Re: [PATCH] proc: don't show nonexistent capabilities (v2)
Quoting Kees Cook (keesc...@chromium.org): > On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin wrote: > > Without this patch it is really hard to interpret a bounding set, > > if CAP_LAST_CAP is unknown for a current kernel. > > > > Non-existant capabilities can not be deleted from a bounding set > > with help of prctl. > > > > E.g.: Here are two examples without/with this patch. > > CapBnd: ffe0fdec > > CapBnd: fdec > > > > I suggest to hide non-existent capabilities. Here is two reasons. > > * It's logically and easier for using. > > * It helps to checkpoint-restore capabilities of tasks, because tasks > > can be restored on another kernel, where CAP_LAST_CAP is bigger. > > > > v2: Non-existent capabilities can not be removed from creds, because > > in this case user cannot set all=eip. This patch cleans up non-existent > > capabilities from content of /proc/pid/status > > > > Cc: Andrew G. Morgan > > Cc: Serge Hallyn Basic capsh tests seem to have no problem with it. Thanks, Andrew. Reviewed-by: Serge E. Hallyn > > Cc: Pavel Emelyanov > > Cc: Andrew Morton > > Cc: Kees Cook > > Cc: KAMEZAWA Hiroyuki > > Signed-off-by: Andrew Vagin > > Seems sensible to me. > > Reviewed-by: Kees Cook > > -Kees > > -- > Kees Cook > Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] proc: don't show nonexistent capabilities (v2)
Quoting Kees Cook (keesc...@chromium.org): On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin ava...@openvz.org wrote: Without this patch it is really hard to interpret a bounding set, if CAP_LAST_CAP is unknown for a current kernel. Non-existant capabilities can not be deleted from a bounding set with help of prctl. E.g.: Here are two examples without/with this patch. CapBnd: ffe0fdec CapBnd: fdec I suggest to hide non-existent capabilities. Here is two reasons. * It's logically and easier for using. * It helps to checkpoint-restore capabilities of tasks, because tasks can be restored on another kernel, where CAP_LAST_CAP is bigger. v2: Non-existent capabilities can not be removed from creds, because in this case user cannot set all=eip. This patch cleans up non-existent capabilities from content of /proc/pid/status Cc: Andrew G. Morgan mor...@kernel.org Cc: Serge Hallyn serge.hal...@canonical.com Basic capsh tests seem to have no problem with it. Thanks, Andrew. Reviewed-by: Serge E. Hallyn serge.hal...@canonical.com Cc: Pavel Emelyanov xe...@parallels.com Cc: Andrew Morton a...@linux-foundation.org Cc: Kees Cook keesc...@chromium.org Cc: KAMEZAWA Hiroyuki kamezawa.hir...@jp.fujitsu.com Signed-off-by: Andrew Vagin ava...@openvz.org Seems sensible to me. Reviewed-by: Kees Cook keesc...@chromium.org -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] proc: don't show nonexistent capabilities (v2)
On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin wrote: > Without this patch it is really hard to interpret a bounding set, > if CAP_LAST_CAP is unknown for a current kernel. > > Non-existant capabilities can not be deleted from a bounding set > with help of prctl. > > E.g.: Here are two examples without/with this patch. > CapBnd: ffe0fdec > CapBnd: fdec > > I suggest to hide non-existent capabilities. Here is two reasons. > * It's logically and easier for using. > * It helps to checkpoint-restore capabilities of tasks, because tasks > can be restored on another kernel, where CAP_LAST_CAP is bigger. > > v2: Non-existent capabilities can not be removed from creds, because > in this case user cannot set all=eip. This patch cleans up non-existent > capabilities from content of /proc/pid/status > > Cc: Andrew G. Morgan > Cc: Serge Hallyn > Cc: Pavel Emelyanov > Cc: Andrew Morton > Cc: Kees Cook > Cc: KAMEZAWA Hiroyuki > Signed-off-by: Andrew Vagin Seems sensible to me. Reviewed-by: Kees Cook -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] proc: don't show nonexistent capabilities (v2)
