From: Jonathan Anderson
Date: Mon, 26 Oct 2020 09:47:41 -0230
Subject: Re: Mapping Linux capabilities(7) to our Capsicum rights(4)
To: Gleb Popov
Cc: freebsd-hackers
Hi Gleb,

There won't be a clear mapping between the two, as Linux "capabilities" (actually privileges, but unfortunately Symbian and POSIX.1e both called their privileges "capabilities" [1]) describe things that a process can do, whereas Capsicum capabilities (which are object capabilities) describe things that a file descriptor can do.

If you want to constrain the behaviour of a process, Capsicum provides cap_enter(2), giving up access to global namespaces, but that approach may not fit with the Linux-tailored software you're porting.

What's the fundamental security goal of the software in question? Dropping privileges is one mechanism to try to accomplish your goal, but there may well be a very different way of accomplishing it. In many situations (e.g., sandboxing), Linux "capabilities" and seccomp-bpf are a bit of an awkward fit... maybe we can help you find a better way?

Jon

[1] https://en.wikipedia.org/wiki/Capability-based_security#POSIX_capabilities

On Sun, 25 Oct 2020 at 06:10, Gleb Popov wrote:
> Hello hackers!
>
> I'm porting software that employs Linux capabilities to constrain the
> running process. The code looks like
>
>     if (!haveCapability(CAP_SYS_CHROOT)
>         || !haveCapability(CAP_MKNOD)
>         || !haveCapability(CAP_FOWNER))
>     {
>         errorOut();
>     }
>
>     dropCapability(CAP_SYS_CHROOT);
>     dropCapability(CAP_MKNOD);
>     dropCapability(CAP_FOWNER);
>
> The CAP_MKNOD looks much like our CAP_MKNODAT. The CAP_FOWNER looks more
> complex, but it seems it is implemented at higher granularity in Capsicum.
> Finally, I haven't found anything for CAP_SYS_CHROOT.
>
> I'll continue digging this up, but any hints would be appreciated.
> Thanks in advance.

--
jonathan@FreeBSD.org
http://freebsd.org/~jonathan/