Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp4254718rwn;
        Sun, 11 Sep 2022 08:09:34 -0700 (PDT)
X-Google-Smtp-Source: AA6agR577oWlEypp6IA9dPQ+x3gRZrMOQS8uu+cDDVx1Md4vwFZ2rZ9a96Qcaj2XlXsfTn6RgHLC
X-Received: by 2002:a63:90c9:0:b0:434:b578:3bb4 with SMTP id a192-20020a6390c9000000b00434b5783bb4mr19052957pge.389.1662908974169;
        Sun, 11 Sep 2022 08:09:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1662908974; cv=none;
        d=google.com; s=arc-20160816;
        b=mbIEX5B+sM/tU6kDAEl8Tz2E52ahkNffFnToaKbpOjmmDIStuz/GHPxKYiPcsv7qCE
         88JL5kkQENE4pzWf6JXy5l9ujeJGidOThPTfN2H0LOVuSBqhMJHFve1RIvac1JCEUgvn
         l2kydPPERI9HOq066DoDxGb+TsozVjvnMW9AwrKv8TI3xGH13slzbMG/h3nq+csr/Eza
         7lz8hMDTDva/mLyTq12ytrlDmcGMafDDm81i+Mm+JR8B+Fqbo3xODO8lK5MZz+vs9ccn
         a1lyB5QQ0wpKLdXLmTsFw2t5MT5ji1LMJw1lsTy/sXWzzu5z+lYDGGtD6zZ8A7bWdyfP
         Wc+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=hJPv6652ahb8MzC7fon360LOpHJzm2WnHUULBpAhCsc=;
        b=cPfgzEJUNAYFhRG6v7T2Yijp7vLHKzakkmgpW/c2gSJrJSoyUKCibnD3u65/eNqnFz
         QYN5D0siD6PaYoO1aUtqsQ3HXBg0DcOoYwNnQhzHPXKVKRDeFat+SeOsccjrMqrqJeJn
         PsaL8sg4N+WfLYP0gVjevImvW8hl5ve266elqAiAad2WsktcM+SqkaJJ5imJY07cT9T2
         RIjbPxNpykx43bv3s0usaXdZkUCAXA5F71J/WTWQGjacwTSLSFj+LUcee4n5utSrixIc
         uuhis34Hvel8QSFrR1Ax8/U/M1KVbVuEJZfrMf4f+OTHHO6deZc1ypO/jcI/hHW/ybew
         7K8A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@mit.edu header.s=outgoing header.b=ThyXbfr1;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id q31-20020a631f5f000000b0041ab564a1ecsi6808482pgm.107.2022.09.11.08.09.05;
        Sun, 11 Sep 2022 08:09:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@mit.edu header.s=outgoing header.b=ThyXbfr1;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229640AbiIKO7j (ORCPT <rfc822;netamego@gmail.com> + 99 others);
        Sun, 11 Sep 2022 10:59:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34576 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229540AbiIKO7g (ORCPT
        <rfc822;linux-nfs@vger.kernel.org>); Sun, 11 Sep 2022 10:59:36 -0400
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 39BE02DC2;
        Sun, 11 Sep 2022 07:59:35 -0700 (PDT)
Received: from letrec.thunk.org ([185.122.133.20])
        (authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
        by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 28BExOjt020167
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Sun, 11 Sep 2022 10:59:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing;
        t=1662908368; bh=hJPv6652ahb8MzC7fon360LOpHJzm2WnHUULBpAhCsc=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To;
        b=ThyXbfr1ATcEaJinbd0Uqg13ruenlZfVebuM/ldJZzA44E2aHRatcfrYgqFfu4vSv
         px5j5djDgx4wf6WevzLHpeqPret3cjWwhQmYwfvDKbF760CuzvQyFVKf51TR3TlAVr
         GzKvpQlgSF+xGl7b9m/QyK+oc9nXsmMPYrp6RraTRWNhBSOfhx54YOLGLNEskwdv3H
         ZlL5KLgdO/YnZtHdDxVRpyaHTh/F7XUN9fGrqsQD0ZjvaJ9/MD9FMvrBET76IYq+sG
         10UpHnWdXMRtoDP6yC93KXs3qItAHtc6N4FSu0UrMs7pV1V8cGKWeeThfJOg0JTDb0
         NLnpmE9QuQSXQ==
Received: by letrec.thunk.org (Postfix, from userid 15806)
        id 64D338C0D1A; Sun, 11 Sep 2022 06:00:41 -0400 (EDT)
Date:   Sun, 11 Sep 2022 06:00:41 -0400
From:   "Theodore Ts'o" <tytso@mit.edu>
To:     Casey Schaufler <casey@schaufler-ca.com>
Cc:     Chuck Lever III <chuck.lever@oracle.com>,
        battery dude <jyf007@gmail.com>,
        Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        "linux-security-module@vger.kernel.org" 
        <linux-security-module@vger.kernel.org>,
        "selinux@vger.kernel.org" <selinux@vger.kernel.org>
Subject: Re: Does NFS support Linux Capabilities
Message-ID: <Yx2xyW5n0ECZX9bJ@mit.edu>
References: <CAMBbDaF2Ni0gMRKNeFTQwgAOPPYy7RLXYwDJyZ1edq=tfATFzw@mail.gmail.com>
 <1D8F1768-D42A-4775-9B0E-B507D5F9E51E@oracle.com>
 <YxsGIoFlKkpQdSDY@mit.edu>
 <8865e109-3ec6-f848-8014-9fe58e3876f4@schaufler-ca.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <8865e109-3ec6-f848-8014-9fe58e3876f4@schaufler-ca.com>
X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DATE_IN_PAST_03_06,
        DKIM_INVALID,DKIM_SIGNED,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

