Re: [PATCH 3/3] capabilities: add cap userns sysctl mask

[PATCH 0/3] Introduce user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-16
[PATCH 1/3] capabilities: user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-16
Re: [PATCH 1/3] capabilities: user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-16
Re: [PATCH 1/3] capabilities: user namespace capabilities · John Johansen <john.johansen@canonical.com> · 2024-05-16
Re: [PATCH 1/3] capabilities: user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-17
Re: [PATCH 1/3] capabilities: user namespace capabilities · John Johansen <john.johansen@canonical.com> · 2024-05-17
Re: [PATCH 1/3] capabilities: user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-18
Re: [PATCH 1/3] capabilities: user namespace capabilities · John Johansen <john.johansen@canonical.com> · 2024-05-18
Re: [PATCH 1/3] capabilities: user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-19
Re: [PATCH 1/3] capabilities: user namespace capabilities · "Serge E. Hallyn" <serge@hallyn.com> · 2024-05-20
Re: [PATCH 1/3] capabilities: user namespace capabilities · "Serge E. Hallyn" <serge@hallyn.com> · 2024-05-20
[PATCH 2/3] capabilities: add securebit for strict userns caps · Jonathan Calmels <hidden> · 2024-05-16
Re: [PATCH 2/3] capabilities: add securebit for strict userns caps · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-16
Re: [PATCH 2/3] capabilities: add securebit for strict userns caps · "Serge E. Hallyn" <serge@hallyn.com> · 2024-05-20
[PATCH 3/3] capabilities: add cap userns sysctl mask · Jonathan Calmels <hidden> · 2024-05-16
Re: [PATCH 3/3] capabilities: add cap userns sysctl mask · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-16
Re: [PATCH 3/3] capabilities: add cap userns sysctl mask · "Serge E. Hallyn" <serge@hallyn.com> · 2024-05-20
Re: [PATCH 3/3] capabilities: add cap userns sysctl mask · Tycho Andersen <tycho@tycho.pizza> · 2024-05-20
Re: [PATCH 3/3] capabilities: add cap userns sysctl mask · Jonathan Calmels <hidden> · 2024-05-20
Re: [PATCH 3/3] capabilities: add cap userns sysctl mask · Tycho Andersen <tycho@tycho.pizza> · 2024-05-20
Re: [PATCH 3/3] capabilities: add cap userns sysctl mask · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-20
Re: [PATCH 3/3] capabilities: add cap userns sysctl mask · Tycho Andersen <tycho@tycho.pizza> · 2024-05-21
Re: [PATCH 3/3] capabilities: add cap userns sysctl mask · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-21
Re: [PATCH 0/3] Introduce user namespace capabilities · Ben Boeckel <hidden> · 2024-05-16
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-16
Re: [PATCH 0/3] Introduce user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-17
Re: [PATCH 0/3] Introduce user namespace capabilities · Paul Moore <paul@paul-moore.com> · 2024-05-16
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-16
Re: [PATCH 0/3] Introduce user namespace capabilities · Casey Schaufler <casey@schaufler-ca.com> · 2024-05-16
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-16
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-16
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-16
Re: [PATCH 0/3] Introduce user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-17
Re: [PATCH 0/3] Introduce user namespace capabilities · Casey Schaufler <casey@schaufler-ca.com> · 2024-05-17
Re: [PATCH 0/3] Introduce user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-17
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-18
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-18
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-18
Re: [PATCH 0/3] Introduce user namespace capabilities · John Johansen <john.johansen@canonical.com> · 2024-05-21
Re: [PATCH 0/3] Introduce user namespace capabilities · "Jarkko Sakkinen" <jarkko@kernel.org> · 2024-05-21
Re: [PATCH 0/3] Introduce user namespace capabilities · John Johansen <john.johansen@canonical.com> · 2024-05-21
Re: [PATCH 0/3] Introduce user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-22
Re: [PATCH 0/3] Introduce user namespace capabilities · John Johansen <john.johansen@canonical.com> · 2024-05-31
Re: [PATCH 0/3] Introduce user namespace capabilities · Serge Hallyn <serge@hallyn.com> · 2024-05-18
Re: [PATCH 0/3] Introduce user namespace capabilities · Casey Schaufler <casey@schaufler-ca.com> · 2024-05-19
Re: [PATCH 0/3] Introduce user namespace capabilities · Jonathan Calmels <hidden> · 2024-05-20
Re: [PATCH 0/3] Introduce user namespace capabilities · John Johansen <john.johansen@canonical.com> · 2024-05-21

From: Tycho Andersen <tycho@tycho.pizza>
Date: 2024-05-21 14:29:42
Also in: keyrings, linux-fsdevel, lkml

On Tue, May 21, 2024 at 01:12:57AM +0300, Jarkko Sakkinen wrote:

On Tue May 21, 2024 at 12:13 AM EEST, Tycho Andersen wrote:

quoted

On Mon, May 20, 2024 at 12:25:27PM -0700, Jonathan Calmels wrote:

quoted

On Mon, May 20, 2024 at 07:30:14AM GMT, Tycho Andersen wrote:

quoted

there is an ongoing effort (started at [0]) to constify the first arg
here, since you're not supposed to write to it. Your usage looks
correct to me, so I think all it needs is a literal "const" here.

Will do, along with the suggestions from Jarkko

quoted

+	struct ctl_table t;
+	unsigned long mask_array[2];
+	kernel_cap_t new_mask, *mask;
+	int err;
+
+	if (write && (!capable(CAP_SETPCAP) ||
+		      !capable(CAP_SYS_ADMIN)))
+		return -EPERM;

...why CAP_SYS_ADMIN? You mention it in the changelog, but don't
explain why.

No reason really, I was hoping we could decide what we want here.
UMH uses CAP_SYS_MODULE, Serge mentioned adding a new cap maybe.

I don't have a strong preference between SETPCAP and a new capability,
but I do think it should be just one. SYS_ADMIN is already god mode
enough, IMO.

Sometimes I think would it make more sense to invent something
completely new like capabilities but more modern and robust, instead of
increasing complexity of a broken mechanism (especially thanks to
CAP_MAC_ADMIN).

I kind of liked the idea of privilege tokens both in Symbian and Maemo
(have been involved professionally in both). Emphasis on the idea not
necessarily on implementation.

Not an LSM but like something that you could use in the place of POSIX
caps. Probably quite tedious effort tho because you would need to pull
the whole industry with the new thing...

And then we have LSM hooks, (ns_)capable(), __secure_computing() plus
a new set of hooks for this new thing sprinkled around. I guess
kernel developers wouldn't be excited about it, let alone the rest of
the industry :)

Thinking out loud: I wonder if fixing the seccomp TOCTOU against
pointers would help here. I guess you'd still have issues where your
policy engine resolves a path arg to open() and that inode changes
between the decision and the actual vfs access, you have just changed
the TOCTOU.

Or even scarier: what if you could change the return value at any
kprobe? :)

Tycho

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help