Re: ÐÑÐÐÑ: VFS, NFS security bug? Should CAP_MKNOD and CAP_LINUX_IMMUTABLE be added toCAP_FS_MASK?

From: Serge E. Hallyn
Date: Mon Mar 16 2009 - 14:49:46 EST


Quoting Stephen Smalley (sds@xxxxxxxxxxxxx):
> On Fri, 2009-03-13 at 14:00 -0500, Serge E. Hallyn wrote:
> > Quoting Igor Zhbanov (izh1979@xxxxxxxxx):
> > > But ordinary users can't create devices. It seems to me that in time
> > > of implementation of capabilities in kernel 2.4, capabilities related
> > > to filesystem was added first. And mark for them contains all above in
> > > header file. And when CAP_MKNOD was added later, author just forget to
> > > update mask.
> > >
> > > If mask was designed to drop all filesystem related capabilities, then
> > > it must be expanded, because ordinary users cannot create devices etc.
> >
> > I think you thought Bruce was saying we shouldn't change the set of
> > capabilities, but he was just asking exactly what changes Michael was
> > interested in.
> >
> > Igor, thanks for finding this. I never got your original message. Do
> > you have a patdch to add the two capabilities? Do you think the
> > other two I mentioned (CAP_SYS_ADMIN and CAP_SETFCAP) need to be
> > added too?
> >
> > I've added Andrew Morgan, LSM and SELinux mailing lists to get another
> > opinion about adding those two. In particular, we'd be adding them
> > to the fs_masks becuase CAP_SYS_ADMIN lets you change the selinux
> > label, and CAP_SETFCAP lets you change the file capabilities.
>
> I'd be inclined against adding CAP_SYS_ADMIN to the mask; note that it
> is only checked for setting SELinux security contexts (or more broadly
> any attributes in the security namespace) when SELinux is disabled. In
> the SELinux-enabled case, we are checking SELinux-specific permissions
> when setting the SELinux attributes, whether on the client or the
> server.

But that's exactly why it seemed like it ought to be in there. If
SELinux is enabled, then SELinux will continue to perform it's own
checks based on security context and ignoring privileged root. But
outside of that, since we are in a root-is-privileged mode, should it
not be the case that having fsuid=0 means that you can set extended
attributes in the security namespace?

Conversely, if setting fsuid to non-zero, shouldn't all of the
privileged ways of setting file attributes be lost? Or, will we run
into a problem where software wanted to set its fsuid to non-0 but
still be able to call sethostname(2), for instance? In which case
we simply cannot put CAP_SYS_ADMIN in CAP_FS_MASK.

I guess it comes back down to whether those xattrs are considered a
security attribute or a simple file property.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/