FilesystemCapabilties

Differences between revisions 7 and 8
Revision 7 as of 2010-05-11 07:15:16
Size: 1552
Editor: serge-hallyn
Comment:
Revision 8 as of 2011-09-27 18:44:25
Size: 1699
Editor: jjohansen
Comment:
Line 15: Line 15:
   * wrap application in MAC (eg. apparmor) policy and put it in allowed auditing (apparmor complain mode) and collect list of capabilities used.

Dumping ground for notes on supporting filesystem capabilities.

Open Questions

  • Filesystems without xattr support (NFS, squashfs, etc). Possible solutions:
    • VFS 'xattr_backing_file' mount option
    • union mount with xattr-capable ext3 over xattr-challenged NFS
    • stackable FS
    • Wait for filesystems to support xattrs :)

  • Determine the capabilities a program may need. Perhaps:
    • walk the compiled assembly, listing caps that are
      • definitely needed (e.g. cap_sys_admin for mount)
      • possibly needed (e.g. cap_dac_override)
    • audit?
    • kprobe
    • wrap the application in a MAC (e.g. AppArmor) policy, run it in audit-allow mode (AppArmor complain mode) and collect the list of capabilities used.
  • library to wrap syscalls to enable caps
    • tries syscall(SYS_xyz); if it fails with -EPERM/-EACCES, then
    • oldcaps = enable_eff_cap_by_syscall(SYS_xyz)
      • looks through a library of (syscall -> caps_list) pairs
      • copies any x in caps_list which is in pP to pE
      • retries SYS_xyz
      • resets oldcaps
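The following is an added example of the syscall-wrapping library sketched above; it is not code from the wiki page or from any Ubuntu package. It keeps the page's name enable_eff_cap_by_syscall, and the (syscall -> caps_list) table, caps_for_syscall() and call_with_caps() are constructed for illustration. It uses the raw capget/capset syscalls so it does not depend on libcap; only capabilities already in the permitted set (pP) are copied into the effective set (pE), which is exactly what the kernel permits an unprivileged capset to do.

```c
/* Added example (not from the wiki page): raise needed capabilities into pE
 * from pP only around a failing syscall, then drop them again. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define CAPBIT(c) (UINT64_C(1) << (c))

/* One entry of the (syscall -> caps_list) library: a capability bitmask. */
struct syscall_caps {
    long nr;
    uint64_t caps;
};

/* Constructed, illustrative table; a real library would cover far more. */
static const struct syscall_caps cap_table[] = {
    { SYS_mount,       CAPBIT(CAP_SYS_ADMIN) },                     /* definitely needed */
    { SYS_chroot,      CAPBIT(CAP_SYS_CHROOT) },
    { SYS_sethostname, CAPBIT(CAP_SYS_ADMIN) },
    { SYS_openat,      CAPBIT(CAP_DAC_OVERRIDE) | CAPBIT(CAP_DAC_READ_SEARCH) }, /* possibly needed */
};

/* Returns the caps_list for a syscall number, or 0 if it is unknown. */
uint64_t caps_for_syscall(long nr)
{
    for (size_t i = 0; i < sizeof cap_table / sizeof cap_table[0]; i++)
        if (cap_table[i].nr == nr)
            return cap_table[i].caps;
    return 0;
}

/* Snapshot of the thread's capability sets (version 3 uses two u32 words). */
struct caps_state {
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
};

static int get_caps(struct caps_state *st)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, st->data);
}

static int set_caps(const struct caps_state *st)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &hdr, st->data);
}

/* Copies every x in caps_list(nr) that is in pP into pE. The previous state
 * is saved in *old for reset. Returns 0 on success, -1 with errno set. */
int enable_eff_cap_by_syscall(long nr, struct caps_state *old)
{
    if (get_caps(old) < 0)
        return -1;
    uint64_t pP = (uint64_t)old->data[0].permitted | ((uint64_t)old->data[1].permitted << 32);
    uint64_t pE = (uint64_t)old->data[0].effective | ((uint64_t)old->data[1].effective << 32);
    pE |= caps_for_syscall(nr) & pP;   /* never beyond pP: the kernel would reject it */
    struct caps_state nw = *old;
    nw.data[0].effective = (uint32_t)pE;
    nw.data[1].effective = (uint32_t)(pE >> 32);
    return set_caps(&nw);
}

/* Runs attempt(); on EPERM/EACCES raises the table's caps, retries once,
 * then always resets the old effective set, even if the retry failed. */
long call_with_caps(long nr, long (*attempt)(void *), void *arg)
{
    long ret = attempt(arg);
    if (ret >= 0 || (errno != EPERM && errno != EACCES))
        return ret;
    int saved_errno = errno;
    struct caps_state old;
    if (enable_eff_cap_by_syscall(nr, &old) < 0) {
        errno = saved_errno;
        return ret;
    }
    ret = attempt(arg);
    saved_errno = errno;
    set_caps(&old);                    /* resets oldcaps */
    errno = saved_errno;
    return ret;
}

/* Harmless demonstration: chroot("/") needs CAP_SYS_CHROOT but changes nothing. */
static long try_chroot(void *arg) { return chroot((const char *)arg); }

int main(void)
{
    long r = call_with_caps(SYS_chroot, try_chroot, "/");
    printf("chroot(\"/\") via wrapper: %s\n", r == 0 ? "ok" : "failed (no CAP_SYS_CHROOT in pP)");
    return 0;
}
```

The wrapper only ever narrows the window in which a capability is effective; it cannot grant anything the binary's file capabilities (or the parent) did not already place in pP, so it composes with, rather than replaces, the per-program capability audit described above.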

Blockers

Good

  • "cp -a" works

Bad

  • NFS does not support xattr

Ugly

  • libcap2's pam_cap has unexpected parsing results (should allow multiple matches on user)

Fixed

  • libcap2-bin does not install pam_cap.so into the common-auth stack automatically (LP: #534658).

Security/FilesystemCapabilties (last edited 2014-12-19 01:09:24 by kees)