Lower Process Capabilities
jmorris at namei.org
Mon Jul 27 09:25:46 UTC 2009
On Sun, 26 Jul 2009, Steve Grubb wrote:
> The basic idea goes something like this: We would like to do something to
> prevent priv escalation for processes running as root. For this example, let's
> take cupsd to be a good case in point. If the attacker can find a vuln with
> cupsd, then they can have root privs and all that goes with it. (SE Linux may
> prevent total compromise, but some people turn it off.)
We should put effort into improving SELinux rather than papering things
over with new or previously discarded security schemes.
Capabilities are inherently problematic in that you can't meaningfully
reason about overall system behavior with them.
e.g. what does CAP_SYS_ADMIN actually mean?
Here's where the symbol is found in the kernel source:
I challenge anyone to explain the boundary of privilege for any process
which has this capability, and how the propagation of that privilege is
bounded within the system as a whole.
We can do that with SELinux (in fact it's been somewhat designed for this
purpose), and that's how we should approach the problem.
<jmorris at namei.org>
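As an added example that is not part of the thread, a small C tool that reads a process's capability sets from /proc/<pid>/status, names the bits that are set, and reports whether CAP_SYS_ADMIN is held. It assumes a Linux /proc and uses the capability numbering from linux/capability.h (CAP_SYS_ADMIN is bit 21); it is a way to see concretely which privilege a root daemon such as cupsd is actually holding.

```c
/* Added example (not from the thread): decode a capability mask as printed in
 * /proc/<pid>/status (CapEff/CapPrm/CapBnd lines) and flag CAP_SYS_ADMIN.
 * Build: cc -Wall -o capcheck capcheck.c ; run: ./capcheck [pid] (default: self) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#define CAP_SYS_ADMIN_BIT 21  /* value of CAP_SYS_ADMIN in linux/capability.h */
/* Capability names indexed by bit number, in linux/capability.h order. */
static const char *cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid",
    "setuid", "setpcap", "linux_immutable", "net_bind_service", "net_broadcast",
    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", "sys_rawio",
    "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease", "audit_write",
    "audit_control", "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore" };
#define NCAPS (sizeof cap_names / sizeof cap_names[0])

/* Parse the hex mask that follows "CapEff:" etc., e.g. "0000003fffffffff". */
uint64_t parse_cap_mask(const char *hex) { return strtoull(hex, NULL, 16); }
int cap_mask_has(uint64_t mask, unsigned bit) { return bit < 64 && ((mask >> bit) & 1); }

/* Write comma-separated names of every set bit into buf; return the count. */
int cap_mask_names(uint64_t mask, char *buf, size_t len) {
    int n = 0; size_t used = 0; buf[0] = '\0';
    for (unsigned b = 0; b < 64 && used < len; b++)
        if (cap_mask_has(mask, b))
            used += (size_t)snprintf(buf + used, len - used, "%s%s", n++ ? "," : "",
                                     b < NCAPS ? cap_names[b] : "unknown");
    return n;
}

/* Read one Cap* field of /proc/<pid>/status; 0 on success, -1 if unreadable. */
int read_cap_field(const char *pid, const char *field, uint64_t *out) {
    char path[64], line[256]; size_t flen = strlen(field);
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (!strncmp(line, field, flen) && line[flen] == ':') {
            *out = parse_cap_mask(line + flen + 1); fclose(f); return 0;
        }
    fclose(f);
    return -1;
}

int main(int argc, char **argv) {
    const char *pid = argc > 1 ? argv[1] : "self"; uint64_t eff; char names[1024];
    if (read_cap_field(pid, "CapEff", &eff)) { perror("/proc status"); return 1; }
    cap_mask_names(eff, names, sizeof names);
    printf("pid %s CapEff=%016llx [%s]\nCAP_SYS_ADMIN %s\n", pid, (unsigned long long)eff,
           names, cap_mask_has(eff, CAP_SYS_ADMIN_BIT) ? "held" : "absent");
    return 0;
}
```

Run it against a daemon's pid and compare CapEff with CapBnd: a root process with a full bounding set still holds CAP_SYS_ADMIN, which is the privilege whose boundary the message above says nobody can state.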