Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp4713318rwb; Wed, 17 Aug 2022 05:03:44 -0700 (PDT) X-Google-Smtp-Source: AA6agR6nc8xcJdoBLKYWJ48DPqvw0yqQfXK2HfCFMMMIFOeHkwZdcznGtBhMYFMwQpPhLNhQsu34 X-Received: by 2002:a63:1853:0:b0:41d:70c0:978e with SMTP id 19-20020a631853000000b0041d70c0978emr21940909pgy.32.1660737824080; Wed, 17 Aug 2022 05:03:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660737824; cv=none; d=google.com; s=arc-20160816; b=kLwx2BPn0G57zLSQE3afcDl5bqZz5+BufjNRjbtskC4a8yXIaTp3EkWQ5DRgnZ+enX r1p92J4jSy4Z7ccJ5cjIij4T/5biXesfVPBD0bGmOpxzwyzXqJ6u72HB7SKo7qQ6waoc 36v+VKHRobjRfSWxmAuc7k62co4BEcKaw22XHMzefFAPvjeW/1vo3YiYdKlShQmXSRlE hnOvkf6HSeYi6dDRkN8yW7lvq4fBzgFnXFDTjN6efZc5CKvYW/QvivL5I+U9X3vZytS9 nhz7I3GrdyV7zzSXoP4aQC5ofcPumUTed3SEdb8cJZYapO0e3bgnvfOykdEINgsAWK/M 0R4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:dkim-filter; bh=guH8y5jLjdbgCVWwxETH/SVdTiebIYChnq1hy4g1F+E=; b=H90HmHVun9/H7+Jm0srmBV47zRbIjLoZ9di4aUVTRVCnBvuoW0etpOt3J7EQDQtVdV 87FBy7CR0BRQZqX4KX/ZtT1XEA8/kyJ9uMEcb6rfUQcC1Y4jScxWwrlcbT4qbvMh34VR J0BXS1TBLAmsUSdXbXhqXKgT7oulD5h2OA6OWm3ki3NQSq0juMl24VwbGyoo/e9WfKuB wPP4B6a6ioXn7vMecHDhb2LC8r1KZb9Rb7SBT6epVNoHM7OqLYXaw5uSIBXStpyXrOo2 XuptLLFjg6l5nBNbdRX8NkuIovLeEdfY1Qwi7HHCw5yLYId85vxDU6XyAntUO4Wb4VnP 0zSg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=eGt0vt4b; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e22-20020aa78c56000000b0052daec10c3csi14789741pfd.99.2022.08.17.05.03.31; Wed, 17 Aug 2022 05:03:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=eGt0vt4b; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239110AbiHQLxc (ORCPT + 99 others); Wed, 17 Aug 2022 07:53:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41794 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229764AbiHQLx3 (ORCPT ); Wed, 17 Aug 2022 07:53:29 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 39DF6DEFE; Wed, 17 Aug 2022 04:53:25 -0700 (PDT) Received: from pwmachine.localnet (85-170-37-153.rev.numericable.fr [85.170.37.153]) by linux.microsoft.com (Postfix) with ESMTPSA id 7AE06213B620; Wed, 17 Aug 2022 04:53:23 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 7AE06213B620 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1660737204; bh=guH8y5jLjdbgCVWwxETH/SVdTiebIYChnq1hy4g1F+E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eGt0vt4bAB41b7jk2M7M4mq5m/iaNiKmjiVOafdLaAWJY2oah+vjeFZBKpFQGG+KL S0s3e3wnWEb/FEJJoXZu94v3gVYecCafOh39CXL1x+MeieNl3jgqwVXklG7wX3b5Nc tDiVn0BXPP8gFzho+8stOgZrGPF3wcmTwzd5zpC0= From: Francis Laniel To: Paul Moore Cc: linux-security-module@vger.kernel.org, Casey Schaufler , Eric Biederman , Serge Hallyn , James Morris , open list , "open list:BPF [MISC]" Subject: Re: [RFC PATCH v4 0/2] Add capabilities file to securityfs Date: Wed, 17 Aug 2022 13:53:21 +0200 Message-ID: <4420381.LvFx2qVVIh@pwmachine> In-Reply-To: References: <20220725124123.12975-1-flaniel@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="iso-8859-1" X-Spam-Status: No, score=-11.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_MED,SPF_HELO_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi. Le mardi 16 ao=FBt 2022, 23:59:41 CEST Paul Moore a =E9crit : > On Mon, Jul 25, 2022 at 8:42 AM Francis Laniel >=20 > wrote: > > Hi. > >=20 > > First, I hope you are fine and the same for your relatives. >=20 > Hi Francis :) >=20 > > A solution to this problem could be to add a way for the userspace to a= sk > > the kernel about the capabilities it offers. > > So, in this series, I added a new file to securityfs: > > /sys/kernel/security/capabilities. > > The goal of this file is to be used by "container world" software to kn= ow > > kernel capabilities at run time instead of compile time. >=20 > ... >=20 > > The kernel already exposes the last capability number under: > > /proc/sys/kernel/cap_last_cap >=20 > I'm not clear on why this patchset is needed, why can't the > application simply read from "cap_last_cap" to determine what > capabilities the kernel supports? When you capabilities with, for example, docker, you will fill capabilities= =20 like this: docker run --rm --cap-add SYS_ADMIN debian:latest echo foo As a consequence, the "echo foo" will be run with CAP_SYS_ADMIN set. Sadly, each time a new capability is added to the kernel, it means "contain= er=20 stack" software should add a new string corresponding to the number of the= =20 capabilities [1]. The solution I propose would lead to "container stack" software to get rid = of=20 such an array and to test at runtime, if the name provided by user on the=20 command line matches the name of a capability known by the kernel. If it is the case, the number associated to the capability will be get by=20 "container stack" code to be used as argument of capset() system call. The advantage of this solution is that it would reduce the time taken betwe= en=20 a new capability added to the kernel (e.g. CAP_BPF) and the time users can = use=20 it. More generally, a solution to this problem would be a way for the kernel to= =20 expose the capabilities it knows. Do not hesitate to ask for clarification if I was not clear. Best regards. =2D-- [1] https://github.com/containerd/containerd/blob/ 1a078e6893d07fec10a4940a5664fab21d6f7d1e/pkg/cap/cap_linux.go#L135