Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp5069235rwb; Wed, 17 Aug 2022 10:27:38 -0700 (PDT) X-Google-Smtp-Source: AA6agR7Caps5wdmLwP4nLJP+E5TstWoHBA8KDMCtvzz1O3W/9Hf8nbnyFehxx68ko/Xx5hU2HXU0 X-Received: by 2002:a05:6402:2949:b0:445:dc8d:44d with SMTP id ed9-20020a056402294900b00445dc8d044dmr3419789edb.60.1660757257991; Wed, 17 Aug 2022 10:27:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660757257; cv=none; d=google.com; s=arc-20160816; b=dslFBrbpR8tGXnpjaK2CJUOM3ixV++fbxdVcs+NqQsOv/aeeYPwzMyu6U8WgADwgjt XByXYQELvOByZ90uxSyq95F0gKkayfPHp4jGRtNYhssM5MVnEMvmMfgJjYZKD5DzTulY SFOY9gDK/OonCyI8OkVtl+NYx5qCCx0h3R2e0qH1cIB8s5i7lFRCdMh/ikVILOFQ1Ym2 fNN08dcBqPyhZZzuSXfcXVXPdrOT5jInSwVF9elE1xVhqVwp95SyIeIhlyk4MYV4k2D7 QSnODYlwdyh3j90EobGqAa2L7B4nCLJI+P4LQtVYfJ4iy6OmYFRg62htu33RyvuceqTp 0rKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=J3VPAc5hc1beoFQlEY8UmpcylWVa8Cg5xRcsnWIJYsU=; b=E6kBPKoGBWH42bfmJx7R2yxB+jV4a5WNPen0EmNaeyrrG5jDwLyAtxgPLHXPfxy71Z /KpSEZXN3dvd/7omsqXEHegQj9Z6zxIvbgoLq1hiU6sM3msxXsbQSGGa4L6kUtZdHNym bWwcvrRDbjt2kCbt/SlSeD4q14BpQUyy0YmLOysWgxvAnBBXJtdibAlm/X8L0GsWz/S7 JlohRkKNzTAhQesSFuqBJM69WEOja6HIFqEjVvRbb9Z/HY/aHrTBs6ituJm6a/kDe6HV 3l40IWNDnJ8bmzn7g/Vo2FqptLUbsd+Ac+oUftOe9A8crRIOZxJsmYRd3O4m6AZESh3M 8caA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=SCfTwXbW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u11-20020a50a40b000000b004408bac1e2fsi2193129edb.370.2022.08.17.10.27.10; Wed, 17 Aug 2022 10:27:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=SCfTwXbW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238406AbiHQRUD (ORCPT + 99 others); Wed, 17 Aug 2022 13:20:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38838 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236907AbiHQRUB (ORCPT ); Wed, 17 Aug 2022 13:20:01 -0400 Received: from mail-oa1-x36.google.com (mail-oa1-x36.google.com [IPv6:2001:4860:4864:20::36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0816A9D123 for ; Wed, 17 Aug 2022 10:20:00 -0700 (PDT) Received: by mail-oa1-x36.google.com with SMTP id 586e51a60fabf-11c59785966so2186951fac.11 for ; Wed, 17 Aug 2022 10:20:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc; bh=J3VPAc5hc1beoFQlEY8UmpcylWVa8Cg5xRcsnWIJYsU=; b=SCfTwXbWYFitH2mVeMfBTd8oUH/KXZXgT8BIHGPDHUz6Dh2NBNFER7vPRljNHOMTFo KXtqFlvPL4lL17cgNJvrWIL+oBZBL3hfA/4TF/6agOW/b0NEbp1HDA65CyIc4aI0Hg4O 9QrN64jfHSs2gwNJ6GG6Moo1MesbpkxU5f5zMP9wBarJTL4boyoERBQqemFIZS8kZ7sq fYCsSrGuWP1ZKJPDDW1ZXKSMmIYtQKUqVlrehGPAX1JkUdATUfmohOtCPObMo0gcVykX EIK5RsltW8fLfHbazgsMlFWQRFdlFS9An0Zq+IChTVai5fJHiFS7XsnFqGx3Ls8l9FJ0 go0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc; bh=J3VPAc5hc1beoFQlEY8UmpcylWVa8Cg5xRcsnWIJYsU=; b=llc4oLw2clqls74Pzxl/fYFZUJPIn508oSWKaJHWPKB1u0P3ZPMcC4dbLi/PrvEVr2 Ahyzqw/uiH1JX4ZazrRJCn3wcoaeRS3gIjp9pkcDfNGFpAI/TV+z7NLumLgFqbEC+hjd s6yz46ipfUh/49i3p6St6FVdd0RrbhmkVRQcg/bUDwaslKhko0hWNqhm2NEptqjaDxgE uqH0MVJ6Ax50iSR5jeIl79LBvIWoiMagj0caKznXs4UMraaGXScaquckv1yaBu+EF5Im 3PkM1OCxVhzA6laiyrsK7ulzsGNT21FBWzcP3lUCLAP7qgu0pvtUixu8yaEMo3B5s+2I lf4Q== X-Gm-Message-State: ACgBeo3XELm4MPQQV8sCPa0icKgkjGMZ2ioK48qKS4ELfdQmDk6l/oOB o9OpUiPoSxyvh6lD5UOVtPxzpWKn8NlrzdqDbjPd X-Received: by 2002:a05:6870:a78d:b0:11c:437b:ec70 with SMTP id x13-20020a056870a78d00b0011c437bec70mr2325509oao.136.1660756799347; Wed, 17 Aug 2022 10:19:59 -0700 (PDT) MIME-Version: 1.0 References: <20220725124123.12975-1-flaniel@linux.microsoft.com> <4420381.LvFx2qVVIh@pwmachine> <664f29c3-77a6-2ed9-5c55-f181397b09a2@schaufler-ca.com> In-Reply-To: <664f29c3-77a6-2ed9-5c55-f181397b09a2@schaufler-ca.com> From: Paul Moore Date: Wed, 17 Aug 2022 13:19:48 -0400 Message-ID: Subject: Re: [RFC PATCH v4 0/2] Add capabilities file to securityfs To: Casey Schaufler Cc: Francis Laniel , linux-security-module@vger.kernel.org, Eric Biederman , Serge Hallyn , James Morris , open list , "open list:BPF [MISC]" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Aug 17, 2022 at 12:49 PM Casey Schaufler w= rote: > On 8/17/2022 9:10 AM, Paul Moore wrote: > > On Wed, Aug 17, 2022 at 11:50 AM Casey Schaufler wrote: > >> On 8/17/2022 7:52 AM, Paul Moore wrote: > >>> On Wed, Aug 17, 2022 at 7:53 AM Francis Laniel > >>> wrote: > >>>> Le mardi 16 ao=C3=BBt 2022, 23:59:41 CEST Paul Moore a =C3=A9crit : > >>>>> On Mon, Jul 25, 2022 at 8:42 AM Francis Laniel > >>>>> > >>>>> wrote: > >>>>>> Hi. > >>>>>> > >>>>>> First, I hope you are fine and the same for your relatives. > >>>>> Hi Francis :) > >>>>> > >>>>>> A solution to this problem could be to add a way for the userspace= to ask > >>>>>> the kernel about the capabilities it offers. > >>>>>> So, in this series, I added a new file to securityfs: > >>>>>> /sys/kernel/security/capabilities. > >>>>>> The goal of this file is to be used by "container world" software = to know > >>>>>> kernel capabilities at run time instead of compile time. > >>>>> ... > >>>>> > >>>>>> The kernel already exposes the last capability number under: > >>>>>> /proc/sys/kernel/cap_last_cap > >>>>> I'm not clear on why this patchset is needed, why can't the > >>>>> application simply read from "cap_last_cap" to determine what > >>>>> capabilities the kernel supports? > >>>> When you capabilities with, for example, docker, you will fill capab= ilities > >>>> like this: > >>>> docker run --rm --cap-add SYS_ADMIN debian:latest echo foo > >>>> As a consequence, the "echo foo" will be run with CAP_SYS_ADMIN set. > >>>> > >>>> Sadly, each time a new capability is added to the kernel, it means "= container > >>>> stack" software should add a new string corresponding to the number = of the > >>>> capabilities [1]. > >>> Thanks for clarifying things, I thought you were more concerned about > >>> detecting what capabilities the running kernel supported, I didn't > >>> realize it was getting a string literal for each supported capability= . > >>> Unless there is a significant show of support for this > >> I believe this could be a significant help in encouraging the use of > >> capabilities. An application that has to know the list of capabilities > >> at compile time but is expected to run unmodified for decades isn't > >> going to be satisfied with cap_last_cap. The best it can do with that > >> is abort, not being able to ask an admin what to do in the presence of > >> a capability that wasn't around before because the name isn't known. > > An application isn't going to be able to deduce the semantic value of > > a capability based solely on a string value, > > True, but it can ask someone what to do, and in that case a string is > much better than a number ... If you are asking a user what to do, that user can just as easily look up the capability list to translate numbers to intent. If your security approach requires a user knowing all of the subtle details around a capability based on 10~15 character string, I wish you the best of luck :) --=20 paul-moore.com