[RFC PATCH v4 0/2] Add capabilities file to securityfs

Francis Laniel flaniel at linux.microsoft.com
Wed Aug 17 11:53:21 UTC 2022


Hi.


Le mardi 16 août 2022, 23:59:41 CEST Paul Moore a écrit :
> On Mon, Jul 25, 2022 at 8:42 AM Francis Laniel
> 
> <flaniel at linux.microsoft.com> wrote:
> > Hi.
> > 
> > First, I hope you are fine and the same for your relatives.
> 
> Hi Francis :)
> 
> > A solution to this problem could be to add a way for the userspace to ask
> > the kernel about the capabilities it offers.
> > So, in this series, I added a new file to securityfs:
> > /sys/kernel/security/capabilities.
> > The goal of this file is to be used by "container world" software to know
> > kernel capabilities at run time instead of compile time.
> 
> ...
> 
> > The kernel already exposes the last capability number under:
> > /proc/sys/kernel/cap_last_cap
> 
> I'm not clear on why this patchset is needed, why can't the
> application simply read from "cap_last_cap" to determine what
> capabilities the kernel supports?

When you capabilities with, for example, docker, you will fill capabilities 
like this:
docker run --rm --cap-add SYS_ADMIN debian:latest echo foo
As a consequence, the "echo foo" will be run with CAP_SYS_ADMIN set.

Sadly, each time a new capability is added to the kernel, it means "container 
stack" software should add a new string corresponding to the number of the 
capabilities [1].

The solution I propose would lead to "container stack" software to get rid of 
such an array and to test at runtime, if the name provided by user on the 
command line matches the name of a capability known by the kernel.
If it is the case, the number associated to the capability will be get by 
"container stack" code to be used as argument of capset() system call.

The advantage of this solution is that it would reduce the time taken between 
a new capability added to the kernel (e.g. CAP_BPF) and the time users can use 
it.
More generally, a solution to this problem would be a way for the kernel to 
expose the capabilities it knows.

Do not hesitate to ask for clarification if I was not clear.


Best regards.
---
[1] https://github.com/containerd/containerd/blob/
1a078e6893d07fec10a4940a5664fab21d6f7d1e/pkg/cap/cap_linux.go#L135




More information about the Linux-security-module-archive mailing list