FilesystemCapabilties

Differences between revisions 2 and 9 (spanning 7 versions)
Revision 2 as of 2010-03-08 19:11:06
Size: 474
Editor: c-76-105-168-175
Comment:
Revision 9 as of 2014-12-19 01:09:24
Size: 1689
Editor: kees
Comment: squashfs now supports xattrs
Line 3: Line 3:
 * "cp -a" works
 * "rsync -AXa" works
== Open Questions ==
 * Filesystems without xattr support (NFS, etc). Possible solutions:
   * VFS 'xattr_backing_file' mount option
   * union mount with xattr-capable ext3 over xattr-challenged NFS
   * stackable FS
   * Wait for fs's to support xattrs :)
 * Determine possible caps needed for programs. Perhaps:
   * walk compiled assembly, listing caps
     * definately needed (i.e. cap_sys_admin for mount)
     * possibly needed (i.e. cap_dac_override)
   * audit?
   * kprobe
   * wrap application in MAC (eg. apparmor) policy and put it in allowed auditing (apparmor complain mode) and collect list of capabilities used.
 * library to wrap syscalls to enable caps
   * tries syscall(SYS_xyz), if fail with -EPERM/EACCESS, then
   * oldcaps = enable_eff_cap_by_syscall(SYS_xyz)
     * looks through library of (syscall->caps_list) pairs
     * copies any x in caps_list which is in pP to pE
     * retries SYS_xyz
     * resets oldcaps

== Blockers ==
 * "rsync -AXa" works, but "AX" should be part of "a"
Line 10: Line 31:
 * NFS does not support xattr (patches for NFSv3 exist: http://marc.info/?l=linux-security-module&m=126804495005609&w=2)  * dpkg-deb does not know about xattrs.

== Good ==
 * "cp -a" works

== Bad ==
 * NFS does not support xattr

== Ugly ==
 * libcap2's pam_cap has unexpected parsing results (should allow multiple matches on user)

== Fixed ==
 * libcap2-bin does not install pam_cap.so into the common-auth stack automatically (LP: #534658).

Dumping ground for notes on supporting filesystem capabilities.

Open Questions

  • Filesystems without xattr support (NFS, etc). Possible solutions:
    • VFS 'xattr_backing_file' mount option
    • union mount with xattr-capable ext3 over xattr-challenged NFS
    • stackable FS
    • Wait for fs's to support xattrs :)

  • Determine possible caps needed for programs. Perhaps:
    • walk compiled assembly, listing caps
      • definitely needed (e.g. cap_sys_admin for mount)
      • possibly needed (e.g. cap_dac_override)
    • audit?
    • kprobe
    • wrap the application in a MAC (e.g. AppArmor) policy, run it with violations allowed but audited (AppArmor complain mode), and collect the list of capabilities used.
  • library to wrap syscalls to enable caps
    • tries syscall(SYS_xyz); if it fails with -EPERM/-EACCES, then
    • oldcaps = enable_eff_cap_by_syscall(SYS_xyz)
      • looks through library of (syscall->caps_list) pairs
      • copies any x in caps_list which is in pP to pE
      • retries SYS_xyz
      • resets oldcaps
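
The wrapper outlined in the list above, as an added example that is not code from this wiki page or from libcap. The names `capwrap_syscall`, `caps_for_syscall` and `raise_from_permitted`, and the two-entry syscall table, are assumptions made for illustration; the raw capget/capset calls are used so the example does not depend on libcap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define CAPBIT(c) (1ULL << (c))
/* Hypothetical (syscall -> caps_list) table; two constructed entries only. */
static const struct { long nr; uint64_t caps; } sc_caps[] = {
    { SYS_mount,  CAPBIT(CAP_SYS_ADMIN) },
    { SYS_chroot, CAPBIT(CAP_SYS_CHROOT) },
};

uint64_t caps_for_syscall(long nr) {
    for (size_t i = 0; i < sizeof sc_caps / sizeof sc_caps[0]; i++)
        if (sc_caps[i].nr == nr) return sc_caps[i].caps;
    return 0;                        /* unknown syscall: raise nothing */
}

/* "copies any x in caps_list which is in pP to pE": result never exceeds pP. */
uint64_t raise_from_permitted(uint64_t pP, uint64_t pE, uint64_t wanted) {
    return pE | (wanted & pP);
}

/* Raw capget/capset with the v3 header (two 32-bit words per set). */
static int cap_io(long op, struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(op, &h, d);
}

long capwrap_syscall(long nr, const long a[5]) {
    long r = syscall(nr, a[0], a[1], a[2], a[3], a[4]);
    if (r != -1 || (errno != EPERM && errno != EACCES)) return r;
    int err = errno;
    struct __user_cap_data_struct d[2];
    uint64_t wanted = caps_for_syscall(nr);
    if (!wanted || cap_io(SYS_capget, d) != 0) { errno = err; return -1; }
    uint64_t pP  = d[0].permitted | ((uint64_t)d[1].permitted << 32);
    uint64_t old = d[0].effective | ((uint64_t)d[1].effective << 32);
    uint64_t up  = raise_from_permitted(pP, old, wanted);
    if (up == old) { errno = err; return -1; }       /* nothing in pP to raise */
    d[0].effective = (uint32_t)up; d[1].effective = (uint32_t)(up >> 32);
    if (cap_io(SYS_capset, d) != 0) { errno = err; return -1; }
    r = syscall(nr, a[0], a[1], a[2], a[3], a[4]);   /* retries SYS_xyz */
    err = errno;
    d[0].effective = (uint32_t)old; d[1].effective = (uint32_t)(old >> 32);
    cap_io(SYS_capset, d);                           /* resets oldcaps */
    errno = err;
    return r;
}
```

The raise is bounded by the permitted set, and the previous effective set is restored after the retry, so the process holds the extra capability only for the duration of the one call.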

Blockers

Good

  • "cp -a" works

Bad

  • NFS does not support xattr

Ugly

  • libcap2's pam_cap has unexpected parsing results (should allow multiple matches on user)

Fixed

  • libcap2-bin does not install pam_cap.so into the common-auth stack automatically (LP: #534658).

Security/FilesystemCapabilties (last edited 2014-12-19 01:09:24 by kees)