On Sat, Jan 28, 2012 at 8:28 AM, Andrew Lutomirski <luto@xxxxxxx> wrote: > On Fri, Jan 27, 2012 at 3:24 PM, Will Drewry <wad@xxxxxxxxxxxx> wrote: >> Filter programs will be inherited across fork/clone and execve. >> However, if the task attaching the filter is unprivileged >> (!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task. This >> ensures that unprivileged tasks cannot attach filters that affect >> privileged tasks (e.g., setuid binary). > > This makes me nervous -- I don't think that the behavior of any new > API should be different depending on privilege level -- adding a > privilege should just make things work that would otherwise fail. You > might end up with bugs where a program is completely safe if run > without CAP_SYS_ADMIN but, if run with CAP_SYS_ADMIN, bad things > happen. (The behavior of setuid(geteuid()) is an example of this > problem.) > > One way to fix it is to make setting a filter program fail unless > capable(CAP_SYS_ADMIN ) || no_new_privs. Good call. I'll upgrade the interaction with no_new_privs to be explicit in the next revision. It is certainly more transparent and removes the risk of unintended consequences. thanks! -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
