On Sat, Jan 16, 2010 at 8:48 PM, Michael Stone <[email protected]> wrote:
> Andrew Morgan wrote:
>>
>> Please use CAP_NET_ADMIN for this feature (and add the corresponding
>> comment in include/linux/capabilities.h).
>
> Sure.
> However, to make sure I understand the purpose of the adjustment, would you
> mind saying a word or two about what considerations cause you to recommend
> CAP_NET_ADMIN instead of (or in addition to?) CAP_SETPCAP?
If you take a look at the capabilities.h file, you'll see that each of
the capabilities is preceded by an explanation of what privilege it
enables.
CAP_SETPCAP refers to privileged manipulation of capabilities
(permission to violate the normal capability rules) and nothing to do
with the network.
You are adding something akin to a per-process tree firewall setting -
deny/enable network access to this process. I think you'll agree that
the CAP_NET_ADMIN description is a much better match for this.
Cheers
Andrew
>
> Thanks for your feedback,
>
> Michael
>
Quoting Andrew G. Morgan ([email protected]):
> On Sat, Jan 16, 2010 at 8:48 PM, Michael Stone <[email protected]> wrote:
> > Andrew Morgan wrote:
> >>
> >> Please use CAP_NET_ADMIN for this feature (and add the corresponding
> >> comment in include/linux/capabilities.h).
> >
> > Sure.
> > However, to make sure I understand the purpose of the adjustment, would you
> > mind saying a word or two about what considerations cause you to recommend
> > CAP_NET_ADMIN instead of (or in addition to?) CAP_SETPCAP?
>
> If you take a look at the capabilities.h file, you'll see that each of
> the capabilities is preceded by an explanation of what privilege it
> enables.
>
> CAP_SETPCAP refers to privileged manipulation of capabilities
> (permission to violate the normal capability rules) and nothing to do
> with the network.
>
> You are adding something akin to a per-process tree firewall setting -
> deny/enable network access to this process.
I think I originally suggested CAP_SETPCAP - because it's not deny network
access to this process, but deny network access to all child processes as
well, even if they are more privileged (through setuid-root or file caps).
CAP_NET_ADMIN is probably more straightforward, though. Who's going to
think to add CAP_SETPCAP to a binary that is intended to drop network
perms, realistically...
> I think you'll agree that
> the CAP_NET_ADMIN description is a much better match for this.
I think it'll be more intuitive to most people so I agree.
-serge