Re: [PATCH 2/2] file capabilities: remove CONFIG_SECURITY_FILE_CAPABILITIES

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Serge E. Hallyn

Subject: Re: [PATCH 2/2] file capabilities: remove CONFIG_SECURITY_FILE_CAPABILITIES

Date: Wednesday, September 24, 2008 - 6:02 pm

Quoting Chris Wright (chrisw@sous-sol.org):
quoted text> * Serge E. Hallyn (serue@us.ibm.com) wrote:
> > Remove the option to compile the kernel without file capabilities.  Not
> > compiling file capabilities actually makes the kernel less safe, as it
> > includes the possibility for a task changing another task's capabilities.
> > 
> > Some are concerned that userspace tools (and user education) are not
> > up to the task of properly configuring file capabilities on a system.
> > For those cases, there is now the ability to boot with the no_file_caps
> > boot option.  This will prevent file capabilities from being used in
> > the capabilities recalculation at exec, but will not change the rest
> > of the kernel behavior which used to be switchable using the
> > CONFIG_SECURITY_FILE_CAPABILITIES option.
> 
> (note: defconfig has CONFIG_SECURITY_FILE_CAPABILITIES=y)
>    text    data     bss     dec     hex filename
> 6805157 1018344  671900 8495401  81a129 obj64-defconfig/vmlinux
> 6805151 1018368  671900 8495419  81a13b obj64-defconfig-patch1/vmlinux
> 6805151 1018368  671900 8495419  81a13b obj64-defconfig-patch2/vmlinux
> 6804605 1018344  671900 8494849  819f01 obj64-nofcap/vmlinux
> 6804604 1018344  671900 8494848  819f00 obj64-nofcap-patch1/vmlinux
> 6805150 1018368  671900 8495418  81a13a obj64-nofcap-patch2/vmlinux

(what are you using to get these numbers?)

quoted text> The last 2 show the real diff now, add 570 bytes by effectively forcing
> CONFIG_SECURITY_FILE_CAPABILITIES on.

That surprises me - I thought a reasonable amount of code was cut as
well.  Sounds like it may be worth it to refactor some of the code.

quoted text> What is being done to enable userspace in distros to make those 570
> bytes generally useful?

Fedora 9 and ubuntu intrepid already have full capabilities support and
modern libcap.  Sles is set to ship with a modern libcap, and according
to what Andreas is saying, if we can provide them with the no_file_caps
boot option then suse is willing to have a kernel with capabilities
turned on.  I think gentoo still comes with libcap-1.  Need to look into
changing that.

I suppose the next baby-step will be to do get rid of setuid on little
things like ping.  Actually using inheritable caps for pseudo-admin
'roles' may be a bit farther off, and a particularly interesting problem
will be to take huge pieces of cross-os software like ssh which make
assumptions about setuid behavior, and find ways to make them work
correctly with capabilities, with capabilities in
SECURE_NOROOT|SECURE_NOSETUIDFIXUP, and with non-linux oses.

-serge
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH 1/2] file capabilities: add no_file_caps switch (v3), Serge E. Hallyn, (Tue Sep 23, 7:04 pm)

[PATCH 2/2] file capabilities: remove CONFIG_SECURITY_FILE ..., Serge E. Hallyn, (Tue Sep 23, 7:05 pm)

Re: [PATCH 2/2] file capabilities: remove CONFIG_SECURITY_ ..., Andrew G. Morgan, (Tue Sep 23, 9:59 pm)

Re: [PATCH 2/2] file capabilities: remove CONFIG_SECURITY_ ..., Chris Wright, (Wed Sep 24, 4:49 pm)

Re: [PATCH 2/2] file capabilities: remove CONFIG_SECURITY_ ..., Serge E. Hallyn, (Wed Sep 24, 6:02 pm)

Re: [PATCH 2/2] file capabilities: remove CONFIG_SECURITY_ ..., Chris Wright, (Wed Sep 24, 6:19 pm)

Re: [PATCH 2/2] file capabilities: remove CONFIG_SECURITY_ ..., Andreas Gruenbacher, (Wed Sep 24, 6:36 pm)

Navigation

Popular discussions


linux-kernel:
David Howells	[PATCH] KEYS: Use the variable 'key' in keyctl_describe_key()
Greg Kroah-Hartman	[PATCH 17/36] sysdev: detect multiple driver registrations
Greg Kroah-Hartman	[PATCH 09/36] driver core: register_memory/unregister_memory clean ups and bugfix
Pierre Ossman	Re: sdio: enhance IO_RW_EXTENDED support
Greg Kroah-Hartman	[PATCH 05/36] UIO: Remove needless PCI_DEVICE_ID definition from uio_cif.c
git:
Mark Junker	git on MacOSX and files with decomposed utf-8 file names
Johannes Schindelin	Re: error: cannot lock ref 'refs/remotes/origin/*'
Pat Thoyts	[PATCH] git-gui: use themed tk widgets with Tk 8.5
Johannes Schindelin	Re: [PATCH 2/2] git-svn: support fetch with autocrlf on
Jonathan Nieder	Re: [PATCH v2] git-send-email.perl: fix In-Reply-To for second and subsequent patc...
linux-netdev:
David Miller	Re: [PATCH 32/53] netns xfrm: finding policy in netns
Jean-Louis Dupond	Re: tg3 driver not advertising 1000mbit
Jan Engelhardt	[PATCH 1/3] net: tcp: make hybla selectable as default congestion module
Daniel Schaffrath	Re: tcp bw in 2.6
Matt Mackall	Re: [regression] nf_iterate(), BUG: unable to handle kernel NULL pointer dereference
git-commits-head:
Linux Kernel Mailing List	ipv6: fix an oops when force unload ipv6 module
Linux Kernel Mailing List	tracing: protect reader of cmdline output
Linux Kernel Mailing List	KVM: VMX: Clear CR4.VMXE in hardware_disable
Linux Kernel Mailing List	imxfb: Fix margin settings
Linux Kernel Mailing List	USB: set correct configuration in probe of ti_usb_3410_5052
openbsd-misc:
Stas Miasnikou	Re: Another question: device naming convention
Darrin Chandler	Re: That whole "Linux stealing our code" thing
Community First Financial	Teacher A+ Loan
Jan Stary	Re: audio recording levels
Andrej Elizarov	Re: Web Browsers

Colocation donated by:

Syndicate