Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

From: Serge E. Hallyn
Date: Thu Jan 14 2010 - 10:08:12 EST

Next message: Jason Wessel: "[PATCH 23/40] kgdb: Add the ability to schedule a breakpoint via a tasklet"
Previous message: Jason Wessel: "[PATCH 21/40] powerpc,kgdb: Introduce low level trap catching"
In reply to: Pavel Machek: "Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)"
Next in thread: Michael Stone: "Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Pavel Machek (pavel@xxxxxx):
> > Quoting Michael Stone (michael@xxxxxxxxxx):
> > > Serge Hallyn wrote:
> > > >Michael, I'm sorry, I should go back and search the thread for the
> > > >answer, but don't have time right now - do you really need
> > > >disablenetwork to be available to unprivileged users?
> > >
> > > Rainbow can only drop the networking privileges when we know at app launch time
> > > (e.g. based on a manifest or from the human operator) that privileges can be
> > > dropped. Unfortunately, most of the really interesting uses of disablenetwork
> > > happen *after* rainbow has dropped privilege and handed control the app.
> > > Therefore, having an API which can be used by at least some low-privilege
> > > processes is important to me.
> > >
> > > >is it ok to require CAP_SETPCAP (same thing required for dropping privs from
> > > >bounding set)?
> > >
> > > Let me try to restate your idea:
> > >
> > > We can make disablenetwork safer by permitting its use only where explicitly
> > > permitted by some previously privileged ancestor. The securebits facility
> > > described in
> > >
> > > http://lwn.net/Articles/280279/
> > >
> > > may be a good framework in which to implement this control.
> > >
> > > Did I understand correctly? If so, then yes, this approach seems like it would
> > > work for me.
> >
> > That is a little more than I was saying this time though I think I
> > suggested it earlier.
> >
> > But really I don't think anyone would care to separate a system into
> > some processes allowed to do unprivileged disablenetwork and other
> > processes not allowed to, so a (root-owned mode 644) sysctl seems just
> > as useful.
>
> Global solution like that is always wrong. (And we have better
> solution available.)

All right, so Michael suggested securebits, I personally feel prctl would
be more appropriate, but in any case the suggestion then is:

foo_enable_disablenet() is either prctl(PR_ALLOW_DISABLENET) or
prctl(PR_SET_SECUREBITS, (1 << PR_ALLOW_DISABLENET) | (1 << PR_ALLOW_DISABLENET_LOCK))
and it requires privilege (CAP_NET_ADMIN presumably) to make this call.

prctl(PR_SET_DISABLENETWORK), or whatever Michael was using, does not
require privilege, but requires that foo_enable_disablenet() have been
previously called by a privileged app.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jason Wessel: "[PATCH 23/40] kgdb: Add the ability to schedule a breakpoint via a tasklet"
Previous message: Jason Wessel: "[PATCH 21/40] powerpc,kgdb: Introduce low level trap catching"
In reply to: Pavel Machek: "Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)"
Next in thread: Michael Stone: "Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]