Without this patch it is really hard to interpret a bounding set,
if CAP_LAST_CAP is unknown for a current kernel.
Non-existant capabilities can not be deleted from a bounding set
with help of prctl.
E.g.: Here are two examples without/with this patch.
CapBnd: ffffffe0fdecffff
CapBnd: 00000000fdecffff
I suggest to hide non-existent capabilities. Here is two reasons.
* It's logically and easier for using.
* It helps to checkpoint-restore capabilities of tasks, because tasks
can be restored on another kernel, where CAP_LAST_CAP is bigger.
v2: Non-existent capabilities can not be removed from creds, because
in this case user cannot set all=eip. This patch cleans up non-existent
capabilities from content of /proc/pid/status
Cc: Andrew G. Morgan <[email protected]>
Cc: Serge Hallyn <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: KAMEZAWA Hiroyuki <[email protected]>
Signed-off-by: Andrew Vagin <[email protected]>
---
fs/proc/array.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/fs/proc/array.c b/fs/proc/array.c
index c5db89c..c814ba5 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -308,6 +308,10 @@ static void render_cap_t(struct seq_file *m, const char *header,
seq_putc(m, '\n');
}
+/* Remove non-existent capabilities */
+#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] &= \
+ CAP_TO_MASK(CAP_LAST_CAP + 1) - 1)
+
static inline void task_cap(struct seq_file *m, struct task_struct *p)
{
const struct cred *cred;
@@ -321,6 +325,11 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p)
cap_bset = cred->cap_bset;
rcu_read_unlock();
+ NORM_CAPS(cap_inheritable);
+ NORM_CAPS(cap_permitted);
+ NORM_CAPS(cap_effective);
+ NORM_CAPS(cap_bset);
+
render_cap_t(m, "CapInh:\t", &cap_inheritable);
render_cap_t(m, "CapPrm:\t", &cap_permitted);
render_cap_t(m, "CapEff:\t", &cap_effective);
--
1.7.1
On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin <[email protected]> wrote:
> Without this patch it is really hard to interpret a bounding set,
> if CAP_LAST_CAP is unknown for a current kernel.
>
> Non-existant capabilities can not be deleted from a bounding set
> with help of prctl.
>
> E.g.: Here are two examples without/with this patch.
> CapBnd: ffffffe0fdecffff
> CapBnd: 00000000fdecffff
>
> I suggest to hide non-existent capabilities. Here is two reasons.
> * It's logically and easier for using.
> * It helps to checkpoint-restore capabilities of tasks, because tasks
> can be restored on another kernel, where CAP_LAST_CAP is bigger.
>
> v2: Non-existent capabilities can not be removed from creds, because
> in this case user cannot set all=eip. This patch cleans up non-existent
> capabilities from content of /proc/pid/status
>
> Cc: Andrew G. Morgan <[email protected]>
> Cc: Serge Hallyn <[email protected]>
> Cc: Pavel Emelyanov <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Cc: Kees Cook <[email protected]>
> Cc: KAMEZAWA Hiroyuki <[email protected]>
> Signed-off-by: Andrew Vagin <[email protected]>
Seems sensible to me.
Reviewed-by: Kees Cook <[email protected]>
-Kees
--
Kees Cook
Chrome OS Security
Quoting Kees Cook ([email protected]):
> On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin <[email protected]> wrote:
> > Without this patch it is really hard to interpret a bounding set,
> > if CAP_LAST_CAP is unknown for a current kernel.
> >
> > Non-existant capabilities can not be deleted from a bounding set
> > with help of prctl.
> >
> > E.g.: Here are two examples without/with this patch.
> > CapBnd: ffffffe0fdecffff
> > CapBnd: 00000000fdecffff
> >
> > I suggest to hide non-existent capabilities. Here is two reasons.
> > * It's logically and easier for using.
> > * It helps to checkpoint-restore capabilities of tasks, because tasks
> > can be restored on another kernel, where CAP_LAST_CAP is bigger.
> >
> > v2: Non-existent capabilities can not be removed from creds, because
> > in this case user cannot set all=eip. This patch cleans up non-existent
> > capabilities from content of /proc/pid/status
> >
> > Cc: Andrew G. Morgan <[email protected]>
> > Cc: Serge Hallyn <[email protected]>
Basic capsh tests seem to have no problem with it.
Thanks, Andrew.
Reviewed-by: Serge E. Hallyn <[email protected]>
> > Cc: Pavel Emelyanov <[email protected]>
> > Cc: Andrew Morton <[email protected]>
> > Cc: Kees Cook <[email protected]>
> > Cc: KAMEZAWA Hiroyuki <[email protected]>
> > Signed-off-by: Andrew Vagin <[email protected]>
>
> Seems sensible to me.
>
> Reviewed-by: Kees Cook <[email protected]>
>
> -Kees
>
> --
> Kees Cook
> Chrome OS Security