Re: [PATCH 2/4] security: filesystem capabilities bugfix2
From: David Howells
Date: Mon Jun 30 2008 - 15:12:39 EST
Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> > With Andrew's patch, capabilities are downgraded regardless of whether we
> > have CAP_SETPCAP or not. I guess that means that if you're tracing a
> > binary whose filecaps say that it wants CAP_SETPCAP, then it retains
> > CAP_SETPCAP.
>
> I don't understand where that last sentence comes from. Why would it
> retain CAP_SETPCAP?
It seems I missed a bit out. It should've read:
I guess that means that if you're tracing a binary that has
CAP_SETPCAP already, and whose filecaps say that it wants CAP_SETPCAP,
then it retains CAP_SETPCAP.
If the debugger has CAP_SYS_PTRACE, then it can attach to a binary that has
CAP_SETPCAP according to cap_ptrace(), even if the debugger doesn't.
> > I wonder if the tracing task should be examined here, and any capability the
> > tracer isn't permitted should be denied the process doing the exec.
>
> That sounds reasonable on its own, but it opens up a dangerous ability
> for the partially-privileged tracer to manipulate the capability set for
> the traced task.
Does it, though? It would only reduce the capabilities of the inferior
process; it wouldn't allow the inferior process or the debugger to get
additional capabilities, apart from what's available under CAP_SETPCAP.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/