Re: [RFC] capabilities: add capability cgroup controller

From: Serge E. Hallyn
Date: Wed Jun 22 2016 - 20:01:46 EST


Quoting Kees Cook (keescook@xxxxxxxxxxxx):
> On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> > Quoting Topi Miettinen (toiwoton@xxxxxxxxx):
> >> On 06/22/16 17:14, Serge E. Hallyn wrote:
> >> > Quoting Topi Miettinen (toiwoton@xxxxxxxxx):
> >> >> On 06/21/16 15:45, Serge E. Hallyn wrote:
> >> >>> Quoting Topi Miettinen (toiwoton@xxxxxxxxx):
> >> >>>> On 06/19/16 20:01, serge@xxxxxxxxxx wrote:
> >> >>>>> apologies for top posting, this phone doesn't support inline)
> >> >>>>>
> >> >>>>> Where are you preventing less privileged tasks from limiting the caps of a more privileged task? It looks like you are relying on the cgroupfs for that?
> >> >>>>
> >> >>>> I didn't think that aspect. Some of that could be dealt with by
> >> >>>> preventing tasks which don't have CAP_SETPCAP to make other tasks join
> >> >>>> or set the bounding set. One problem is that the privileges would not be
> >> >>>> checked at cgroup.procs open(2) time but only when writing. In general,
> >> >>>> less privileged tasks should not be able to gain new capabilities even
> >> >>>> if they were somehow able to join the cgroup and also your case must be
> >> >>>> addressed in full.
> >> >>>>
> >> >>>>>
> >> >>>>> Overall I'm not a fan of this for several reasons. Can you tell us precisely what your use case is?
> >> >>>>
> >> >>>> There are two.
> >> >>>>
> >> >>>> 1. Capability use tracking at cgroup level. There is no way to know
> >> >>>> which capabilities have been used and which could be trimmed. With
> >> >>>> cgroup approach, we can also keep track of how subprocesses use
> >> >>>> capabilities. Thus the administrator can quickly get a reasonable
> >> >>>> estimate of a bounding set just by reading the capability.used file.
> >> >>>
> >> >>> So to estimate the privileges needed by an application? Note this
> >> >>> could also be done with something like systemtap, but that's not as
> >> >>> friendly of course.
> >> >>>
> >> >>
> >> >> I've used systemtap to track how a single process uses capabilities, but
> >> >> I can imagine that without the cgroup, using it to track several
> >> >> subprocesses could be difficult.
> >> >>
> >> >>> Keeping the tracking part separate from enforcement might be worthwhile.
> >> >>> If you wanted to push that part of the patchset, we could keep
> >> >>> discussing the enforcement aspect separately.
> >> >>>
> >> >>
> >> >> OK, I'll prepare the tracking part first.
> >> >
> >> > So this does still have some security concerns, namely leaking information
> >> > to a less privileged process about what privs a root owned process used.
> >> > That's not on the same level as giving away details about memory mappings,
> >> > but could be an issue. Kees (cc'd), do you see that as an issue ?
> >> >
> >> > thanks,
> >> > -serge
> >> >
> >>
> >> Anyone can see the full set of capabilities available to each process
> >
> > But not the capabilities used. That's much more invasive.
> >
> >> via /proc/pid/status. But should I for example add a new flag
> >> CFTYPE_OWNER_ONLY to limit reading capability.used file to only owner
> >> (root) and use it here?
> >
> > Not sure that it's needed, let's see what Kees says. However if it is,
> > then using owner would not suffice, since that's tangential to the
> > privilege level of the task.
>
> I don't see a problem exposing the history of used capabilities to

Thanks, Kees.

> less privileged processes. The only thing I could see that being used
> for would be to improve some kind of race against a buggy process
> where you know caps get used at a certain time in the code, so
> spinning on reading /proc/pid/status might give you a better chance of

It would actually be a cgroup file, I think someone else was suggesting
a /proc/pid/status enhancement to the same effect a few weeks ago.

> timing the race. That seems like a pretty far-out exposure, though. I
> imagine instruction counters would give a way finer grained timing
> too, so I wouldn't object to this being visible.
>
> -Kees
>
> --
> Kees Cook
> Chrome OS & Brillo Security