Bug 517659
| Summary: | Changes for lowering capabilities project | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Steve Grubb <sgrubb> | ||||
| Component: | gpm | Assignee: | Nikola Pajkovsky <npajkovs> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | rawhide | CC: | dhoward, ebenes, npajkovs, pertusus, zprikryl | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2010-01-11 17:40:07 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 519823 | ||||||
| Attachments: |
|
||||||
The patch is added in rawhide. Thanks. Thanks for applying the patch. I forgot to mention that you need to add a BuildRequires: libcap-ng-devel so configure finds the library. Do you mind re-spinning with the BR added? Thanks. Patch for this bug had to be actually dropped in gpm-1.20.6-8. Lowering the capabilities as proposed in the patch introduced bug #537724. Current state is that we do not lower the proposed capabilities in gpm. Brief summary: SELinux provides - allow gpm_t gpm_t : capability { dac_override setuid setpcap sys_admin sys_tty_config } ; The patch provides - CAP_SYS_ADMIN, CAP_SYS_TTY_CONFIG Adding CAP_DAC_OVERRIDE capability to the patch, which unfortunately gives the daemon ability to do almost anything to the system, fixes the bug #537724. Therefore it would be useless to confine the gpm in a such way and the patch can be dropped. Steve, is this correct? Is there anything else we can do for lowering capabilities in gpm? That is correct. If you allow DAC_OVERRIDE, then gpm can read or write any file on the system and its pointless to protect against anything. Gpm may not be able to directly perform privileged ops like open a raw socket, but it would be able to write a root cron job that would. So, in the threat model I am trying to protect against, DAC_OVERRIDE presents too big of a hole. |
Created attachment 357546 [details] Patch to drop capabilities Description of problem: As part of the lowering capabilities project, we should drop all unnecessary capabilities in gpm