Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp5069235rwb;
        Wed, 17 Aug 2022 10:27:38 -0700 (PDT)
X-Google-Smtp-Source: AA6agR7Caps5wdmLwP4nLJP+E5TstWoHBA8KDMCtvzz1O3W/9Hf8nbnyFehxx68ko/Xx5hU2HXU0
X-Received: by 2002:a05:6402:2949:b0:445:dc8d:44d with SMTP id ed9-20020a056402294900b00445dc8d044dmr3419789edb.60.1660757257991;
        Wed, 17 Aug 2022 10:27:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660757257; cv=none;
        d=google.com; s=arc-20160816;
        b=dslFBrbpR8tGXnpjaK2CJUOM3ixV++fbxdVcs+NqQsOv/aeeYPwzMyu6U8WgADwgjt
         XByXYQELvOByZ90uxSyq95F0gKkayfPHp4jGRtNYhssM5MVnEMvmMfgJjYZKD5DzTulY
         SFOY9gDK/OonCyI8OkVtl+NYx5qCCx0h3R2e0qH1cIB8s5i7lFRCdMh/ikVILOFQ1Ym2
         fNN08dcBqPyhZZzuSXfcXVXPdrOT5jInSwVF9elE1xVhqVwp95SyIeIhlyk4MYV4k2D7
         QSnODYlwdyh3j90EobGqAa2L7B4nCLJI+P4LQtVYfJ4iy6OmYFRg62htu33RyvuceqTp
         0rKQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=J3VPAc5hc1beoFQlEY8UmpcylWVa8Cg5xRcsnWIJYsU=;
        b=E6kBPKoGBWH42bfmJx7R2yxB+jV4a5WNPen0EmNaeyrrG5jDwLyAtxgPLHXPfxy71Z
         /KpSEZXN3dvd/7omsqXEHegQj9Z6zxIvbgoLq1hiU6sM3msxXsbQSGGa4L6kUtZdHNym
         bWwcvrRDbjt2kCbt/SlSeD4q14BpQUyy0YmLOysWgxvAnBBXJtdibAlm/X8L0GsWz/S7
         JlohRkKNzTAhQesSFuqBJM69WEOja6HIFqEjVvRbb9Z/HY/aHrTBs6ituJm6a/kDe6HV
         3l40IWNDnJ8bmzn7g/Vo2FqptLUbsd+Ac+oUftOe9A8crRIOZxJsmYRd3O4m6AZESh3M
         8caA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=SCfTwXbW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id u11-20020a50a40b000000b004408bac1e2fsi2193129edb.370.2022.08.17.10.27.10;
        Wed, 17 Aug 2022 10:27:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=SCfTwXbW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238406AbiHQRUD (ORCPT <rfc822;andreqb@gmail.com> + 99 others);
        Wed, 17 Aug 2022 13:20:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38838 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236907AbiHQRUB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 Aug 2022 13:20:01 -0400
Received: from mail-oa1-x36.google.com (mail-oa1-x36.google.com [IPv6:2001:4860:4864:20::36])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0816A9D123
        for <linux-kernel@vger.kernel.org>; Wed, 17 Aug 2022 10:20:00 -0700 (PDT)
Received: by mail-oa1-x36.google.com with SMTP id 586e51a60fabf-11c59785966so2186951fac.11
        for <linux-kernel@vger.kernel.org>; Wed, 17 Aug 2022 10:20:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20210112.gappssmtp.com; s=20210112;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc;
        bh=J3VPAc5hc1beoFQlEY8UmpcylWVa8Cg5xRcsnWIJYsU=;
        b=SCfTwXbWYFitH2mVeMfBTd8oUH/KXZXgT8BIHGPDHUz6Dh2NBNFER7vPRljNHOMTFo
         KXtqFlvPL4lL17cgNJvrWIL+oBZBL3hfA/4TF/6agOW/b0NEbp1HDA65CyIc4aI0Hg4O
         9QrN64jfHSs2gwNJ6GG6Moo1MesbpkxU5f5zMP9wBarJTL4boyoERBQqemFIZS8kZ7sq
         fYCsSrGuWP1ZKJPDDW1ZXKSMmIYtQKUqVlrehGPAX1JkUdATUfmohOtCPObMo0gcVykX
         EIK5RsltW8fLfHbazgsMlFWQRFdlFS9An0Zq+IChTVai5fJHiFS7XsnFqGx3Ls8l9FJ0
         go0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc;
        bh=J3VPAc5hc1beoFQlEY8UmpcylWVa8Cg5xRcsnWIJYsU=;
        b=llc4oLw2clqls74Pzxl/fYFZUJPIn508oSWKaJHWPKB1u0P3ZPMcC4dbLi/PrvEVr2
         Ahyzqw/uiH1JX4ZazrRJCn3wcoaeRS3gIjp9pkcDfNGFpAI/TV+z7NLumLgFqbEC+hjd
         s6yz46ipfUh/49i3p6St6FVdd0RrbhmkVRQcg/bUDwaslKhko0hWNqhm2NEptqjaDxgE
         uqH0MVJ6Ax50iSR5jeIl79LBvIWoiMagj0caKznXs4UMraaGXScaquckv1yaBu+EF5Im
         3PkM1OCxVhzA6laiyrsK7ulzsGNT21FBWzcP3lUCLAP7qgu0pvtUixu8yaEMo3B5s+2I
         lf4Q==
X-Gm-Message-State: ACgBeo3XELm4MPQQV8sCPa0icKgkjGMZ2ioK48qKS4ELfdQmDk6l/oOB
        o9OpUiPoSxyvh6lD5UOVtPxzpWKn8NlrzdqDbjPd
X-Received: by 2002:a05:6870:a78d:b0:11c:437b:ec70 with SMTP id
 x13-20020a056870a78d00b0011c437bec70mr2325509oao.136.1660756799347; Wed, 17
 Aug 2022 10:19:59 -0700 (PDT)
MIME-Version: 1.0
References: <20220725124123.12975-1-flaniel@linux.microsoft.com>
 <CAHC9VhTmgMfzc+QY8kr+BYQyd_5nEis0Y632w4S2_PGudTRT7g@mail.gmail.com>
