Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Casey Schaufler <casey <at> schaufler-ca.com>
Subject: Re: [PATCH] x86: Lock down MSR writing in secure boot
Newsgroups: gmane.linux.kernel.lsm
Date: Wednesday 13th February 2013 22:58:28 UTC (over 4 years ago)
On 2/13/2013 2:26 PM, H. Peter Anvin wrote:
> On 02/13/2013 09:51 AM, Casey Schaufler wrote:
>>
>> You can't add a new capability where there is an existing capability
>> that can be remotely argued to be appropriate.
>>
>> If you tried to "fix" CAP_SYS_RAWIO and/or CAP_SYS_ADMIN you'd end
>> up with hundreds of capabilities.
>>
>> Your particular problem is *not* so important that you get a
>> capability all to yourself.
>>
>
> {facepalm}
>
> This is exactly the kind of thinking which has led to the capability
> system being so bloody useless.

The reason the capability system is "bloody useless" is
that no one wants to update the core system applications to
use it in favor of good old fashioned worked for dad and
works for me too superuser.

>
> Capabilities need to be associated with resources, not use cases.

There is no such thing as a "resource" in the Linux security
policy model. The Linux security policy model is based on
subjects (tasks) accessing objects (e.g. files). Capabilities
provide a granular mechanism for granting privilege to
violate the Linux security policy.

Because in the Bad Old days of Unix "superuser privilege"
also granted rights to preform configuration activities it
was not possible to eliminate the superuser without extending
the capability mechanism to include these. Thus, there are two
sorts of capabilities, those controlling privileged access and
those controlling restricted activities.

In both cases what you are controlling is an activity. Sorry,
but that is the way it is defined.

I understand that you want capabilities to be associated with
resources. That is *not* what we have, and arguing that its
what we should have is pointless because Linux does not even
have a concept of resources.

>
>     -hpa
>
>

--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
 
CD: 2ms