Message-ID: <54CFE3E8.2030402@schaufler-ca.com>
Date: Mon, 02 Feb 2015 12:54:00 -0800
From: Casey Schaufler
To: Andy Lutomirski, Serge Hallyn
CC: Christoph Lameter, Serge Hallyn, Jonathan Corbet, Aaron Jones, "Ted Ts'o", LSM List, "linux-kernel@vger.kernel.org", Andrew Morton, Casey Schaufler
Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities
References: <54CFB9B8.8020701@schaufler-ca.com> <20150202180806.GE24351@ubuntumail>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2/2/2015 12:37 PM, Andy Lutomirski wrote:
> On Mon, Feb 2, 2015 at 10:08 AM, Serge Hallyn wrote:
>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>> I'm game to participate in such an effort. The POSIX scheme
>>> is workable, but given that it's 20 years old and hasn't
>>> developed real traction it's hard to call it successful.
>> Over the years we've several times discussed possible reasons for this
>> and how to help. I personally think it's two things: 1. lack of
>> toolchain and fs support. The fact that we cannot to this day enable
>> ping using capabilities by default because of cpio, tar and non-xattr
>> filesystems is disheartening. 2. It's hard for users and applications
>> to know what caps they need. Yes, the API is a bear to use, but we can
>> hide that behind fancier libraries. But using capabilities requires too
>> much in-depth knowledge of precisely what caps you might need for
>> whatever operations a library may now do when you asked for something.
> None of this could address the problem here, though: if I hold a
> capability and I want to pass that capability to an exec'd helper, I
> shouldn't need the fs's help to do this.

One of the holes in the 1003.1e spec is what to do with a program file
that does not have a capability set attached to it. The two options are
drop all capabilities and leave the capabilities alone. The latter gives
you what you're asking for. The former is arguably safer.

>
> --Andy
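The two options Casey names, as an added example that is not part of the original message or of the kernel source. The "drop" rule is the execve transformation documented in capabilities(7) for a non-root caller without an ambient set (the ambient set, root and setuid special-casing are left out). The "leave alone" function is my own model of the second option in the message, not the behaviour of any kernel; the struct names, helper functions and the CAP_NET_RAW scenario are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bit numbers as defined in linux/capability.h. */
#define CAP_NET_RAW   13
#define CAP_SYS_ADMIN 21
#define CAP_TO_MASK(c) ((uint64_t)1 << (c))

/* Per-thread capability sets (bounding set included, ambient set ignored). */
struct caps {
    uint64_t permitted;
    uint64_t inheritable;
    uint64_t effective;
    uint64_t bounding;
};

/* What a security.capability xattr carries, or present == false for a
 * program file with no capability set attached (the case in the message). */
struct file_caps {
    bool present;
    uint64_t permitted;
    uint64_t inheritable;
    bool effective;   /* single flag: raise the new permitted set into effective */
};

/* Option 1, what Linux does (capabilities(7), non-root caller, no ambient set):
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 * A file with no capability set behaves as F(permitted) = F(inheritable) = 0,
 * so everything the caller held is dropped across the exec. */
struct caps exec_drop_without_file_caps(struct caps p, struct file_caps f)
{
    uint64_t fp = f.present ? f.permitted : 0;
    uint64_t fi = f.present ? f.inheritable : 0;
    struct caps n;

    n.permitted   = (p.inheritable & fi) | (fp & p.bounding);
    n.effective   = (f.present && f.effective) ? n.permitted : 0;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* Option 2, "leave the capabilities alone": same rule when the file carries
 * a set, but a file without one passes the caller's sets through unchanged.
 * Assumption: a model of the alternative described in the message, not the
 * behaviour of any kernel. */
struct caps exec_leave_alone_without_file_caps(struct caps p, struct file_caps f)
{
    if (f.present)
        return exec_drop_without_file_caps(p, f);
    return p;
}

/* Scenario from the thread (constructed): the caller holds `cap` in P, I and E
 * and execs a helper whose file capabilities are `f`. Returns whether the
 * helper ends up with `cap` in its permitted set under the chosen option. */
bool helper_keeps_cap(int cap, struct file_caps f, bool leave_alone)
{
    struct caps p = {
        .permitted   = CAP_TO_MASK(cap),
        .inheritable = CAP_TO_MASK(cap),
        .effective   = CAP_TO_MASK(cap),
        .bounding    = ~(uint64_t)0,
    };
    struct caps n = leave_alone ? exec_leave_alone_without_file_caps(p, f)
                                : exec_drop_without_file_caps(p, f);
    return (n.permitted & CAP_TO_MASK(cap)) != 0;
}

int main(void)
{
    struct file_caps none = { .present = false };
    /* The filesystem's help Andy wants to avoid: the helper's file carries an
     * inheritable CAP_NET_RAW, i.e. what "setcap cap_net_raw+i helper" stores. */
    struct file_caps inheritable_net_raw = {
        .present = true, .inheritable = CAP_TO_MASK(CAP_NET_RAW),
    };

    printf("no file caps, drop:        helper has CAP_NET_RAW   = %d\n",
           helper_keeps_cap(CAP_NET_RAW, none, false));
    printf("no file caps, leave alone: helper has CAP_NET_RAW   = %d\n",
           helper_keeps_cap(CAP_NET_RAW, none, true));
    printf("fI=net_raw, drop:          helper has CAP_NET_RAW   = %d\n",
           helper_keeps_cap(CAP_NET_RAW, inheritable_net_raw, false));
    printf("fI=net_raw, drop:          helper has CAP_SYS_ADMIN = %d\n",
           helper_keeps_cap(CAP_SYS_ADMIN, inheritable_net_raw, false));
    return 0;
}
```

The first two lines of output are the disagreement in the thread: under the rule Linux implements, a helper with no security.capability xattr starts with an empty permitted set no matter what the caller held, so passing a capability down requires the file to carry at least an inheritable bit for it; the "leave alone" option hands the caller's sets through, which is what makes it the less safe choice for setuid-style helpers that were never written to hold privilege.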