Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Am Mi den 11. Nov 2015 um 11:54 schrieb Theodore Ts'o: > On Wed, Nov 11, 2015 at 11:14:34AM +0100, Klaus Ethgen wrote: > > > If you are going to do that level of auditing, then > > > you can also check to make sure it's not trying to explicitly > > >

Re: [KERNEL] Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

On Wed, Nov 11, 2015 at 11:14:34AM +0100, Klaus Ethgen wrote: > > If you are going to do that level of auditing, then > > you can also check to make sure it's not trying to explicitly > > manipulate the processes's capability mask to set the bit in the > > ambient capability mask (which is just ano

Re: [KERNEL] Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Am Mi den 11. Nov 2015 um 3:04 schrieb Theodore Ts'o: > On Tue, Nov 10, 2015 at 02:19:08PM +0100, Klaus Ethgen wrote: > > > And that's the fundamenal problem. Saying that you can only be secure > > > if **no** scripting languages can be used for **

Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

On Tue, Nov 10, 2015 at 02:19:08PM +0100, Klaus Ethgen wrote: > > And that's the fundamenal problem. Saying that you can only be secure > > if **no** scripting languages can be used for **any** privileged > > operations is something that _might_ work for you, but it doesn't work > > for the 99.999

Re: [KERNEL] Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

On 2015-11-10 12:58, Klaus Ethgen wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Am Di den 10. Nov 2015 um 14:35 schrieb Austin S Hemmelgarn: On 2015-11-10 08:19, Klaus Ethgen wrote: Hi Ted, hy others in this discussion, Am Di den 10. Nov 2015 um 13:40 schrieb Theodore Ts'o: Whether

Re: [KERNEL] Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Am Di den 10. Nov 2015 um 14:35 schrieb Austin S Hemmelgarn: > On 2015-11-10 08:19, Klaus Ethgen wrote: > >Hi Ted, hy others in this discussion, > > > >Am Di den 10. Nov 2015 um 13:40 schrieb Theodore Ts'o: > >>Whether or not that will be acceptable

Re: [KERNEL] Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Am Di den 10. Nov 2015 um 14:19 schrieb Klaus Ethgen: > + capable(CAP_ENABLE_AMBIENT))) Should be !capable ... As I wrote, I ask for comments and critics. The implementation is _not_ tested right now! Regards Klaus - --

Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

On 2015-11-10 08:19, Klaus Ethgen wrote: Hi Ted, hy others in this discussion, Am Di den 10. Nov 2015 um 13:40 schrieb Theodore Ts'o: Whether or not that will be acceptable upstream, I don't know, mainly because I think a strong case can be made that such a patch has an audience of one, and add

Re: [KERNEL] [PATCH] Kernel 4.3 breaks security in systems using capabilities

Hi Ted, hy others in this discussion, Am Di den 10. Nov 2015 um 13:40 schrieb Theodore Ts'o: > On Tue, Nov 10, 2015 at 12:55:27PM +0100, Klaus Ethgen wrote: > > > You can tell other people that they write privileged programs in the > > > wrong programming language if you like. > > > > Hey, it is