Does NFS support Linux Capabilities

Theodore Ts'o tytso at mit.edu
Fri Sep 9 09:23:46 UTC 2022 

On Thu, Sep 08, 2022 at 08:24:02PM +0000, Chuck Lever III wrote:
> I'm not sure how closely other implementations come to implementing
> POSIX.1e, but there are enough differences that interoperability
> could be a nightmare. Anything Linux has done differently than
> POSIX.1e would be encumbered by GPL, making it nearly impossible to
> standardize those differences. (Let alone the possible problems
> trying to cite a withdrawn POSIX standard in an Internet RFC!)

I'm not a lawyer and I don't play one on TV; I haven't even stayed at
a Holiday Inn recently.  :-)

However... please note that at least in the US, copyright does not
extend to *interfaces*.  This is why we can replicate interfaces such
as openat(2), which first appeared in Solaris, not to mention things
like the read(2) system call and the options to fsck, which first
appared in Unix systems encumbered by the AT&T Copyright license.

(And some of these licenses even had AT&T's claim that Unix "methods
and concepts" were trade secrets, although MIT had always refused to
sign any such license agreements, since they didn't want to encumber
the brains of their undergraduates.  So I've looked at BSD source code
as an MIT undergraduate without any kind of "Methods and Concepts"
taint, although trying to claim that the Unix methods and concepts are
a "trade secret" are kind of laughable at this point.  :-)

> The NFSv4 WG could invent our own capabilities scheme, just as was
> done with NFSv4 ACLs. I'm not sure everyone would agree that effort
> was 100% successful.

Indeed, what the NFSv4 working group could do is to take a survey of
what capabilities are in use, and more importantly, how they are
defined, and create a superset of all of those capabilities and
publish it as an RFC.  The tricky bit might be there were multiple
versions of the Posix.1e that were published, and different Legacy
Unices shipped implementations conforming to different drafts of
Posix.1e as part of the ill-fated "C2 by '92" initiative.

(The US government was trying to get all Unix systems to have the
minimal Orange Book certification so the US Military could use them in
classified systems, and they hadn't figured out that US procurements
for the computer industry had transitioned from being the body of the
dog to being the tail.  For more details, see Steve Lipner's "The
Birth and Death of the Orange Book" published in the IEEE Annals of
the History of Computing, 2015.)

In any case, what this means is the exact details of what some
particular capability might control could differ from system to
system.  OTOH, I'm not sure how much that matters, since capability
masks are applied to binaries, and it's unlikely that it would matter
that a particular capabiity on an executable meant for Solaris 2.4SE
with C2 certification might be confusing to AIX 4.3.2 (released in
1999; so much for C2 by '92) that supported Orange Book C2, since AIX
can't run Solaris binaries.  :-)

> Given these enormous challenges, who would be willing to pay for
> standardization and implementation? I'm not saying it can't or
> shouldn't be done, just that it would be a mighty heavy lift.
> But maybe other folks on the Cc: list have ideas that could
> make this easier than I believe it to be.

... and this is why the C2 by '92 initiative was doomed to failure,
and why Posix.1e never completed the standardization process.  :-)

Honestly, capabilities are super coarse-grained, and I'm not sure they
are all that useful if we were create blank slate requirements for a
modern high-security system.  So I'm not convinced the costs are
sufficient to balance the benefits.

If I was going to start from scratch, and if I only cared about Linux
systems that supported ext4 and/or f2fs, I'd design something where
executables would use fsverity, and then combine it with an eBPF MAC
policy[1] that would key off of some policy identifier embedded in the
PKCS7 signature block located in the executable's fsverity metadata.
(The fsverity signature would be applied by a secure build service, to
guarantee exact correspondence between the binary and a specific
version checked into source control, to protect against the insider
threat of an engineer sneaking some kind of un-peer-reviewed back door
into the binary.)  The policy identifier might be used to provide some
kind of MAC enforcement, perhaps using seccomp to enforce what system
calls and ioctls said executable would be allowed to execute, or some
other kind of MAC policy.

[1] https://lwn.net/Articles/809645/

Speaking totally hypothetically, of course.  A bunch of what I've
described above isn't upstream, or even implemented yet.  (Although if
someone's interest is piqued in implementing some of this, please
contact me off-line.)

    		     	   	 		- Ted

More information about the Linux-security-module-archive mailing list