Suggestion for Capability Check Adjustment in caif_create()

From: 孟敬姿
Date: Tue Jan 02 2024 - 21:58:13 EST

Next message: Barry Song: "[PATCH RFC 1/2] crypto: introduce acomp_is_async to expose if a acomp has a scomp backend"
Previous message: kernel test robot: "Re: [PATCH 2/7] workqueue: Share the same PWQ for the CPUs of a pod"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

During our code review, we noticed that both CAP_NET_ADMIN and CAP_SYS_ADMIN are currently being checked in the caif_create() function. We propose revisiting the capability checks and considering an adjustment to utilize CAP_NET_ADMIN exclusively. Here's our reasoning for this proposal:

(1) Functionality of caif_create(): The purpose of caif_create() is to initialize a caif socket, involving tasks such as allocating a socket, assigning values to specific fields, etc. Given its role in networking operations, using CAP_NET_ADMIN is more precise and aligned with the principle of least privilege.

(2) Scope of CAP_SYS_ADMIN: Introducing a CAP_SYS_ADMIN check could potentially expand the scope of the capability. As it is already considered as the new "root"(https://lwn.net/Articles/486306/), and the manual page(https://www.man7.org/linux/man-pages/man7/capabilities.7.html) states “Don't choose CAP_SYS_ADMIN if you can possibly avoid it!”. It's beneficial to use the most specific capability required for a given task.

This issue exists in several kernel versions and we have checked it on the latest stable release(Linux 6.6.9).

Your thoughts and feedback on this proposed modification would be highly appreciated. Thank you for your time and consideration

Best regards,
Jingzi

Next message: Barry Song: "[PATCH RFC 1/2] crypto: introduce acomp_is_async to expose if a acomp has a scomp backend"
Previous message: kernel test robot: "Re: [PATCH 2/7] workqueue: Share the same PWQ for the CPUs of a pod"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]