Home » Mailing list archives » linux-kernel » 2008 » August » 28

[PATCH 2/2] file capabilities: turn on by default

Previous thread: none

Next thread: [PATCH] x86: split e820 reserved entries record to late v2 by Yinghai Lu on Thursday, August 28, 2008 - 1:34 pm. (6 messages)
[view original message]
From: Serge Hallyn
Subject: [PATCH 1/2] file capabilities: add no_file_caps switch (v2)
Date: Thursday, August 28, 2008 - 12:54 pm

Add a no_file_caps boot option when file capabilities are
compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES=y).

This allows distributions to ship a kernel with file capabilities
compiled in, without forcing users to use (and understand and
trust) them.

When no_file_caps is specified at boot, then when a process executes
a file, any file capabilities stored with that file will not be
used in the calculation of the process' new capability sets.

This means that booting with the no_file_caps boot option will
not be the same as booting a kernel with file capabilities
compiled out - in particular a task with  CAP_SETPCAP will not
have any chance of passing capabilities to another task (which
isn't "really" possible anyway, and which may soon by killed
altogether by David Howells in any case), and it will instead
be able to put new capabilities in its pI.  However since fI
will always be empty and pI is masked with fI, it gains the
task nothing.

We also support the extra prctl options, setting securebits and
dropping capabilities from the per-process bounding set.

The other remaining difference is that killpriv, task_setscheduler,
setioprio, and setnice will continue to be hooked.  That will
be noticable in the case where a root task changed its uid
while keeping some caps, and another task owned by the new uid
tries to change settings for the more privileged task.

Signed-off-by: Serge Hallyn <serue@us.ibm.com>
---
 include/linux/capability.h |    4 ++++
 kernel/capability.c        |   11 +++++++++++
 security/commoncap.c       |    9 +++++++++
 3 files changed, 24 insertions(+), 0 deletions(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 9d1fe30..c96c455 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -359,6 +359,10 @@ typedef struct kernel_cap_struct {
 
 #ifdef __KERNEL__
 
+#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
+extern int file_caps_enabled;
+#endif
+
 /*
  * Internal kernel functions ...
[ message continues ]
[view original message]
From: Serge Hallyn
Subject: [PATCH 2/2] file capabilities: turn on by default
Date: Thursday, August 28, 2008 - 12:54 pm

Now that file capabilities can be turned off at boot, go ahead
and compile them into the kernel by default by making
CONFIG_SECURITY_FILE_CAPABILITIES=y the default.

Note that the boot flag no_file_caps must be specified to turn
file capabilities off, as by default they are on.  So the
default behavior is in fact changed.

Signed-off-by: Serge Hallyn <serue@us.ibm.com>
---
 security/Kconfig |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/Kconfig b/security/Kconfig
index 5592939..6fbb233 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -75,12 +75,15 @@ config SECURITY_NETWORK_XFRM
 
 config SECURITY_FILE_CAPABILITIES
 	bool "File POSIX Capabilities"
-	default n
+	default y
 	help
 	  This enables filesystem capabilities, allowing you to give
 	  binaries a subset of root's powers without using setuid 0.
 
-	  If in doubt, answer N.
+	  You can still boot with the no_file_caps option to disable
+	  file capabilities.
+
+	  If in doubt, answer Y.
 
 config SECURITY_ROOTPLUG
 	bool "Root Plug Support"
-- 
1.5.4.3

--


[ message continues ]
[view original message]
From: Andrew G. Morgan
Subject: Re: [PATCH 2/2] file capabilities: turn on by default
Date: Thursday, August 28, 2008 - 5:37 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Acked-by: Andrew G. Morgan <morgan@kernel.org>

Cheers

Andrew

Serge Hallyn wrote:
| Now that file capabilities can be turned off at boot, go ahead
| and compile them into the kernel by default by making
| CONFIG_SECURITY_FILE_CAPABILITIES=y the default.
|
| Note that the boot flag no_file_caps must be specified to turn
| file capabilities off, as by default they are on.  So the
| default behavior is in fact changed.
|
| Signed-off-by: Serge Hallyn <serue@us.ibm.com>
| ---
|  security/Kconfig |    7 +++++--
|  1 files changed, 5 insertions(+), 2 deletions(-)
|
| diff --git a/security/Kconfig b/security/Kconfig
| index 5592939..6fbb233 100644
| --- a/security/Kconfig
| +++ b/security/Kconfig
| @@ -75,12 +75,15 @@ config SECURITY_NETWORK_XFRM
|
|  config SECURITY_FILE_CAPABILITIES
|  	bool "File POSIX Capabilities"
| -	default n
| +	default y
|  	help
|  	  This enables filesystem capabilities, allowing you to give
|  	  binaries a subset of root's powers without using setuid 0.
|
| -	  If in doubt, answer N.
| +	  You can still boot with the no_file_caps option to disable
| +	  file capabilities.
| +
| +	  If in doubt, answer Y.
|
|  config SECURITY_ROOTPLUG
|  	bool "Root Plug Support"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIt0Sp+bHCR3gb8jsRAmQuAKDXiLp/7hZ++JDxv1rL1kIVqS/YtgCeJIMk
zmPFh8NjFrUnElWyeF5R/Jo=
=AK55
-----END PGP SIGNATURE-----
--


[ message continues ]
[view original message]
From: Andrew G. Morgan
Subject: Re: [PATCH 1/2] file capabilities: add no_file_caps switch (v2)
Date: Thursday, August 28, 2008 - 5:35 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Acked-by: Andrew G. Morgan <morgan@kernel.org>

Cheers

Andrew

Serge Hallyn wrote:
| Add a no_file_caps boot option when file capabilities are
| compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES=y).
|
| This allows distributions to ship a kernel with file capabilities
| compiled in, without forcing users to use (and understand and
| trust) them.
|
| When no_file_caps is specified at boot, then when a process executes
| a file, any file capabilities stored with that file will not be
| used in the calculation of the process' new capability sets.
|
| This means that booting with the no_file_caps boot option will
| not be the same as booting a kernel with file capabilities
| compiled out - in particular a task with  CAP_SETPCAP will not
| have any chance of passing capabilities to another task (which
| isn't "really" possible anyway, and which may soon by killed
| altogether by David Howells in any case), and it will instead
| be able to put new capabilities in its pI.  However since fI
| will always be empty and pI is masked with fI, it gains the
| task nothing.
|
| We also support the extra prctl options, setting securebits and
| dropping capabilities from the per-process bounding set.
|
| The other remaining difference is that killpriv, task_setscheduler,
| setioprio, and setnice will continue to be hooked.  That will
| be noticable in the case where a root task changed its uid
| while keeping some caps, and another task owned by the new uid
| tries to change settings for the more privileged task.
|
| Signed-off-by: Serge Hallyn <serue@us.ibm.com>
| ---
|  include/linux/capability.h |    4 ++++
|  kernel/capability.c        |   11 +++++++++++
|  security/commoncap.c       |    9 +++++++++
|  3 files changed, 24 insertions(+), 0 deletions(-)
|
| diff --git a/include/linux/capability.h b/include/linux/capability.h
| index 9d1fe30..c96c455 100644
| --- a/include/linux/capability.h
| +++ ...
[ message continues ]
Previous thread: none

Next thread: [PATCH] x86: split e820 reserved entries record to late v2 by Yinghai Lu on Thursday, August 28, 2008 - 1:34 pm. (6 messages)