setcap/getcap limitations
Serge E. Hallyn
serge at hallyn.com
Fri May 12 03:37:18 UTC 2017
Quoting Richard Guy Briggs (rgb at redhat.com):
> Capabilities gurus,
I cc:d Andrew as he maintains the source package,
> These may arguably be useless or meaningless combinations, but I found them
> sufficiently puzzling as to need to document and report the behaviour. They
> appear to be leftovers from a time when fE may have been a bitfield rather than
> a boolean.
>
>
> 1 - BUG: setcap manpage refers to non-existant cap_from_text(3) and cap_set_file(3)
> manpages (fedora). (It turns out it is in libcap-devel which makes
> sense, but isn't very useful for users of setcap/getcap(8) rather than
> developers.)
Hm, yeah, I suppose. In the libcap source though they all come
together. Perhaps this is cause for distro bugs to make a
common libcap-doc package which both libcap-devel and libcap2-bin
depend on? Really not sure of the best solution.
> 2 - BUG: setcap requires dummy capability present to set or clear effective bit
Getting ready for a short road trip, will look at the rest this weekend.
> While attempting to issue the setcap command to set or clear the effective bit,
> the latter of which is a boolean rather than a capability set, a fatal error
> was returned with a usage message that didn't make much sense:
> # setcap +e /tmp/test
> fatal error: Invalid argument
> usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
> Note <filename> must be a regular (non-symlink) file.
> So in order to set it, I need to use a dummy capability, such as:
> # setcap cap_sys_admin+e /tmp/test
>
>
> 3- BUG: getcap doesn't show effective bit set if no other fP or fI bits are set
>
> # setcap cap_sys_admin+pe /tmp/test
> # getcap /tmp/test
> /tmp/test = cap_sys_admin+ep
> # getfattr --absolute-names --e hex -n security.capability /tmp/test
> security.capability=0x0100000200002000000000000000000000000000
> # setfattr -n security.capability -v 0x0100000200000000000000000000000000000000 /tmp/test
> # getcap /tmp/test
> /tmp/test =
> # getfattr --absolute-names --e hex -n security.capability /tmp/test
> security.capability=0x0100000200000000000000000000000000000000
> # setcap cap_sys_admin-p /tmp/test
> # getfattr --absolute-names --e hex -n security.capability /tmp/test
> # file: /tmp/test
> security.capability=0x0000000200000000000000000000000000000000
> So, getcap lies, where getfattr is more honest but awkward.
>
>
> Q: How do I set one fP capability and a different fI capability?
>
> >From looking at the manpage for cap_from_text, it appears that capability sets
> can be specified in a similar manner to chmod(1), using "=", "+" and "-"
> operators, but pracitical poking doesn't seem to work that way. "+" seems to
> work like "=" and "-" seems to clear all except the version field.
> Other than resorting to setfattr, how can I set something like
> cap_sys_admin+p with cap_audit_read,cap_audit_write,cap_audit_control+i ?
>
>
> 4 - BUG: The capabilities version doesn't get cleared when all cap bits are
> cleared. This fools kernel into thinking there are fcaps set.
>
> As can be seen above, if setcap is used with "<capability>-<p|e|i>" to unset
> capabilities then the version field is leftover, set. Arguably the -r option
> should have been used to remove the attribute entirely, but in this case, the
> kernel assumes that capabilities are in use due to a valid version number
> present (VFS_CAP_REVISION_MASK). This could be solved in the kernel by
> clearing that attribute field entirely if there are no values set other than
> the version number, or by having "has_cap" check for a value more than just the
> version number. Is it possible to remove some capabilities from a file but not
> all? Or is it intended to simply specify the new set of capabilities that are
> to be set and ignore or strip away the unwanted ones from the set?
>
>
> Thanks!
>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list