Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1290381pxb; Fri, 21 Jan 2022 14:30:32 -0800 (PST) X-Google-Smtp-Source: ABdhPJx9+B8BT22Ue1SasSIBOflmrUTapGchwamkP5WzphgoYSkF0r2dxgTy+dGkrbsrk0GdsUSb X-Received: by 2002:a17:902:7481:b0:14b:23d0:87e with SMTP id h1-20020a170902748100b0014b23d0087emr3071530pll.165.1642804232006; Fri, 21 Jan 2022 14:30:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642804232; cv=none; d=google.com; s=arc-20160816; b=jSz1O/91nicIHRdhRpLpBIBXtyQT95NK+a7E6CxJGWGXh1l9Sm/bK44QwIekwfxq+2 4JeZVDyVmlmM260W3FmpKeOb2PNA5AK1pS75Qf8VaQAOYDqIKwz2BGEdldd9V/sGpovf 6IW2V9gaKDgIuD4fC7DoPN7g7DfaiA5WUxcdF2gbF19uxAT50KWDz7VU0XMrY59cGXe3 SRH+xpVHY2GPJNRTqY/uDHD4T0nkHZTLbFuPWLcRcHTAqMhVGrj7j7NhrnpmB815qJTW 5rP1HKS5HEBIk4BXEfoqlEIKg3tHvAm2lPvbwhCpBpWooRmCG31ZAsXGJCxFCQbBOvgs f8rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:subject:mime-version:user-agent:message-id :in-reply-to:date:references:cc:to:from; bh=HiXZ6tztpfagjcYAKK1o5bRgZXdq5Nptx5q71neEKNU=; b=zDyG6eb4vBksVkVvtatOr/JHcCKwwVfEjdTuPZWCsWVnIfMYpJu1GZ/JSFQsoqbSI5 V7iGtyEx0uYY4y1H5ktXwR+BROx+6x0tQwl/0d418KlGhJ2bubimOMxWh92aOCeNX3Zy Esna6Y28S0xwxKHa+Ve58iwQPIPiq8kygHUbMMTyGzeIJHgolaD2x9Ob8bJoPScwC5Zm LJkLpscPeMx69oRJ4rSaCcb8XqKcdxf3JQxFH3Q2g+NyP/+x828YCm5i9RvS56hzPwRY /xlVogCDTYifwLlWIiHxeiTHBh01HPvR8QLHNcyMNMQCT7ZCEEJBhr24XQQ0tXJRbITx Yi9g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 17si7405229pfl.234.2022.01.21.14.30.18; Fri, 21 Jan 2022 14:30:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346801AbiATSU1 (ORCPT + 99 others); Thu, 20 Jan 2022 13:20:27 -0500 Received: from out03.mta.xmission.com ([166.70.13.233]:40736 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236440AbiATSU1 (ORCPT ); Thu, 20 Jan 2022 13:20:27 -0500 Received: from in01.mta.xmission.com ([166.70.13.51]:60404) by out03.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1nAc2r-00DwFW-Ih; Thu, 20 Jan 2022 11:20:25 -0700 Received: from ip68-110-24-146.om.om.cox.net ([68.110.24.146]:51394 helo=email.froward.int.ebiederm.org.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1nAc2n-000p0K-7p; Thu, 20 Jan 2022 11:20:25 -0700 From: "Eric W. Biederman" To: Francis Laniel Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Serge Hallyn , Casey Schaufler References: <20220120180116.167702-1-flaniel@linux.microsoft.com> Date: Thu, 20 Jan 2022 12:20:15 -0600 In-Reply-To: <20220120180116.167702-1-flaniel@linux.microsoft.com> (Francis Laniel's message of "Thu, 20 Jan 2022 19:01:14 +0100") Message-ID: <87wniu2rs0.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1nAc2n-000p0K-7p;;;mid=<87wniu2rs0.fsf@email.froward.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.110.24.146;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19l8e4H5115J6h+/AI1Jy8YvSk3krMZSYo= X-SA-Exim-Connect-IP: 68.110.24.146 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa06.xmission.com X-Spam-Level: * X-Spam-Status: No, score=1.0 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,LotsOfNums_01,T_TM2_M_HEADER_IN_MSG autolearn=disabled version=3.4.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4742] * 1.2 LotsOfNums_01 BODY: Lots of long strings of numbers * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: *;Francis Laniel X-Spam-Relay-Country: X-Spam-Timing: total 577 ms - load_scoreonly_sql: 0.09 (0.0%), signal_user_changed: 12 (2.1%), b_tie_ro: 10 (1.8%), parse: 1.87 (0.3%), extract_message_metadata: 8 (1.3%), get_uri_detail_list: 4.2 (0.7%), tests_pri_-1000: 3.1 (0.5%), tests_pri_-950: 1.41 (0.2%), tests_pri_-900: 1.11 (0.2%), tests_pri_-90: 66 (11.4%), check_bayes: 64 (11.1%), b_tokenize: 9 (1.6%), b_tok_get_all: 10 (1.7%), b_comp_prob: 3.0 (0.5%), b_tok_touch_all: 37 (6.5%), b_finish: 0.94 (0.2%), tests_pri_0: 460 (79.7%), check_dkim_signature: 1.01 (0.2%), check_dkim_adsp: 3.4 (0.6%), poll_dns_idle: 1.02 (0.2%), tests_pri_10: 3.2 (0.6%), tests_pri_500: 11 (1.8%), rewrite_mail: 