Without this patch it is really hard to interpret a bounding set, if CAP_LAST_CAP is unknown for a current kernel. Non-existant capabilities can not be deleted from a bounding set with help of prctl. E.g.: Here are two examples without/with this patch. CapBnd: ffe0fdec CapBnd: fdec I suggest to hide non-existent capabilities. Here is two reasons. * It's logically and easier for using. * It helps to checkpoint-restore capabilities of tasks, because tasks can be restored on another kernel, where CAP_LAST_CAP is bigger. v2: Non-existent capabilities can not be removed from creds, because in this case user cannot set all=eip. This patch cleans up non-existent capabilities from content of /proc/pid/status Cc: Andrew G. Morgan Cc: Serge Hallyn Cc: Pavel Emelyanov Cc: Andrew Morton Cc: Kees Cook Cc: KAMEZAWA Hiroyuki Signed-off-by: Andrew Vagin --- fs/proc/array.c |9 + 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index c5db89c..c814ba5 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -308,6 +308,10 @@ static void render_cap_t(struct seq_file *m, const char *header, seq_putc(m, '\n'); } +/* Remove non-existent capabilities */ +#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] &= \ + CAP_TO_MASK(CAP_LAST_CAP + 1) - 1) + static inline void task_cap(struct seq_file *m, struct task_struct *p) { const struct cred *cred; @@ -321,6 +325,11 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p) cap_bset= cred->cap_bset; rcu_read_unlock(); + NORM_CAPS(cap_inheritable); + NORM_CAPS(cap_permitted); + NORM_CAPS(cap_effective); + NORM_CAPS(cap_bset); + render_cap_t(m, "CapInh:\t", _inheritable); render_cap_t(m, "CapPrm:\t", _permitted); render_cap_t(m, "CapEff:\t", _effective); -- 1.7.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] proc: don't show nonexistent capabilities (v2)
Without this patch it is really hard to interpret a bounding set, if CAP_LAST_CAP is unknown for a current kernel. Non-existant capabilities can not be deleted from a bounding set with help of prctl. E.g.: Here are two examples without/with this patch. CapBnd: ffe0fdec CapBnd: fdec I suggest to hide non-existent capabilities. Here is two reasons. * It's logically and easier for using. * It helps to checkpoint-restore capabilities of tasks, because tasks can be restored on another kernel, where CAP_LAST_CAP is bigger. v2: Non-existent capabilities can not be removed from creds, because in this case user cannot set all=eip. This patch cleans up non-existent capabilities from content of /proc/pid/status Cc: Andrew G. Morgan mor...@kernel.org Cc: Serge Hallyn serge.hal...@canonical.com Cc: Pavel Emelyanov xe...@parallels.com Cc: Andrew Morton a...@linux-foundation.org Cc: Kees Cook keesc...@chromium.org Cc: KAMEZAWA Hiroyuki kamezawa.hir...@jp.fujitsu.com Signed-off-by: Andrew Vagin ava...@openvz.org --- fs/proc/array.c |9 + 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index c5db89c..c814ba5 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -308,6 +308,10 @@ static void render_cap_t(struct seq_file *m, const char *header, seq_putc(m, '\n'); } +/* Remove non-existent capabilities */ +#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] = \ + CAP_TO_MASK(CAP_LAST_CAP + 1) - 1) + static inline void task_cap(struct seq_file *m, struct task_struct *p) { const struct cred *cred; @@ -321,6 +325,11 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p) cap_bset= cred-cap_bset; rcu_read_unlock(); + NORM_CAPS(cap_inheritable); + NORM_CAPS(cap_permitted); + NORM_CAPS(cap_effective); + NORM_CAPS(cap_bset); + render_cap_t(m, CapInh:\t, cap_inheritable); render_cap_t(m, CapPrm:\t, cap_permitted); render_cap_t(m, CapEff:\t, cap_effective); -- 1.7.1 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] proc: don't show nonexistent capabilities (v2)
On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin ava...@openvz.org wrote: Without this patch it is really hard to interpret a bounding set, if CAP_LAST_CAP is unknown for a current kernel. Non-existant capabilities can not be deleted from a bounding set with help of prctl. E.g.: Here are two examples without/with this patch. CapBnd: ffe0fdec CapBnd: fdec I suggest to hide non-existent capabilities. Here is two reasons. * It's logically and easier for using. * It helps to checkpoint-restore capabilities of tasks, because tasks can be restored on another kernel, where CAP_LAST_CAP is bigger. v2: Non-existent capabilities can not be removed from creds, because in this case user cannot set all=eip. This patch cleans up non-existent capabilities from content of /proc/pid/status Cc: Andrew G. Morgan mor...@kernel.org Cc: Serge Hallyn serge.hal...@canonical.com Cc: Pavel Emelyanov xe...@parallels.com Cc: Andrew Morton a...@linux-foundation.org Cc: Kees Cook keesc...@chromium.org Cc: KAMEZAWA Hiroyuki kamezawa.hir...@jp.fujitsu.com Signed-off-by: Andrew Vagin ava...@openvz.org Seems sensible to me. Reviewed-by: Kees Cook keesc...@chromium.org -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/