From: Andy Lutomirski
Date: Wed, 4 Feb 2015 08:34:31 -0800
Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities
To: "Andrew G. Morgan"
Cc: "Serge E. Hallyn", Christoph Lameter, Serge Hallyn, Jonathan Corbet, Aaron Jones, "Ted Ts'o", LSM List, lkml, Andrew Morton
List-ID: linux-kernel@vger.kernel.org

On Wed, Feb 4, 2015 at 8:12 AM, Andrew G. Morgan wrote:
> I was thinking more like this:
>
>     int override = secure(SECURE_AMBIENT_PRIVS) &&
>                    cap_isclear(caps->inheritable.cap);
>
>     CAP_FOR_EACH_U32(i) {
>         __u32 permitted = caps->permitted.cap[i];
>         __u32 inheritable = override ? new->cap_bset.cap[i] :
>                                        caps->inheritable.cap[i];
>     [...]

To elaborate on my objection:

For better or for worse, as a practical matter, if you drop a cap from pP but keep it in pI, there's no way to get that cap back on the average system using execve, because nothing will have that bit set in fI. I am not at all confident that changing this is safe at this point, since there's lots of legacy code out there.

So, how about:

    __u32 inheritable = override ? (new->cap_bset.cap[i] & permitted) :
                                   caps->inheritable.cap[i];

instead?

This still doesn't address the effective set adequately, I think. I suspect that we'll want to always start with pE' == pP' in the new mode, or perhaps pE' = (pP' & pE). This latter part is also a bit dangerous and furthers my desire to restrict this to no_new_privs.

--Andy
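A userspace model of the execve capability transition discussed above, added here as an illustration and not code from the kernel or from anyone in the thread. It assumes the elided `[...]` in the quoted snippet is the existing formula pP' = (bset & fP) | (pI & fI) with fI replaced by the computed `inheritable` word, that the computation also runs for a binary with no capability xattr, and that pE' = fE ? pP' : 0 as in capabilities(7); the three `mode` values and the function names are invented for the model.

```c
#include <stdint.h>
#include <stdbool.h>

/* p* are the caller's sets, f* the file's sets, bset the bounding set; one
 * 32-bit word, i.e. a single iteration of CAP_FOR_EACH_U32. */
struct pcaps { uint32_t pP, pI, pE; };
struct fcaps { uint32_t fP, fI; bool fE; };

/* CLASSIC: no override. MORGAN_OVERRIDE: fI := bset (quoted sketch).
 * LUTO_OVERRIDE: fI := bset & fP (the "& permitted" variant). */
enum mode { CLASSIC, MORGAN_OVERRIDE, LUTO_OVERRIDE };

/* Assumption: the rest of the snippet is pP' = (bset & fP) | (pI & inheritable),
 * pI' = pI, pE' = fE ? pP' : 0. 'ambient_bit' models secure(SECURE_AMBIENT_PRIVS);
 * override applies only when the file's fI is empty, as in the quoted code. */
struct pcaps do_exec(struct pcaps p, struct fcaps f, uint32_t bset,
                     enum mode m, bool ambient_bit)
{
    bool override = (m != CLASSIC) && ambient_bit && f.fI == 0;
    uint32_t inheritable = f.fI;            /* classic path: use fI as-is */
    if (override)
        inheritable = (m == MORGAN_OVERRIDE) ? bset : (bset & f.fP);

    struct pcaps n;
    n.pP = (bset & f.fP) | (p.pI & inheritable);
    n.pI = p.pI;
    n.pE = f.fE ? n.pP : 0;
    return n;
}

#define CAP_BIT(c) (1u << (c))
#define CAP_NET_BIND_SERVICE 10   /* real capability number */

/* The scenario in the message: a cap dropped from pP but kept in pI, then
 * execve of an ordinary binary with no file capabilities (constructed input).
 * Returns whether the cap is back in the new permitted set. */
bool cap_returns_after_exec(enum mode m)
{
    struct pcaps p = { .pP = 0, .pI = CAP_BIT(CAP_NET_BIND_SERVICE), .pE = 0 };
    struct fcaps plain = { .fP = 0, .fI = 0, .fE = false };   /* no xattr */
    uint32_t bset = 0xffffffffu;                               /* full bounding set */
    struct pcaps n = do_exec(p, plain, bset, m, true);
    return (n.pP & CAP_BIT(CAP_NET_BIND_SERVICE)) != 0;
}
```

Under the quoted sketch the cap reappears in pP' on every exec of a plain binary, which is the legacy-behaviour change objected to; with `& permitted` it does not, and in neither case does it land in pE', which is the effective-set gap the message points at.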