_inheritable))
+ target_inheritable = 0;
/* Derived from kernel/capability.c:sys_capset. */
/* verify restrictions on target's new Inheritable set */
if (!cap_issubset (*inheritable,
- cap_combine (target->cap_inheritable,
+ cap_combine (target_inheritable,
current->cap_permitted))) {
return -EPERM;
}

What stops legacy mode from being reenabled?

[...]

I think you missed the case when root-but-no-caps execs setuid root -- I don't see anything that would enable secureexec.

--Andy
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andy Lutomirski: "Re: [PATCH] scaled-back caps, take 4"
Previous message: john moser: "ADM8211 chipset (DWL-650)"
Next in thread: Chris Wright: "Re: [PATCH] support cap inheritable (Re: [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]