Re: [RFC] [PATCH] file posix capabilities

[Eric W. Biederman]

"Serge E. Hallyn" <serue@xxxxxxxxxx> writes:

> In fact my version knowingly ignores CAP_AUDIT_WRITE and
> CAP_AUDIT_CONTROL (because on my little test .iso they didn't exist).
> So a version number may make sense.
>
>> So we need some for of
>> forward/backward compatibility.  Maybe in the cap name?
>
> You mean as in use 'security.capability_v32" for the xattr name?
> Or do you really mean add a cap name to the structure?

I was thinking the xattr name.  But mostly I was looking
for a place where you had possibly stashed a version.

Thinking about it possibly the most portable thing to do
is to assign each cap a well known name.  Say
"security.cap.dac_override" and have a value in there like +1  
add the cap -1 clear the cap.  That at least seems to provide
granularity and some measure of future proofing and some measure of
portability.  The space it would take with those names looks ugly
though.

The practical question is what do you do with a program that
was give a set of capabilities you no longer support? 
Do you run it without any capabilities at all?
Do you give it as many capabilities of what it asked for
   as you can?
Do you complain loudly and refuse to execute it at all?

What is the secure choice that least violates the principle of least surprise?

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/