Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

From: Crispin Cowan
Date: Tue Apr 18 2006 - 16:13:37 EST


Valdis.Kletnieks@xxxxxx wrote:
> If we heave the LSM stuff overboard, there's one thing that *will* need
> addressing - what to do with kernel support of Posix-y capabilities. Currently
> some of the heavy lifting is done by security/commoncap.c.
>
> Frankly, that's *another* thing that we need to either *fix* so it works right,
> or rip out of the kernel entirely. As far as I know, there's no in-tree way
> to make /usr/bin/ping be set-CAP_NET_RAW and have it DTRT.
>
This has actually been one of the interesting developments in AppArmor.
I also had no use for POSIX.1e capabilities; I thought they were so
awkward as to be useless. That is, until we integrated capabilities into
AppArmor profiles.

Consider this profile for /bin/stty:

/bin/stty {
  #include <abstractions/base>

  capability sys_tty_config,

  /bin/stty r,
}

This policy basically allows stty to run, read its own text file, and
use the capability sys_tty_config. Even though it may run as root, this
profile confines it to *only* have sys_tty_config.

This gives the system administrator the ability to force applications to
"drop" privs even when the application developer didn't bother, or (as
was the case in a Sendmail vulnerability several years ago) the
application *tried* to drop privs and got it wrong, so was running as
full root anyway.

Capabilities are very easy and natural to use in an AppArmor system. And
they don't require any upstream filesystem support. SELinux provides
similar support for Capabilities, so they are worth keeping even without
upstream filesystem support.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
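As an added example (not part of Crispin's mail, and not AppArmor's own parser or enforcement code), here is a small Python model of the capability rule in the stty profile above. It parses the subset of profile syntax the mail shows (profile header, #include, `capability NAME,` and `PATH MODE,` rules), answers the question the kernel asks at capable() time for a task under that profile, and lists capability grants that would leave a profile effectively root-equivalent, which is the review an administrator does before loading a policy. The /usr/local/bin/netd profile, the ROOT_EQUIVALENT set and the function names are constructed for this example.

```python
"""Toy model of AppArmor capability confinement (added example, not AppArmor code)."""
import re

# Capabilities whose grant lets a confined task escape most other restrictions.
# This is reviewer judgement for the example, not a list AppArmor ships.
ROOT_EQUIVALENT = {
    "sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "dac_override",
    "dac_read_search", "setuid", "setgid", "setpcap", "setfcap",
    "mac_admin", "mac_override", "sys_boot", "chown", "fowner",
}

PROFILE_RE = re.compile(r"^\s*(\S+)\s*\{\s*$")
INCLUDE_RE = re.compile(r"^\s*#include\s+<([^>]+)>\s*$")
# `capability,` with no name grants every capability; names are lower case, no CAP_ prefix.
CAP_RE = re.compile(r"^\s*capability((?:\s+[a-z_]+)*)\s*,\s*$")
FILE_RE = re.compile(r"^\s*(/\S+)\s+([rwxmlkaiuPUCpc]+)\s*,\s*$")


def parse_profile(text):
    """Parse one profile into {'name', 'includes', 'capabilities', 'files'}."""
    prof = {"name": None, "includes": [], "capabilities": set(), "files": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = INCLUDE_RE.match(raw)
        if m:                       # #include must be matched before comment stripping
            prof["includes"].append(m.group(1))
            continue
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line == "}":
            continue
        if (m := PROFILE_RE.match(line)):
            if prof["name"] is not None:
                raise ValueError(f"line {lineno}: nested profiles are not modelled")
            prof["name"] = m.group(1)
        elif (m := CAP_RE.match(line)):
            names = m.group(1).split()
            prof["capabilities"].update(names if names else ["*"])   # "*" = all
        elif (m := FILE_RE.match(line)):
            prof["files"][m.group(1)] = m.group(2)
        else:
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
    if prof["name"] is None:
        raise ValueError("no profile header found")
    return prof


def permits_capability(prof, capname):
    """What the LSM capable() hook decides for a task confined by `prof`.

    A task with no profile (prof is None) is unconfined and gets the ordinary
    DAC answer, which for root is "yes"; a confined task is limited to the
    profile's grants even when it runs as root.
    """
    if prof is None:
        return True
    caps = prof["capabilities"]
    return "*" in caps or capname in caps


def audit_profile(prof):
    """Sorted list of root-equivalent grants; ["all"] if the profile grants every capability."""
    caps = prof["capabilities"]
    if "*" in caps:
        return ["all"]
    return sorted(caps & ROOT_EQUIVALENT)


# The profile from the mail.
STTY_PROFILE = """\
/bin/stty {
  #include <abstractions/base>

  capability sys_tty_config,

  /bin/stty r,
}
"""

# Constructed profile for a hypothetical daemon that grants one capability too many.
NETD_PROFILE = """\
/usr/local/bin/netd {
  #include <abstractions/base>

  capability net_raw,
  capability sys_admin,

  /usr/local/bin/netd mr,
  /etc/netd.conf r,
}
"""


if __name__ == "__main__":
    for text in (STTY_PROFILE, NETD_PROFILE):
        prof = parse_profile(text)
        print(prof["name"], "caps:", sorted(prof["capabilities"]))
        print("  capable(sys_tty_config):", permits_capability(prof, "sys_tty_config"))
        print("  capable(sys_admin):     ", permits_capability(prof, "sys_admin"))
        print("  root-equivalent grants: ", audit_profile(prof) or "none")
```

One caveat worth keeping in mind when checking this on a live system: AppArmor mediates capability use inside the kernel's capable() hook rather than rewriting the task's capability sets, so CapEff in /proc/PID/status of a confined root process still shows a full mask; the confinement is visible only as a denial at use time, which is logged with operation="capable" and the capability name.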
