Received: by 2002:a25:1104:0:0:0:0:0 with SMTP id 4csp810858ybr; Fri, 22 May 2020 21:30:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzOzYC9zTdBNNxIq0TsInAjx7vt1NGKV1f1LH9chArrer1G9KbccCjIBS4x5BUnmzrK6fYa X-Received: by 2002:a17:906:34c7:: with SMTP id h7mr10651746ejb.300.1590208208620; Fri, 22 May 2020 21:30:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590208208; cv=none; d=google.com; s=arc-20160816; b=GSAGd5ebTmjQ8jZN8dT4nVzFfnOJE6/y2O3PboqCVEbrY3trelrZk/kalp+QTLwi9o g22JdtJNc5KjYdFqBMrY6B+7UxPchAM6AmxaV5hdkuu6Nk2uimg+nMKJlypUH9kYqpyC e9XSJOEW3uIf3EgcZhXaxjA6hzIhv27X5MAHH0TNWBic5sSoCaL4uxevN/h9Ko7XT6l+ O6Zuj8q/LTK2XSmG1OcDzYFNVU8QDPAPCyq35VmI+bLzKX9XiJtEHPitmriQe7vaQso8 1HWrhWf1ajzYjpY2FFqn32PQnWs4tJhtgzh6nRRHLocpyz1zRQtFbDJRDT7DfY7sUsPX uGJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=C2oaJ/TeH9h/Ses/5flX0t0+2GPRsirL3Ix59rT/3uo=; b=QDUX4qxuYBIUOcaBoha1TvowQjZ0XuddzkBGj4rfTkSWg5KWaCu5RubWTuKxNARDCj WWx1V4o5eBPsdC3IhwQSP1zbqsdeFPVjtuzexIpVAYO9fMUXWvcLwhBFCs654IgF+HrY BOjzASxIw0S6/BbV4aFrYMJyaXP7303Mn59jBmuke8Mzl7gBOt8IOtYbLHbCutQVEDVt 4D3XKum/qhXXiyqinnBt1vJH4tQgo+x1uoSg7v42KvNrVf5uM0ub8Q4DT79zHgDZSOCt VWmtNit/uWHyuioH9pb8OBC4b3uPyhT+G7cse68Le/miIxm8+b0oSIqzKpB8M4/n5SGD lVyA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=UhzY7J9+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v12si6086413ejj.109.2020.05.22.21.29.45; Fri, 22 May 2020 21:30:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=UhzY7J9+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387559AbgEWE1y (ORCPT + 99 others); Sat, 23 May 2020 00:27:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42806 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725535AbgEWE1x (ORCPT ); Sat, 23 May 2020 00:27:53 -0400 Received: from mail-pl1-x644.google.com (mail-pl1-x644.google.com [IPv6:2607:f8b0:4864:20::644]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C8B6CC061A0E; Fri, 22 May 2020 21:27:52 -0700 (PDT) Received: by mail-pl1-x644.google.com with SMTP id q16so5222299plr.2; Fri, 22 May 2020 21:27:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=C2oaJ/TeH9h/Ses/5flX0t0+2GPRsirL3Ix59rT/3uo=; b=UhzY7J9+KCLeMXEB0x5/JYLsXcF2rLqnBYZsezjDmmaWeU2eXzSWAy7ExbfFinlt0h oD+/yx2FqLMUx6oYlhZZ1nAx2okSnaBGN0taiOxwFduM44/t5yL1HcdNYJNPojgy84gK tODEWzdeuhJi30XoaBQXn2nXsAVh7GLIA8aeEq98wBmbi31odtZj15cCH2VT3rnZvKcd gJVl9dVYI+EN9c7Svpj145az+WB83+msRP9vP2ypIcYVcmOdoTjq80jUu0mkQlx4iDYD JlssprdK89mPNrlVxz81XdkpvnHi+MqoPqYnP7WRkAPLA+mJg6SH3K8BQtlvRjI4RwuW rvlA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=C2oaJ/TeH9h/Ses/5flX0t0+2GPRsirL3Ix59rT/3uo=; b=pBLJcHycROc4kxIOtgBnyhBLx8ZAS+mupeaHQ7KGeiNQUgWJvA4gNTCiRcolX4/mRH YuLHzKRR/a13F5XmUrz0dfYJ49a/Lbet/ov+RyfkREDeVVXiC7k+5yKngX17TfI1Qy9Q m7aFo9P45FBkGO7YoputSdnTwsHjeHJ7+8ulXE7R6CUMot6a8iqzeR3DnXFgge0nIolv 7dGdpkKc9HxBoOyk0fBHp4SPF92uFyOj6alibcTXTNnUUiOHSy22QIr/2YKcG/iOWmEB pRsX3srTGFbdjBnTbaQdRiAdB68UhxPP2mNMpFCUsvutAQ8iqBhcAXVdlO/oS7CXGAt7 8WVw== X-Gm-Message-State: AOAM530MZ2kixJwtGfT2OeKYTg3yibwi83HEUC7d00IJiUzNab08IQTA nGzqSX8jLCFtygLZ6fXEBWsizXG7Q0eG1A== X-Received: by 2002:a17:902:848a:: with SMTP id c10mr17901055plo.124.1590208071913; Fri, 22 May 2020 21:27:51 -0700 (PDT) Received: from gmail.com ([2601:600:817f:a132:df3e:521d:99d5:710d]) by smtp.gmail.com with ESMTPSA id t21sm7300922pgu.39.2020.05.22.21.27.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 May 2020 21:27:51 -0700 (PDT) Date: Fri, 22 May 2020 21:27:49 -0700 From: Andrei Vagin To: Casey Schaufler Cc: Adrian Reber , Christian Brauner , Eric Biederman , Pavel Emelyanov , Oleg Nesterov , Dmitry Safonov <0x7f454c46@gmail.com>, Nicolas Viennot , =?utf-8?B?TWljaGHFgiBDxYJhcGnFhHNraQ==?= , Kamil Yurtsever , Dirk Petersen , Christine Flood , Mike Rapoport , Radostin Stoyanov , Cyrill Gorcunov , Serge Hallyn , Stephen Smalley , Sargun Dhillon , Arnd Bergmann , Aaron Goidel , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, Eric Paris , Jann Horn Subject: Re: [PATCH] capabilities: Introduce CAP_RESTORE Message-ID: <20200523042749.GA19115@gmail.com> References: <20200522055350.806609-1-areber@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 22, 2020 at 09:40:37AM -0700, Casey Schaufler wrote: > On 5/21/2020 10:53 PM, Adrian Reber wrote: > > There are probably a few more things guarded by CAP_SYS_ADMIN required > > to run checkpoint/restore as non-root, > > If you need CAP_SYS_ADMIN anyway you're not gaining anything by > separating out CAP_RESTORE. > > > but by applying this patch I can > > already checkpoint and restore processes as non-root. As there are > > already multiple workarounds I would prefer to do it correctly in the > > kernel to avoid that CRIU users are starting to invent more workarounds. > > You've presented a couple of really inappropriate implementations > that would qualify as workarounds. But the other two are completely > appropriate within the system security policy. They don't "get around" > the problem, they use existing mechanisms as they are intended. > With CAP_CHECKPOINT_RESTORE, we will need to use the same mechanisms. The problem is that CAP_SYS_ADMIN is too wide. If a process has CAP_SYS_ADMIN, it can do a lot of things and the operation of forking a process with a specified pid isn't the most dangerous one in this case. Offten security policies don't allow to grant CAP_SYS_ADMIN to any third-party tools even in non-root user namespaces.