2006-01-29 20:04:25

by Łukasz Stelmach

[permalink] [raw]
Subject: security capabilities on filesystems

Greetings.

I've poke around for some information but all I got (was this lousy t-shirt)
that there is no support for capablities stored on a filesystem. However, I'd
like to ask if there are any chances to see this feature soon.

Best regards.

PS. Please CC.
--
Było mi bardzo miło. Czwarta pospolita klęska, [...]
>Łukasz< Już nie katolicka lecz złodziejska. (c)PP


Attachments:
signature.asc (256.00 B)
OpenPGP digital signature

2006-01-30 00:00:38

by Peter Gordon

[permalink] [raw]
Subject: Re: security capabilities on filesystems

On 1/29/06, Lukasz Stelmach <[email protected]> wrote:
> Greetings.
>
> I've poke around for some information but all I got (was this lousy t-shirt)
> that there is no support for capablities stored on a filesystem. However, I'd
> like to ask if there are any chances to see this feature soon.
>

What do you mean exactly? Ext2 (and its journalled cousin, Ext3; I'm
not certain of other filesystems) can both store POSIX-style Access
Control Lists (ACLs) and SELinux labeling as part of the inode
metadata. Hope this helps.

2006-01-30 00:34:15

by Łukasz Stelmach

[permalink] [raw]
Subject: Re: security capabilities on filesystems

Peter Gordon wrote:

>>I've poke around for some information but all I got (was this lousy t-shirt)
>>that there is no support for capablities stored on a filesystem. However, I'd
>>like to ask if there are any chances to see this feature soon.
>
> What do you mean exactly? Ext2 (and its journalled cousin, Ext3; I'm
> not certain of other filesystems) can both store POSIX-style Access
> Control Lists (ACLs) and SELinux labeling as part of the inode
> metadata.

Reiserfs, xfs and jfs too.

Yet they all can't store, or I don't know how to set it up, POSIX
capabilities for executables. Those like CAP_NET_RAW or CAP_SYS_RAWIO.
The former is useful for ping the latter (was?) for X11. I know that this
functionality can be achived with SELinux but it's to havy-weight for me.
I'd rather implement BSD seclevels and capabilities.

> Hope this helps.

I am afraid no :-(

Bye.
--
Było mi bardzo miło. Czwarta pospolita klęska, [...]
>Łukasz< Już nie katolicka lecz złodziejska. (c)PP


Attachments:
signature.asc (256.00 B)
OpenPGP digital signature

2006-01-30 08:52:34

by Arjan van de Ven

[permalink] [raw]
Subject: Re: security capabilities on filesystems

On Sun, 2006-01-29 at 21:04 +0100, Lukasz Stelmach wrote:
> Greetings.
>
> I've poke around for some information but all I got (was this lousy t-shirt)
> that there is no support for capablities stored on a filesystem. However, I'd
> like to ask if there are any chances to see this feature soon.

this has been asked many many times, and the answer seems to always have
been "no because that's not secure"; I suggest google as a way to find
out more details...

2006-01-30 16:07:27

by Stephen Smalley

[permalink] [raw]
Subject: Re: security capabilities on filesystems

On Sun, 2006-01-29 at 21:04 +0100, Lukasz Stelmach wrote:
> Greetings.
>
> I've poke around for some information but all I got (was this lousy t-shirt)
> that there is no support for capablities stored on a filesystem. However, I'd
> like to ask if there are any chances to see this feature soon.

Storage of the capability bits isn't the hard part; that is especially
easy these days given the extensible security namespace for extended
attributes that was introduced for SELinux (but not limited to it).

# touch foo
# setfattr -n security.capability.effcap -v 0xdeadbeef foo
# getfattr -e hex -n security.capability.effcap foo
# file: foo
security.capability.effcap=0xdeadbeef

--
Stephen Smalley
National Security Agency