Re: proposal to refine capability checks when _rlimit_overlimit() is true

From: 孟敬姿
Date: Tue Jan 09 2024 - 06:46:57 EST


I understand change the code here may affect the world outside the
kernel. And there might be useability issues when applications in
userspace are not updated. But the good news is that the
modification's impact on userspace is relatively contained.
Here's a breakdown:

1. Usage statistics for the latest version of Ubuntu show that
applications have limited use of capability.
(1) Under the default configuration, only 28 processes in
Ubuntu 22.04 LTS were found to have capability, with 15
running as root and unaffected by the proposed change.
(2) Among the 59k packages on Ubuntu 21.10, only 29 programs
were configured with capability.[1]

2. For programs that use capability, it is not complicated for developers
or sysadmin to reconfigure it. Programs using capability can be
categorized into two types:
(1) those started by root have full capability by default, which
can be changed with the prctl system call.
(2) and those with capabilities configured directly on the
executable file can be modified by secap command directly.

So the key to using capability is to choose the least privilege that
will accomplish the function. This can't be done without the kernel's
clear delineation of privileges.

This change will make it clear that if you only need to cross system
limits, then sys_resource is the capability you need. This may cause
some processes that are using sys_admin to bypass limits to fail, but
from a least privilege point of view, it may be good to reduce the
unnecessary use of sys_admin.

Best regards,
Jingzi

[1] Hasan, Md Mehedi, Seyedhamed Ghavamnia, and Michalis Polychronakis.
"Decap: Deprivileging programs by reducing their capabilities."
Proceedings of the 25th International Symposium on Research in Attacks,
Intrusions and Defenses. 2022.