Re: [PATCH] proc: don't show nonexistent capabilities (v2)
Quoting Kees Cook (keesc...@chromium.org): > On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin wrote: > > Without this patch it is really hard to interpret a bounding set, > > if CAP_LAST_CAP is unknown for a current kernel. > > > > Non-existant capabilities can not be deleted from a bounding set > > with help of prctl. > > > > E.g.: Here are two examples without/with this patch. > > CapBnd: ffe0fdec > > CapBnd: fdec > > > > I suggest to hide non-existent capabilities. Here is two reasons. > > * It's logically and easier for using. > > * It helps to checkpoint-restore capabilities of tasks, because tasks > > can be restored on another kernel, where CAP_LAST_CAP is bigger. > > > > v2: Non-existent capabilities can not be removed from creds, because > > in this case user cannot set all=eip. This patch cleans up non-existent > > capabilities from content of /proc/pid/status > > > > Cc: Andrew G. Morgan > > Cc: Serge Hallyn Basic capsh tests seem to have no problem with it. Thanks, Andrew. Reviewed-by: Serge E. Hallyn > > Cc: Pavel Emelyanov > > Cc: Andrew Morton > > Cc: Kees Cook > > Cc: KAMEZAWA Hiroyuki > > Signed-off-by: Andrew Vagin > > Seems sensible to me. > > Reviewed-by: Kees Cook > > -Kees > > -- > Kees Cook > Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] proc: don't show nonexistent capabilities (v2)
Quoting Kees Cook (keesc...@chromium.org): On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin ava...@openvz.org wrote: Without this patch it is really hard to interpret a bounding set, if CAP_LAST_CAP is unknown for a current kernel. Non-existant capabilities can not be deleted from a bounding set with help of prctl. E.g.: Here are two examples without/with this patch. CapBnd: ffe0fdec CapBnd: fdec I suggest to hide non-existent capabilities. Here is two reasons. * It's logically and easier for using. * It helps to checkpoint-restore capabilities of tasks, because tasks can be restored on another kernel, where CAP_LAST_CAP is bigger. v2: Non-existent capabilities can not be removed from creds, because in this case user cannot set all=eip. This patch cleans up non-existent capabilities from content of /proc/pid/status Cc: Andrew G. Morgan mor...@kernel.org Cc: Serge Hallyn serge.hal...@canonical.com Basic capsh tests seem to have no problem with it. Thanks, Andrew. Reviewed-by: Serge E. Hallyn serge.hal...@canonical.com Cc: Pavel Emelyanov xe...@parallels.com Cc: Andrew Morton a...@linux-foundation.org Cc: Kees Cook keesc...@chromium.org Cc: KAMEZAWA Hiroyuki kamezawa.hir...@jp.fujitsu.com Signed-off-by: Andrew Vagin ava...@openvz.org Seems sensible to me. Reviewed-by: Kees Cook keesc...@chromium.org -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] proc: don't show nonexistent capabilities (v2)
On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin wrote: > Without this patch it is really hard to interpret a bounding set, > if CAP_LAST_CAP is unknown for a current kernel. > > Non-existant capabilities can not be deleted from a bounding set > with help of prctl. > > E.g.: Here are two examples without/with this patch. > CapBnd: ffe0fdec > CapBnd: fdec > > I suggest to hide non-existent capabilities. Here is two reasons. > * It's logically and easier for using. > * It helps to checkpoint-restore capabilities of tasks, because tasks > can be restored on another kernel, where CAP_LAST_CAP is bigger. > > v2: Non-existent capabilities can not be removed from creds, because > in this case user cannot set all=eip. This patch cleans up non-existent > capabilities from content of /proc/pid/status > > Cc: Andrew G. Morgan > Cc: Serge Hallyn > Cc: Pavel Emelyanov > Cc: Andrew Morton > Cc: Kees Cook > Cc: KAMEZAWA Hiroyuki > Signed-off-by: Andrew Vagin Seems sensible to me. Reviewed-by: Kees Cook -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] proc: don't show nonexistent capabilities (v2)
Without this patch it is really hard to interpret a bounding set,
if CAP_LAST_CAP is unknown for a current kernel.
Non-existant capabilities can not be deleted from a bounding set
with help of prctl.
E.g.: Here are two examples without/with this patch.
CapBnd: ffe0fdec
CapBnd: fdec
I suggest to hide non-existent capabilities. Here is two reasons.
* It's logically and easier for using.