On Fri, Sep 09, 2022 at 08:59:41AM -0700, Casey Schaufler wrote:
> 
> Data General's UNIX system supported in excess of 330 capabilities.
> Linux is currently using 40. Linux has deviated substantially from
> the Withdrawn Draft, especially in the handling of effective capabilities.
> I believe that you could support POSIX capabilities or Linux capabilities,
> but an attempt to support both is impractical.

Yeah, good point, I had forgotten about how we (Linux) ended up
diverging from POSIX 1.e when we changed how effective capabilities
were calculated.

> Supporting any given UNIX implementation is possible, but once you
> get past the POSIX defined capabilities into the vendor specific
> ones interoperability ain't gonna happen.

And from an NFS perspective, if we had (for example) a Trusted Solaris
trying to emulate Linux binaries over NFS with capabilities masks, I
suspect trying to map Linux's Capabilities onto Trusted Solaris's
implementation of POSIX 1.e would be the least of Oracle's technical
challenges.  :-)

> > .. and this is why the C2 by '92 initiative was doomed to failure,
> > and why Posix.1e never completed the standardization process.  :-)
> 
> The POSIX.1e effort wasn't completed because vendors lost interest
> in the standards process and because they lost interest in the
> evaluated security process.

It was my sense was that the reason why they lost interested in the
evaluated security process was simply that the business case didn't
make any sense.  That is, the $$$ they might get from US Government
sales was probability not worth the opportunity cost of the engineers
tasked to work on Trusted {AIX,DG,HPUX,Solaris}.  Heck, I'm not sure
the revenue would balance out the _costs_, let alone the opportunity
costs...

> Granularity was always a bone of contention in the working group.
> What's sad is that granularity wasn't the driving force behind capabilities.
> The important point was to separate privilege from UID 0. In the end
> I think we'd have been better off with one capability, CAP_PRIVILEGED,
> defined in the specification and a note saying that beyond that you were
> on your own.

Well, hey, we almost have that already, sort of --- CAP_SYS_ADMIN ==
"root", for almost all intents and purposes.  :-)

						- Ted