Mapping Linux capabilities(7) to our Capsicum rights(4)
Jonathan Anderson
jonathan at freebsd.org
Mon Oct 26 12:17:53 UTC 2020
Hi Gleb,
There won't be a clear mapping between the two, as Linux "capabilities"
(actually privileges, but unfortunately Symbian and POSIX.1e both called
their privileges "capabilities" [1]) describe things that a process can do,
whereas Capsicum capabilities (which are object capabilities) describe
things that a file descriptor can do. If you want to constrain the
behaviour of a process, Capsicum provides cap_enter(2), giving up access to
global namespaces, but that approach may not fit with the Linux-tailored
software you're porting.
What's the fundamental security goal of the software in question? Dropping
privileges is one mechanism to try to accomplish your goal, but there may
well be a very different way of accomplishing it. In many situations (e.g.,
sandboxing), Linux "capabilities" and seccomp-bpf are a bit of an awkward
fit... maybe we can help you find a better way?
Jon
[1]
https://en.wikipedia.org/wiki/Capability-based_security#POSIX_capabilities
On Sun, 25 Oct 2020 at 06:10, Gleb Popov <arrowd at freebsd.org> wrote:
> Hello hackers!
>
> I'm porting a software that employs Linux capabilities to constrain the
> running process. The code looks like
>
> if (!haveCapability(CAP_SYS_CHROOT)
> || !haveCapability(CAP_MKNOD)
> || !haveCapability(CAP_FOWNER))
> {
> errorOut();
> }
>
> dropCapability(CAP_SYS_CHROOT);
> dropCapability(CAP_MKNOD);
> dropCapability(CAP_FOWNER);
>
> The CAP_MKNOD looks much like our CAP_MKNODAT. The CAP_FOWNER looks more
> complex, but it seems it is implemented at higher granularity in Capsicum.
> Finally, I haven't found anything for CAP_SYS_CHROOT.
>
> I'll continue digging this up, but any hints would be appreciated.
> Thanks in advance.
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
--
jonathan at FreeBSD.org
http://freebsd.org/~jonathan/
More information about the freebsd-hackers
mailing list