0.00 (0.0%) Subject: Re: [RFC PATCH v3 0/2] Add capabilities file to sysfs X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Francis Laniel writes: > Hi. > > > First, I hope you are fine and the same for your relatives. > > > Capabilities are used to check if a thread has the right to perform a given > action [1]. > For example, a thread with CAP_BPF set can use the bpf() syscall. > > Capabilities are used in the container world. > In terms of code, several projects related to container maintain code where the > capabilities are written alike include/uapi/linux/capability.h [2][3][4][5]. > For these projects, their codebase should be updated when a new capability is > added to the kernel. > Some other projects rely on [6]. > In this case, this header file should reflect the capabilities offered by the > kernel. > > So, in this series, I added a new file to sysfs: > /sys/kernel/security/capabilities. Actually that is a file in securityfs. Which is related but slightly different. For sysfs this would be immediately unacceptable as it breaks the one value per file rule. I don't know what the rules are for securityfs but I do know files that contain many many lines and get very large tend to be problematic in both their kernel implementation and in userspace parsing speed. So I am looking for what the advantage of this file that justifies the cost of maintaining it. > The goal of this file is to be used by "container world" software to know kernel > capabilities at run time instead of compile time. I don't understand the problem you are trying to solve. If the software needs to updated what benefit is there for all of the information to be available at runtime? > > The "file" is read-only and its content is the capability number associated with > the capability name: > root@vm-amd64:~# cat /sys/kernel/security/capabilities > 0 CAP_CHOWN > 1 CAP_DAC_OVERRIDE > ... > 40 CAP_CHECKPOINT_RESTORE > > The kernel already exposes the last capability number under: > /proc/sys/kernel/cap_last_cap > So, I think there should not be any issue exposing all the capabilities it > offers. > If there is any, please share it as I do not want to introduce issue with this > series. The mapping between capabilities and numbers should never change it is ABI. I seem to remember a version number in the file capability so that if the mappings do change that number can be changed in a way that existing software is not confused. What is the advantage in printing all of the mappings? > > Also, if you see any way to improve this series please share it as it would > increase this contribution quality. > > Change since v2: > * Use a char * for cap_string instead of an array, each line of this char * > contains the capability number and its name. > * Move the file under /sys/kernel/security instead of /sys/kernel. > > Francis Laniel (2): > capability: Add cap_string. > security/inode.c: Add capabilities file. > > include/uapi/linux/capability.h | 1 + > kernel/capability.c | 45 +++++++++++++++++++++++++++++++++ > security/inode.c | 16 ++++++++++++ > 3 files changed, 62 insertions(+) > > > Best regards and thank you in advance for your reviews. > --- > [1] man capabilities > [2] https://github.com/containerd/containerd/blob/1a078e6893d07fec10a4940a5664fab21d6f7d1e/pkg/cap/cap_linux.go#L135 > [3] https://github.com/moby/moby/commit/485cf38d48e7111b3d1f584d5e9eab46a902aabc#diff-2e04625b209932e74c617de96682ed72fbd1bb0d0cb9fb7c709cf47a86b6f9c1 > moby relies on containerd code. > [4] https://github.com/syndtr/gocapability/blob/42c35b4376354fd554efc7ad35e0b7f94e3a0ffb/capability/enum.go#L47 > [5] https://github.com/opencontainers/runc/blob/00f56786bb220b55b41748231880ba0e6380519a/libcontainer/capabilities/capabilities.go#L12 > runc relies on syndtr package. > [6] https://github.com/containers/crun/blob/fafb556f09e6ffd4690c452ff51856b880c089f1/src/libcrun/linux.c#L35 Eric