Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1161398AbbBEAUq (ORCPT ); Wed, 4 Feb 2015 19:20:46 -0500 Received: from h2.hallyn.com ([78.46.35.8]:40852 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965444AbbBEAUo (ORCPT ); Wed, 4 Feb 2015 19:20:44 -0500 Date: Thu, 5 Feb 2015 01:20:42 +0100 From: "Serge E. Hallyn" To: Casey Schaufler Cc: Serge Hallyn , Christoph Lameter , Serge Hallyn , Andy Lutomirski , Jonathan Corbet , Aaron Jones , "Ted Ts'o" , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, akpm@linuxfoundation.org Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities Message-ID: <20150205002042.GB23013@mail.hallyn.com> References: <54CFB9B8.8020701@schaufler-ca.com> <20150202180806.GE24351@ubuntumail> <54CFC942.9010502@schaufler-ca.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <54CFC942.9010502@schaufler-ca.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1992 Lines: 34 Quoting Casey Schaufler (casey@schaufler-ca.com): > On 2/2/2015 10:08 AM, Serge Hallyn wrote: > > Quoting Casey Schaufler (casey@schaufler-ca.com): > >> I'm game to participate in such an effort. The POSIX scheme > >> is workable, but given that it's 20 years old and hasn't > >> developed real traction it's hard to call it successful. > > Over the years we've several times discussed possible reasons for this > > and how to help. I personally think it's two things: 1. lack of > > toolchain and fs support. The fact that we cannot to this day enable > > ping using capabilities by default because of cpio, tar and non-xattr > > filesystems is disheartening. 2. It's hard for users and applications > > to know what caps they need. yes the API is a bear to use, but we can > > hide that behind fancier libraries. But using capabilities requires too > > much in-depth knowledge of precisely what caps you might need for > > whatever operations library may now do when you asked for something. > > The fix for that is to a change to the audit system. If the audit system > reported the capabilities relevant to the decision you'd have what you > need. If you failed because you didn't have CAP_CHMOD or you succeeded > because you had CAP_SYS_ADMIN it should show up in the audit record. > Other systems have used this approach. > > You could, of course, create a separate capability result log, and I > believe that Nokia had done something along those lines. I think that > adding it to the audit trail is a more rational approach. I wonder how much that would end up affecting performance, assuming it left an audit message at every ns_capable() failure. Even if it was only done under a certain sysctl, it could certainly be useful. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/