[PATCH] capabilities: enable ambient capabilities explicit

From: Klaus Ethgen
Date: Tue Nov 10 2015 - 07:46:11 EST


Ambient capabilities were introduced by 5831905 recently. These
capabilities address a special use case in which a process wants to limit
capabilities but wants to be sure that they get inherited over several
execve calls.

However, there is a flaw in that design, as it makes it easy to break
another use case of capabilities: explicitly _raising_ capabilities for
clearly defined binaries.

Solution
========

With CAP_ENABLE_AMBIENT, there is a new capability that can be set via
pP or pI (or even via pA) to explicitly allow the use of ambient
capabilities.

This would not affect the main use case as long as CAP_ENABLE_AMBIENT is
not explicitly removed. But it will fix the problematic use case, as it is
now up to the admin whether he wants to allow the use of ambient
capabilities by unprivileged processes.

So everybody should be happy with it.

Signed-off-by: Klaus Ethgen <Klaus@xxxxxxxxx>
---
include/uapi/linux/capability.h | 5 ++++-
security/commoncap.c | 3 ++-
2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 12c37a1..9fee97e 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -351,8 +351,11 @@ struct vfs_cap_data {

#define CAP_AUDIT_READ 37

+/* Capability to allow ambient capabilities explicitely */

-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_ENABLE_AMBIENT 38
+
+#define CAP_LAST_CAP CAP_ENABLE_AMBIENT

#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)

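Review bot: The comment added at the top of this hunk misspells "explicitly" as "explicitely" and is separated from the definition it describes by a blank line; move it directly above `#define CAP_ENABLE_AMBIENT 38` and fix the spelling. Since this is a UAPI header, raising CAP_LAST_CAP to a new value is visible to user space: tooling that enumerates capability names up to CAP_LAST_CAP will not know the new bit until it is updated, which the commit message should mention.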
diff --git a/security/commoncap.c b/security/commoncap.c
index 1832cf7..16b03d3 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -994,7 +994,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
(!cap_raised(current_cred()->cap_permitted, arg3) ||
!cap_raised(current_cred()->cap_inheritable,
arg3) ||
- issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
+ issecure(SECURE_NO_CAP_AMBIENT_RAISE) ||
+ capable(CAP_ENABLE_AMBIENT)))
return -EPERM;

new = prepare_creds();
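Review bot: The new condition in this hunk is inverted. The surrounding test returns -EPERM when any disjunct is true, so `capable(CAP_ENABLE_AMBIENT)` makes the ambient raise path fail precisely for processes that hold the new capability and succeed for those that do not; it should read `!capable(CAP_ENABLE_AMBIENT)`. Separately, capable() tests the effective set and records an audit event on a failed check, while the commit message says the bit may be granted via pP or pI; a cap_raised() test against current_cred()->cap_permitted, matching the two checks just above it in this condition, would implement the stated semantics without emitting an audit record for every denied raise.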
--
2.6.2

