Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752872AbbKJNT0 (ORCPT ); Tue, 10 Nov 2015 08:19:26 -0500 Received: from tschil.ethgen.ch ([5.9.7.51]:35977 "EHLO tschil.ethgen.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752468AbbKJNTY (ORCPT ); Tue, 10 Nov 2015 08:19:24 -0500 Date: Tue, 10 Nov 2015 14:19:08 +0100 From: Klaus Ethgen To: "Theodore Ts'o" , Andy Lutomirski , Serge Hallyn , Kees Cook , Christoph Lameter , "Serge E. Hallyn" , Andrew Morton , Richard Weinberger , Austin S Hemmelgarn , LKML , Linus Torvalds Subject: Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities Message-ID: <20151110131907.GB2958@ikki.ethgen.ch> Mail-Followup-To: Theodore Ts'o , Andy Lutomirski , Serge Hallyn , Kees Cook , Christoph Lameter , "Serge E. Hallyn" , Andrew Morton , Richard Weinberger , Austin S Hemmelgarn , LKML , Linus Torvalds References: <20151106175619.GA19491@ikki.ethgen.ch> <20151106181820.GB16749@mail.hallyn.com> <20151107110246.GA7230@ikki.ethgen.ch> <5640C999.5050807@gmail.com> <20151109172340.GF3714@ikki.ethgen.ch> <5640EDB4.70407@gmail.com> <20151109212937.GA17624@ikki.ethgen.ch> <20151110115526.GA2958@ikki.ethgen.ch> <20151110124043.GC3717@thunk.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="3lcZGd9BuhuYXNfi" Content-Disposition: inline In-Reply-To: <20151110124043.GC3717@thunk.org> OpenPGP: id=79D0B06F4E20AF1C; url=http://www.ethgen.ch/~klaus/79D0B06F4E20AF1C.txt; preference=signencrypt User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 7683 Lines: 198 --3lcZGd9BuhuYXNfi Content-Type: multipart/mixed; boundary="ikeVEW9yuYc//A+q" Content-Disposition: inline --ikeVEW9yuYc//A+q Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Hi Ted, hy others in this discussion, Am Di den 10. Nov 2015 um 13:40 schrieb Theodore Ts'o: > On Tue, Nov 10, 2015 at 12:55:27PM +0100, Klaus Ethgen wrote: > > > You can tell other people that they write privileged programs in the > > > wrong programming language if you like. > > > > Hey, it is not about programming languages. I never said something in > > that direction! > > > > I brought python programs for a bad example in programming and how > > developers work. But that example can be made in any language. Moreover, > > as python is a script language, I would not like it at all, having any > > raised capabilities. And that is also valid for perl that I like much > > more. > > And that's the fundamenal problem. Saying that you can only be secure > if **no** scripting languages can be used for **any** privileged > operations is something that _might_ work for you, but it doesn't work > for the 99.99999999999% of the Linux systems out there, many of which > have shell scripts to configure networking, or any host of other > things. Arguably, it's why Posix capalities have utterly failed as > far as usage except for a very, very, very, tiny, limited market. But this is use case 1 of two that I described earlier. And this is the main use case that is addressed by the ambient capabilities. I'm fine with that. That is nothing that I would object. What I want to get fixed is the second use case of capabilities that was completely ignored by the design of ambient capabilities. It is about _raising_ explicitly single capabilities for _unprivileged_ binaries/users. > Scripting languages are just too fundamental to Unix and Linux > systems. And I while I won't speak for Linus here, I suspect this is > one of the places where he'll tell you that this is a prime example of > why many security people are crazy (or in his colorful language, > M***** Monkeys). Might be. I like his colorful language. ;-) > You can, after all, simply make any computer 100% secure by the > applied use of thermite --- but the computer won't be very useful > afterwards. That is true too. But I can try to make it as secure as possible. > If you want to create a patch, my recommendation would be to do one > that turns off ambient capabilities as a CONFIG option, and hide it > under CONFIG_EXPERT. Would be an approach. Another is to have a kernel command line switch. > Or maybe adding a new securebit which disables ambient capabilities. That already exists. But it is not workable for overall system than only for user namespaces. However, that