 <4420381.LvFx2qVVIh@pwmachine> <CAHC9VhSMeefG5W_uuTNQYmUUZ1xcuqArxYs5sL9KOzUO_skCZw@mail.gmail.com>
 <ab1bbd48-c48d-5f5a-f090-428ffd54c07e@schaufler-ca.com> <CAHC9VhTxYaLXFbS6JnpskOkADNbL8BA5614VuK3sDTHW6DE3uQ@mail.gmail.com>
 <664f29c3-77a6-2ed9-5c55-f181397b09a2@schaufler-ca.com>
In-Reply-To: <664f29c3-77a6-2ed9-5c55-f181397b09a2@schaufler-ca.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Wed, 17 Aug 2022 13:19:48 -0400
Message-ID: <CAHC9VhTkkhgmj8R6fmuoffLUU+UnYqxOi-kDWmJQ9F9jtwuLxg@mail.gmail.com>
Subject: Re: [RFC PATCH v4 0/2] Add capabilities file to securityfs
To:     Casey Schaufler <casey@schaufler-ca.com>
Cc:     Francis Laniel <flaniel@linux.microsoft.com>,
        linux-security-module@vger.kernel.org,
        Eric Biederman <ebiederm@xmission.com>,
        Serge Hallyn <serge@hallyn.com>,
        James Morris <jmorris@namei.org>,
        open list <linux-kernel@vger.kernel.org>,
        "open list:BPF [MISC]" <bpf@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 17, 2022 at 12:49 PM Casey Schaufler <casey@schaufler-ca.com> w=
rote:
> On 8/17/2022 9:10 AM, Paul Moore wrote:
> > On Wed, Aug 17, 2022 at 11:50 AM Casey Schaufler <casey@schaufler-ca.co=
m> wrote:
> >> On 8/17/2022 7:52 AM, Paul Moore wrote:
> >>> On Wed, Aug 17, 2022 at 7:53 AM Francis Laniel
> >>> <flaniel@linux.microsoft.com> wrote:
> >>>> Le mardi 16 ao=C3=BBt 2022, 23:59:41 CEST Paul Moore a =C3=A9crit :
> >>>>> On Mon, Jul 25, 2022 at 8:42 AM Francis Laniel
> >>>>>
> >>>>> <flaniel@linux.microsoft.com> wrote:
> >>>>>> Hi.
> >>>>>>
> >>>>>> First, I hope you are fine and the same for your relatives.
> >>>>> Hi Francis :)
> >>>>>
> >>>>>> A solution to this problem could be to add a way for the userspace=
 to ask
> >>>>>> the kernel about the capabilities it offers.
> >>>>>> So, in this series, I added a new file to securityfs:
> >>>>>> /sys/kernel/security/capabilities.
> >>>>>> The goal of this file is to be used by "container world" software =
to know
> >>>>>> kernel capabilities at run time instead of compile time.
> >>>>> ...
> >>>>>
> >>>>>> The kernel already exposes the last capability number under:
> >>>>>> /proc/sys/kernel/cap_last_cap
> >>>>> I'm not clear on why this patchset is needed, why can't the
> >>>>> application simply read from "cap_last_cap" to determine what
> >>>>> capabilities the kernel supports?
> >>>> When you capabilities with, for example, docker, you will fill capab=
ilities
> >>>> like this:
> >>>> docker run --rm --cap-add SYS_ADMIN debian:latest echo foo
> >>>> As a consequence, the "echo foo" will be run with CAP_SYS_ADMIN set.
> >>>>
> >>>> Sadly, each time a new capability is added to the kernel, it means "=
container
> >>>> stack" software should add a new string corresponding to the number =
of the
> >>>> capabilities [1].
> >>> Thanks for clarifying things, I thought you were more concerned about
> >>> detecting what capabilities the running kernel supported, I didn't
> >>> realize it was getting a string literal for each supported capability=
.
> >>> Unless there is a significant show of support for this
> >> I believe this could be a significant help in encouraging the use of
> >> capabilities. An application that has to know the list of capabilities
> >> at compile time but is expected to run unmodified for decades isn't
> >> going to be satisfied with cap_last_cap. The best it can do with that
> >> is abort, not being able to ask an admin what to do in the presence of
> >> a capability that wasn't around before because the name isn't known.
> > An application isn't going to be able to deduce the semantic value of
> > a capability based solely on a string value,
>
> True, but it can ask someone what to do, and in that case a string is
> much better than a number ...

If you are asking a user what to do, that user can just as easily look
up the capability list to translate numbers to intent.  If your
security approach requires a user knowing all of the subtle details
around a capability based on 10~15 character string, I wish you the
best of luck :)

--=20
paul-moore.com