On Fri, Mar 13, 2015 at 12:03 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Fri, Mar 13, 2015 at 11:52 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>>
>> All this said, almost half of the capabilities, if passed to flawed
>> children with attacker controlled execution, can be elevated to full
>> root privileges pretty easily[1], so I think any documentation around
>> this feature should include some pretty dire warnings about using
>> this.
>
> That's a good point. I'll make sure to document that.
>
> It's worth noting that, for many applications, that list is
> overstated. For example, many of the suggested privilege escalations
> don't work if you're in a sufficiently restrictive mount namespace.
>
> For my own use, I plan on adding only CAP_NET_BIND_SERVICE and
> CAP_NET_RAW to pA, and I'll be layering seccomp on top to the extent
> possible.

Right, keeping software authors aware of the fact that their efforts at
attack surface reduction may need additional confinement beyond just the
capability reduction.

-Kees

>
> --Andy
>
>>
>> -Kees
>>
>> [1] https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
>>
>> --
>> Kees Cook
>> Chrome OS Security
>
>
>
> --
> Andy Lutomirski
> AMA Capital Management, LLC

--
Kees Cook
Chrome OS Security
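The confinement Andy describes (keep only CAP_NET_BIND_SERVICE and CAP_NET_RAW in the ambient set, then layer seccomp on top) as an added worked example; this is not code from the thread, from the ambient-capabilities patch series, or from either author. It assumes a Linux kernel with PR_CAP_AMBIENT (4.3 or later), an x86-64 machine, and that it is started as root with the target unprivileged uid given on the command line; the syscall allow-list is a constructed starting point that a real program would extend. Denied syscalls return EPERM rather than killing the process so that gaps in the list show up as errors while tuning it.

```c
/* Added example (not from the thread): drop to a minimal ambient capability
 * set, then install a seccomp-bpf syscall allow-list before exec'ing a child.
 * Assumes Linux >= 4.3 (PR_CAP_AMBIENT), x86-64, started as root.
 * Usage: ./confine <unprivileged-uid> <program> [args...] */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef PR_CAP_AMBIENT            /* values from linux/prctl.h, for older headers */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#define PR_CAP_AMBIENT_CLEAR_ALL 4
#endif

/* The only capabilities the child may keep; everything else is dropped. */
static const int kept_caps[] = { CAP_NET_BIND_SERVICE, CAP_NET_RAW };
#define N_KEPT (sizeof kept_caps / sizeof kept_caps[0])

/* Bitmask of kept_caps within the first 32 capabilities (both are below 32). */
unsigned kept_cap_mask(void)
{
    unsigned m = 0;
    for (size_t i = 0; i < N_KEPT; i++)
        m |= 1u << kept_caps[i];
    return m;
}

/* Set pP, pI and pE to exactly kept_caps using the raw capset() syscall (no libcap). */
int restrict_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 }, { 0 } };
    data[0].effective = data[0].permitted = data[0].inheritable = kept_cap_mask();
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Clear pA, then raise exactly kept_caps into it (each must already be in pP and pI). */
int raise_ambient(void)
{
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
        return -1;
    for (size_t i = 0; i < N_KEPT; i++)
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, kept_caps[i], 0, 0) < 0)
            return -1;
    return 0;
}

/* Build a seccomp-bpf allow-list: wrong arch -> kill, listed nr -> allow,
 * anything else -> EPERM. Returns the instruction count, or 0 if 'out' is too small. */
size_t build_allowlist(const int *nrs, size_t n, struct sock_filter *out, size_t max)
{
    size_t i = 0;
    if (n + 6 > max) return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++)     /* on match, jump forward to the final ALLOW */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[j], (unsigned char)(n - j), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Minimal interpreter for the three opcodes used above, so the policy can be
 * checked offline before it is installed. Returns the SECCOMP_RET_* value. */
unsigned eval_filter(const struct sock_filter *p, size_t n, unsigned arch, unsigned nr)
{
    unsigned acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &p[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;   /* loop's pc++ adds the +1 */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL;  /* opcode this toy evaluator does not model */
    }
    return SECCOMP_RET_KILL;          /* fell off the end: treat as deny */
}

int main(int argc, char **argv)
{
    /* Constructed starter list; a real program needs whatever its loader and runtime use. */
    static const int allowed[] = { SYS_read, SYS_write, SYS_openat, SYS_close, SYS_mmap,
                                   SYS_mprotect, SYS_munmap, SYS_brk, SYS_socket, SYS_bind,
                                   SYS_listen, SYS_accept4, SYS_execve, SYS_exit_group };
    struct sock_filter prog[32];
    struct sock_fprog fprog = { .len = (unsigned short)build_allowlist(allowed, 14, prog, 32),
                                .filter = prog };
    if (argc < 3) { fprintf(stderr, "usage: %s <uid> <program> [args]\n", argv[0]); return 2; }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);

    /* Keep pP across the uid change (pE is cleared anyway), then narrow all three sets. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0 || setresuid(uid, uid, uid) < 0) { perror("setresuid"); return 1; }
    if (restrict_caps() < 0) { perror("capset"); return 1; }
    if (raise_ambient() < 0) { perror("PR_CAP_AMBIENT"); return 1; }
    /* no_new_privs lets an unprivileged process install the filter and stops setuid/fscap regain. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("no_new_privs"); return 1; }
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) < 0) { perror("seccomp"); return 1; }
    execv(argv[2], argv + 2);          /* child inherits pA and the filter across execve */
    perror("execv");
    return 1;
}
```

The order matters: the uid is changed first with PR_SET_KEEPCAPS so the permitted set survives, capset() then shrinks pP/pI/pE to the two capabilities, PR_CAP_AMBIENT_RAISE copies them into pA, and only then is no_new_privs set and the filter installed, since the filter itself blocks capset and prctl afterwards. eval_filter lets you confirm offline that, for example, execve is allowed and an unlisted syscall gets EPERM before running anything privileged.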