two approaches have a big disadvantage that they also disallow the first use case. I attached a very simple patch to this mail that introduces a new capability to enable ambient capabilities. It will not break use case one but it will give the control back to the admin to control the raised capabilities for unprivileged binaries and/or users. However, it is a fast and minimal hack that I want to test before it gets into any accepted kernel. Please see it as an request for approval. I was surprised how easily capabilities can be implemented in a secure way. So I do not expect any security problem from the patch. In fact, it uses the same way as the securebit stuff to disable them. > Whether or not that will be acceptable upstream, I don't know, mainly > because I think a strong case can be made that such a patch has an > audience of one, and adding more complexity here for an idea which has > been time-tested over decades to be a failure is just not a good idea. I wouldn't tell the implementation until now to be a failure. It helped a lot to keep a system sane. It is true that all distributions ignored capabilities completely but I don't think that is due the design. Regards Klaus -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C --ikeVEW9yuYc//A+q Content-Type: text/x-diff; charset=iso-8859-1 Content-Disposition: attachment; filename="0001-capabilities-enable-ambient-capabilities-explicit.patch" >From c9ba01a5761a04f6839cca5857d1bdac36067825 Mon Sep 17 00:00:00 2001 From: Klaus Ethgen Date: Tue, 10 Nov 2015 13:46:11 +0100 Subject: [PATCH] capabilities: enable ambient capabilities explicit Ambient capabilities was introduced by 5831905 recently. This capabilities address a special use case when a process want to limit capabilities but want to be sure that they get inherited over several execve calls. However, there is a flaw in that design as it allows to easily break another use case of capabilities to explicitly _raise_ capabilities for clear defined binaries. Solution ======== With CAP_ENABLE_AMBIENT, there is a new capability that can be set via pP or pI (or even via pA) to explicitly allow the use of ambient capabilities. This would not affect the main use case as long as CAP_ENABLE_AMBIENT is not explicitly removed. But it will fix the problematic use case that now it is up to the admin if he wants to allow the use of ambient capabilities to unprivileged processes. So everybody should be happy with it. Signed-off-by: Klaus Ethgen --- include/uapi/linux/capability.h | 5 ++++- security/commoncap.c | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h index 12c37a1..9fee97e 100644 --- a/include/uapi/linux/capability.h +++ b/include/uapi/linux/capability.h @@ -351,8 +351,11 @@ struct vfs_cap_data { #define CAP_AUDIT_READ 37 +/* Capability to allow ambient capabilities explicitely */ -#define CAP_LAST_CAP CAP_AUDIT_READ +#define CAP_ENABLE_AMBIENT 38 + +#define CAP_LAST_CAP CAP_ENABLE_AMBIENT #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) diff --git a/security/commoncap.c b/security/commoncap.c index 1832cf7..16b03d3 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -994,7 +994,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, (!cap_raised(current_cred()->cap_permitted, arg3) || !cap_raised(current_cred()->cap_inheritable, arg3) || - issecure(SECURE_NO_CAP_AMBIENT_RAISE))) + issecure(SECURE_NO_CAP_AMBIENT_RAISE) || + capable(CAP_ENABLE_AMBIENT))) return -EPERM; new = prepare_creds(); -- 2.6.2 --ikeVEW9yuYc//A+q-- --3lcZGd9BuhuYXNfi Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCgAGBQJWQe7FAAoJEKZ8CrGAGfas+EkMAMEelnMue6AdyvpJ7xOhQVbU McfPuywjbonEShLZMiPGW1pUF+lcIMT85ttPE3blAiFx9xO6dIknQ1G8Mk1pXHWQ Krd9bmVmYBEsKS1j+WYjtv1/89Rv1pbLVs2omFEP40UFWxkvLUsv3pdDFSCI/huj kdKqWB6icBXQK2qUiMmPKRmnv0kU0To+P2D+1bnDppRfq4MMa/gSjVK3IZa4SlFt kHpTX5TsTI8xPRrmg3oeHTmGc9RDRVZcMjvPN/svk0nTNuWsh2rLoCJvSixq51ou 1HQSk1VjwFVIcEtZIju5FhpoFVzY/TJABXIZt1BB5fpc/AOGmX3vecD/Hfdy0WR8 7TN2cIy67tweM+cE+g4ljw61BbylrZn9LWaZQG0d2JodAVI9XDEVU1WyqHH8yYmL NTeCvTbINnRrB0jEDcGmOuDPDJj8XPI/8kadoyHRYn2XRRjE3IZsbFNR6EKof+zY TdPyb2qbw1srZrlnmJuHOXg4ZrNRwb2FzBr01mZ32A== =LEBg -----END PGP SIGNATURE----- --3lcZGd9BuhuYXNfi-- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/