Quoting Andrew Morgan ([EMAIL PROTECTED]):
> Let's try that again with fewer exotic characters. (Still not exactly
> sure how I was attacked by i18n.)
>
> Cheers
>
> Andrew
>
> Andrew Morgan wrote:
> > Andrew Morgan wrote:
> >> Serge E. Hallyn wrote:
> >>>> 0. fix the implementation of cap_setpcap. It is supposed to mean 'this
> >>>> process can raise capabilities, outside its permitted set, in _its own_
> >>>> inheritable set'.
> >
> > Here is support for the new CAP_SETPCAP behavior. I've implemented it as
> > only taking effect if you compile with filesystem capabilities. Thanks
> > to Sergey for comments and suggestions!
> >From 20a905dbcaaddaba352f48bfc2ab6b09661e140e Mon Sep 17 00:00:00 2001 
> From: Andrew Morgan <[EMAIL PROTECTED]> > Date: Wed, 15 Aug 2007 07:27:29 -0700 > Subject: [PATCH] File capabilities implementation of CAP_SETPCAP > > The non-filesystem capability meaning of CAP_SETPCAP is that a > process, p1, can change the capabilities of another process, p2. This > is not the meaning that was intended for this capability at all, and > this implementation came about purely because, without filesystem > capabilities, there was no way to use capabilities without one process > bestowing them on another. > > Since we now have a filesystem support for capabilities we can fix the > implementation of CAP_SETPCAP. > > The most significant thing about this change is that, with it in > effect, no process can set the capabilities of another process. > > The capabilities of a program are set via the capability convolution > rules: > > pI(post-exec) = pI(pre-exec) > pP(post-exec) = (X(aka cap_bset) & fP) | (pI(post-exec) & fI) > pE(post-exec) = fE ? pP(post-exec) : 0 > > at exec() time. As such, the only influence the pre-exec() program can > have on the post-exec() program's capabilities are through the pI > capability set. > > The correct implementation for CAP_SETPCAP (and that enabled by this > patch) is that it can be used to add extra pI capabilities to the > current process - to be picked up by subsequent exec()s when the above > convolution rules are applied. > > Here is how it works: > > Let's say we have a process, p. It has capability sets, pE, pP and pI. > Generally, p, can change the value of its own pI to pI' where > > (pI' & ~pI) & ~pP = 0. > > That is, the only new things in pI' that were not present in pI need to > be present in pP. 
> > The role of CAP_SETPCAP is basically to permit changes to pI beyond > the above: > > if (pE & CAP_SETPCAP) { > pI' = anything; /* ie., even (pI' & ~pI) & ~pP != 0 */ > } > > This capability is useful for things like login, which (say, via > pam_cap) might want to raise certain inheritable capabilities for use > by the children of the logged-in user's shell, but those capabilities > are not useful to or needed by the login program itself. > > One such use might be to limit who can run ping. You set the > capabilities of the 'ping' program to be "= cap_net_raw+i", and then > only shells that have (pI & CAP_NET_RAW) will be able to run > it. Without CAP_SETPCAP implemented as described above, login(pam_cap) > would have to also have (pP & CAP_NET_RAW) in order to raise this > capability and pass it on through the inheritable set. > > Signed-off-by: Andrew Morgan <[EMAIL PROTECTED]> > --- > include/linux/capability.h | 4 --- > include/linux/security.h | 5 ++++ > kernel/capability.c | 8 +----- > kernel/sysctl.c | 2 +- > security/commoncap.c | 57 > ++++++++++++++++++++++++++++++++++++++++---- > 5 files changed, 59 insertions(+), 17 deletions(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index 8961e7f..7a8d7ad 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -310,10 +310,6 @@ typedef __u32 kernel_cap_t; > #define CAP_SETFCAP 31 > > #ifdef __KERNEL__ > -/* > - * Bounding set > - */ > -extern kernel_cap_t cap_bset; > > /* > * Internal kernel functions only > diff --git a/include/linux/security.h b/include/linux/security.h > index e38230f..10777d9 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -34,6 +34,11 @@ > #include <linux/xfrm.h> > #include <net/flow.h> > > +/* > + * Bounding set > + */ > +extern kernel_cap_t cap_bset; > + > struct ctl_table; > > /* > diff --git a/kernel/capability.c b/kernel/capability.c > index 8c4773c..55aa5f0 100644 > --- a/kernel/capability.c 
> +++ b/kernel/capability.c > @@ -3,7 +3,7 @@ > * > * Copyright (C) 1997 Andrew Main <[EMAIL PROTECTED]> > * > - * Integrated into 2.1.97+, Andrew G. Morgan <[EMAIL PROTECTED]> > + * Integrated into 2.1.97+, Andrew G. Morgan <[EMAIL PROTECTED]> > * 30 May 2002: Cleanup, Robert M. Love <[EMAIL PROTECTED]> > */ > > @@ -15,12 +15,6 @@ > #include <linux/pid_namespace.h> > #include <asm/uaccess.h> > > -unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */ > -kernel_cap_t cap_bset = CAP_INIT_EFF_SET; > - > -EXPORT_SYMBOL(securebits); > -EXPORT_SYMBOL(cap_bset); > - > /* > * This lock protects task->cap_* for all tasks including current. > * Locking rule: acquire this prior to tasklist_lock. > diff --git a/kernel/sysctl.c b/kernel/sysctl.c > index 8ced8cc..d325986 100644 > --- a/kernel/sysctl.c > +++ b/kernel/sysctl.c > @@ -25,7 +25,7 @@ > #include <linux/swap-prefetch.h> > #include <linux/sysctl.h> > #include <linux/proc_fs.h> > -#include <linux/capability.h> > +#include <linux/security.h> > #include <linux/ctype.h> > #include <linux/utsname.h> > #include <linux/smp_lock.h> > diff --git a/security/commoncap.c b/security/commoncap.c > index 7816cdc..6a6c19f 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c 
> @@ -25,6 +25,23 @@ > #include <linux/mount.h> > #include <linux/sched.h> > > +#ifdef CONFIG_SECURITY_FILE_CAPABILITIES > +/* > + * Because of the reduced scope of CAP_SETPCAP when filesystem > + * capabilities are in effect, it is safe to allow this capability to > + * be available in the default configuration. > + */ > +# define CAP_INIT_BSET CAP_FULL_SET > +#else /* ie. ndef CONFIG_SECURITY_FILE_CAPABILITIES */ > +# define CAP_INIT_BSET CAP_INIT_EFF_SET > +#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ > + > +unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */ > +EXPORT_SYMBOL(securebits); > + > +kernel_cap_t cap_bset = CAP_INIT_BSET; /* systemwide capability bound */ > +EXPORT_SYMBOL(cap_bset);

(Sorry, I should have run shorter tests to get these results a little quicker...)

Unfortunately these can't be moved here. If you have SECURITY=y SECURITY_CAPABILITIES=n then commoncap is not compiled, and security/dummy.c wants securebits, kernel/sysctl.c wants cap_bset.

thanks,
-serge
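Review bot: moving `extern kernel_cap_t cap_bset;` from include/linux/capability.h to include/linux/security.h changes which header every user of cap_bset must include. The kernel/sysctl.c hunk is adjusted for that, but the diffstat touches neither security/dummy.c nor any declaration of securebits, both of which the reply says are needed when commoncap.c is not built; leaving the extern in capability.h, where kernel_cap_t is defined, avoids adding a security.h dependency for a plain kernel_cap_t symbol.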
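Review bot: in kernel/sysctl.c, replacing `#include <linux/capability.h>` with `#include <linux/security.h>` only works if security.h itself pulls in capability.h for kernel_cap_t and the CAP_* macros; if it does not, sysctl.c silently loses those definitions. Adding the security.h include alongside the existing capability.h include, rather than swapping one for the other, makes the dependency explicit.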
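Review bot: the first kernel/capability.c hunk (@@ -3,7 +3,7 @@) replaces the "Integrated into 2.1.97+" comment line with one that reads identically here, so it appears to be a character-encoding or whitespace-only change (the cover note mentions dropping "exotic characters"); an unrelated comment edit should be split out or mentioned in the commit message. The second hunk removes the securebits and cap_bset definitions and their EXPORT_SYMBOL lines from a file that is always compiled, which is exactly what makes their new home in commoncap.c fragile.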
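Review bot: defining securebits and cap_bset in security/commoncap.c means the symbols exist only when commoncap.c is compiled, yet security/dummy.c and kernel/sysctl.c reference them unconditionally, which is the SECURITY=y, SECURITY_CAPABILITIES=n build break the reply points out. Keep the two definitions in kernel/capability.c and move only the CAP_INIT_BSET selection, e.g. `kernel_cap_t cap_bset = CAP_INIT_BSET;` with the CONFIG_SECURITY_FILE_CAPABILITIES #ifdef block placed in that file or a shared header. Separately, the diffstat credits security/commoncap.c with 57 changed lines while only this one 23-line hunk is quoted, so the change that actually narrows CAP_SETPCAP, the behaviour the subject line describes, is not visible for review in this message.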
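Worked example, added as part of this edit and not taken from Andrew's patch or the kernel tree: a user-space C model of the exec()-time convolution rules and the pI-change rule quoted in the commit message above, applied to the login/pam_cap and ping scenarios it describes. It assumes a 32-bit kernel_cap_t (as in kernels of this era) and the real bit numbers CAP_SETPCAP = 8 and CAP_NET_RAW = 13; the struct names, cap_exec, cap_may_set_inheritable and the scenario helpers are illustrative names chosen here, not kernel APIs.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model: kernel_cap_t as a 32-bit mask (kernels of this era). */
typedef uint32_t kernel_cap_t;

/* Bit numbers as in include/linux/capability.h. */
#define CAP_SETPCAP   8
#define CAP_NET_RAW  13
#define CAP_TO_MASK(cap) ((kernel_cap_t)1u << (cap))
#define CAP_FULL_SET  ((kernel_cap_t)~0u)

struct proc_caps { kernel_cap_t pE, pP, pI; };      /* effective, permitted, inheritable */
struct file_caps { kernel_cap_t fP, fI; bool fE; }; /* file permitted, inheritable, effective flag */

/* exec()-time convolution, as written in the commit message:
 *   pI' = pI
 *   pP' = (cap_bset & fP) | (pI' & fI)
 *   pE' = fE ? pP' : 0
 */
struct proc_caps cap_exec(struct proc_caps pre, struct file_caps f, kernel_cap_t cap_bset)
{
    struct proc_caps post;
    post.pI = pre.pI;
    post.pP = (cap_bset & f.fP) | (post.pI & f.fI);
    post.pE = f.fE ? post.pP : 0;
    return post;
}

/* Rule for a process changing its own inheritable set: every new bit
 * must already be in pP, unless pE carries CAP_SETPCAP. */
bool cap_may_set_inheritable(struct proc_caps p, kernel_cap_t new_pI)
{
    if (p.pE & CAP_TO_MASK(CAP_SETPCAP))
        return true;                            /* pI' = anything */
    return ((new_pI & ~p.pI) & ~p.pP) == 0;     /* (pI' & ~pI) & ~pP == 0 */
}

/* The ping scenario: ping carries "= cap_net_raw+i", i.e. fP = 0,
 * fI = CAP_NET_RAW, effective flag off. Returns true if a shell whose
 * inheritable set is shell_pI execs a ping holding CAP_NET_RAW in pP. */
bool ping_gets_net_raw(kernel_cap_t shell_pI)
{
    struct proc_caps shell = { .pE = 0, .pP = 0, .pI = shell_pI };
    struct file_caps ping  = { .fP = 0, .fI = CAP_TO_MASK(CAP_NET_RAW), .fE = false };
    struct proc_caps post  = cap_exec(shell, ping, CAP_FULL_SET);
    return (post.pP & CAP_TO_MASK(CAP_NET_RAW)) != 0;
}

/* login (via pam_cap) holding CAP_SETPCAP but no CAP_NET_RAW in pP tries to
 * raise CAP_NET_RAW in its own pI so the user's shell inherits it. */
bool login_may_raise_net_raw(bool login_has_setpcap)
{
    kernel_cap_t setpcap = login_has_setpcap ? CAP_TO_MASK(CAP_SETPCAP) : 0;
    struct proc_caps login = { .pE = setpcap, .pP = setpcap, .pI = 0 };
    return cap_may_set_inheritable(login, CAP_TO_MASK(CAP_NET_RAW));
}

/* The bounding set X masks the file's permitted bits: a file with
 * fP = CAP_NET_RAW and fE set yields nothing when cap_bset lacks the bit. */
bool bset_blocks_net_raw(kernel_cap_t cap_bset)
{
    struct proc_caps parent = { .pE = 0, .pP = 0, .pI = 0 };
    struct file_caps f = { .fP = CAP_TO_MASK(CAP_NET_RAW), .fI = 0, .fE = true };
    struct proc_caps post = cap_exec(parent, f, cap_bset);
    return (post.pE & CAP_TO_MASK(CAP_NET_RAW)) == 0;
}

int main(void)
{
    printf("shell with CAP_NET_RAW in pI -> ping permitted: %s\n",
           ping_gets_net_raw(CAP_TO_MASK(CAP_NET_RAW)) ? "yes" : "no");
    printf("shell without it             -> ping permitted: %s\n",
           ping_gets_net_raw(0) ? "yes" : "no");
    printf("login with CAP_SETPCAP may raise pI: %s\n",
           login_may_raise_net_raw(true) ? "yes" : "no");
    printf("login without CAP_SETPCAP:           %s\n",
           login_may_raise_net_raw(false) ? "yes" : "no");
    printf("cap_bset without CAP_NET_RAW blocks fP: %s\n",
           bset_blocks_net_raw(CAP_FULL_SET & ~CAP_TO_MASK(CAP_NET_RAW)) ? "yes" : "no");
    return 0;
}
```

With "= cap_net_raw+i" the file's effective flag is off, so post-exec pE is empty and a program that wants to use the capability must raise it from pP into pE itself; the check above therefore looks at pP. The login case is the point of the patch: with CAP_SETPCAP in pE, login can place CAP_NET_RAW in its inheritable set without ever holding it in pP, and without CAP_SETPCAP the same request fails the (pI' & ~pI) & ~pP == 0 rule.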