Re: patch to make Linux capabilities into something useful (v 0.3.1)
From: Kyle Moffett
Date: Thu Sep 07 2006 - 14:31:19 EST
On Sep 07, 2006, at 14:21:15, James Antill wrote:
David Madore <david.madore@xxxxxx> writes:
Hi.
As we all know, capabilities under Linux are currently crippled to
the point of being useless. Attached is a patch (against 2.6.18-
rc6) which attempts to make them work in a reasonably useful way
and at the same time not break anything. On top of the
"additional" capabilities that lead up to root, it also adds
"regular" capabilities which all processes have by default and
which can be removed from specifically untrusted programs.
Just a minor comment, can you break out the OPEN into at least
OPEN_R, OPEN_NONFILE_W and OPEN_W (possibly OPEN_A, but I don't
want that personally). The case I'm thinking about are network
daemons that need to open+write to the syslog socket but only have
read access elsewhere.
Also there is much more than just bind9 using capabilities, the
obvious ones that come to mind are NOATIME and AUDIT.
To be honest, once you get to the point of having an OPEN_NONFILE_W
capability you should really just be using SELinux. Instead of
spewing policy all over your filesystem xattrs you put it all into a
single set of fairly admin-readable policy files, and it includes
more fine-grained operations than you have space for in 32 bits of
"un"-capabilities. It also conveniently supports the existing pseudo-
POSIX capabilities. You can effectively say "root, netadmin, and
netuser users are allowed to run ping programs which automatically
transition into the ping domain and get CAP_NET_RAW privileges" in
your binary policy, then just leave ping as chmod "755" and be done
with it.
Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/