* It helps to checkpoint-restore capabilities of tasks, because tasks
can be restored on another kernel, where CAP_LAST_CAP is bigger.
v2: Non-existent capabilities can not be removed from creds, because
in this case user cannot set all=eip. This patch cleans up non-existent
capabilities from content of /proc/pid/status
Cc: Andrew G. Morgan
Cc: Serge Hallyn
Cc: Pavel Emelyanov
Cc: Andrew Morton
Cc: Kees Cook
Cc: KAMEZAWA Hiroyuki
Signed-off-by: Andrew Vagin
---
fs/proc/array.c |9 +
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/fs/proc/array.c b/fs/proc/array.c
index c5db89c..c814ba5 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -308,6 +308,10 @@ static void render_cap_t(struct seq_file *m, const char
*header,
seq_putc(m, '\n');
}
+/* Remove non-existent capabilities */
+#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] &= \
+ CAP_TO_MASK(CAP_LAST_CAP + 1) - 1)
+
static inline void task_cap(struct seq_file *m, struct task_struct *p)
{
const struct cred *cred;
@@ -321,6 +325,11 @@ static inline void task_cap(struct seq_file *m, struct
task_struct *p)
cap_bset= cred->cap_bset;
rcu_read_unlock();
+ NORM_CAPS(cap_inheritable);
+ NORM_CAPS(cap_permitted);
+ NORM_CAPS(cap_effective);
+ NORM_CAPS(cap_bset);
+
render_cap_t(m, "CapInh:\t", _inheritable);
render_cap_t(m, "CapPrm:\t", _permitted);
render_cap_t(m, "CapEff:\t", _effective);
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] proc: don't show nonexistent capabilities (v2)
Without this patch it is really hard to interpret a bounding set,
if CAP_LAST_CAP is unknown for a current kernel.
Non-existant capabilities can not be deleted from a bounding set
with help of prctl.
E.g.: Here are two examples without/with this patch.
CapBnd: ffe0fdec
CapBnd: fdec
I suggest to hide non-existent capabilities. Here is two reasons.
* It's logically and easier for using.
* It helps to checkpoint-restore capabilities of tasks, because tasks
can be restored on another kernel, where CAP_LAST_CAP is bigger.
v2: Non-existent capabilities can not be removed from creds, because
in this case user cannot set all=eip. This patch cleans up non-existent
capabilities from content of /proc/pid/status
Cc: Andrew G. Morgan mor...@kernel.org
Cc: Serge Hallyn serge.hal...@canonical.com
Cc: Pavel Emelyanov xe...@parallels.com
Cc: Andrew Morton a...@linux-foundation.org
Cc: Kees Cook keesc...@chromium.org
Cc: KAMEZAWA Hiroyuki kamezawa.hir...@jp.fujitsu.com
Signed-off-by: Andrew Vagin ava...@openvz.org
---
fs/proc/array.c |9 +
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/fs/proc/array.c b/fs/proc/array.c
index c5db89c..c814ba5 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -308,6 +308,10 @@ static void render_cap_t(struct seq_file *m, const char
*header,
seq_putc(m, '\n');
}
+/* Remove non-existent capabilities */
+#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] = \
+ CAP_TO_MASK(CAP_LAST_CAP + 1) - 1)
+
static inline void task_cap(struct seq_file *m, struct task_struct *p)
{
const struct cred *cred;
@@ -321,6 +325,11 @@ static inline void task_cap(struct seq_file *m, struct
task_struct *p)
cap_bset= cred-cap_bset;
rcu_read_unlock();
+ NORM_CAPS(cap_inheritable);
+ NORM_CAPS(cap_permitted);
+ NORM_CAPS(cap_effective);
+ NORM_CAPS(cap_bset);
+
render_cap_t(m, CapInh:\t, cap_inheritable);
render_cap_t(m, CapPrm:\t, cap_permitted);
render_cap_t(m, CapEff:\t, cap_effective);
--
1.7.1
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] proc: don't show nonexistent capabilities (v2)
On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin ava...@openvz.org wrote: Without this patch it is really hard to interpret a bounding set, if CAP_LAST_CAP is unknown for a current kernel. Non-existant capabilities can not be deleted from a bounding set with help of prctl. E.g.: Here are two examples without/with this patch. CapBnd: ffe0fdec CapBnd: fdec I suggest to hide non-existent capabilities. Here is two reasons. * It's logically and easier for using. * It helps to checkpoint-restore capabilities of tasks, because tasks can be restored on another kernel, where CAP_LAST_CAP is bigger. v2: Non-existent capabilities can not be removed from creds, because in this case user cannot set all=eip. This patch cleans up non-existent capabilities from content of /proc/pid/status Cc: Andrew G. Morgan mor...@kernel.org Cc: Serge Hallyn serge.hal...@canonical.com Cc: Pavel Emelyanov xe...@parallels.com Cc: Andrew Morton a...@linux-foundation.org Cc: Kees Cook keesc...@chromium.org Cc: KAMEZAWA Hiroyuki kamezawa.hir...@jp.fujitsu.com Signed-off-by: Andrew Vagin ava...@openvz.org Seems sensible to me. Reviewed-by: Kees Cook keesc...@chromium.org -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
