Going by the Posix that capabilities are modeled after,
using notation p=process, f=file, "'" (prime) = new, P=Permitted, I=Inherited and
E=Effective
1) pI' = pI & fI ; this allows either the running process OR the file to
; limit what capapabilities can be passed in (Permitted) to
; the new process; this way either a user or a program can
; limit permissions being inherited by the new process
2) pP' = fP | (pP & pI')
; this implies that first any non-inheritible bits are
; stripped out of the old permitted set, then the remaining
; process P-bits are or'ed with explicit Permitted permissions
; that are on the file.
3) pE' = fE & pP'
; this sets the effective set of the process to the desired
; effective set of program bounded by the new Permitted
; cap set.
-----------
The comment in 'compute_creds' (fs/exec.c) leaves out the inclusion
of the previous process's Permitted bits. This Disables the possibility
of running a given UID running with specific Capabilities to perform
specific actions (UID's having 'roles', independant of FS settings) --
for example, if someone wanted to run with a 'root' type user in a
capability environment (say user=admin, has all caps and can only login
on the console) -- (policy for that setup being if an admin has access to console
and physical machine, they can pretty much do as they want).ly
Secondly, the comment doesn't reflect the code -- the effective set
is never computed.
It is said in the POSIX DS, that the effect of executing a file w/no
capabilities is undefined.
I would propose the ability to set this up as a mount option like
'noroot' or 'nosuid'. Administrators could setup a file system mount with
a "default" Permitted, Inheritable and Effective set. Any mount where it
is not specified takes on the set of the "parent' filesystem. Default for
/root for PIE could be none,all,all -- this could be a configurable at
compile time. The default of PIE=NAA would be equivalent to current behavior --
No file grants a capability, but they all can inherit them and ask for all --
so current root with AAA would get pI' = A, pP' = A, pE' = A (current behavior).
In other words mounts would have no effect on systems retaining their current
configuration.
Of course mount options would be in the kernel superblock of a mounted
fs only, not on disk.
-- Linda A Walsh | Trust Technology, Core Linux, SGI law@sgi.com | Voice: (650) 933-5338 _cr- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat May 27 2000 - 21:30:02 EDT