463297 – [LTC 6.0 FEAT] 201315:File Capabilities - Kernel

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 463297 - [LTC 6.0 FEAT] 201315:File Capabilities - Kernel

Summary: [LTC 6.0 FEAT] 201315:File Capabilities - Kernel

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	6.0
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	alpha
Target Release:	6.0
Assignee:	Kevin W Monroe
QA Contact:	Martin Jenner
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	356741 463296
TreeView+	depends on / blocked

Reported:	2008-09-22 20:40 UTC by IBM Bug Proxy
Modified:	2010-05-20 13:21 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-09-23 22:05:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description IBM Bug Proxy 2008-09-22 20:40:43 UTC

=Comment: #0=================================================
Emily J. Ratliff <emilyr.com> - 2008-09-16 18:26 EDT
1. Feature Overview:
Feature Id:	[201315]
a. Name of Feature:	File Capabilities - Kernel
b. Feature Description
File capabilities allow an administrator to mark files with POSIX capabilities. When a process is
instantiated from binary, it receives the capabilities with which the on-disk file is marked.
Binaries that would normally require setuid permission can be given only the capabilities required.
The classic example is the ping program. Normally it is setuid because it requires CAP_NET_RAW. With
file capabilities, the binary can be marked on disk as requiring CAP_NET_RAW and no longer needs to
be made setuid. See
http://www.ibm.com/developerworks/library/l-posixcap.html?ca=dgr-lnxw01POSIX-capabilities for more
details. The 2.6.24 version of the kernel or greater is required to pick up from upstream and the
kernel CONFIG_SECURITY_FILE_CAPABILITIES build configuration option needs to be turned on. The
security.capabilities xattr must be supported by target filesystems.

2. Feature Details:
Sponsor:	LTC Security
Architectures:
x86
x86_64
ppc64
s390 native
s390 compat
s390x

Arch Specificity: Purely Common Code
Affects Core Kernel: Yes
Delivery Mechanism: Direct from community
Category:	Security
Request Type:	Kernel - Enhancement from Upstream
d. Upstream Acceptance:	Accepted
Sponsor Priority	1
f. Severity: High
IBM Confidential:	no
Code Contribution:	IBM code
g. Component Version Target:	>= Linux 2.6.24

3. Business Case
Finer grained control over executable capabilities reduces the danger binaries as they no longer
need to be made setuid and only required capabilities can be given to the process. This will
increase customer security and give Linux a competitive advantage over Windows and Solaris.

4. Primary contact at Red Hat: 
John Jarvis
jjarvis

5. Primary contacts at Partner:
Project Management Contact:
Mounir Bsaibes, bsaibes.com, 512-838-1301

Technical contact(s):
George Wilson, gcwilson.com
Serge Hallyn, sergeh.com

IBM Manager:
Bryan Jacobson, bjacobson.com

Comment 1 Bill Nottingham 2008-10-01 21:22:58 UTC

RHEL 6 will include a kernel later than 2.6.24, this should not be an issue.

Comment 2 Bill Nottingham 2008-10-02 02:09:48 UTC

The feature requested has already been accepted into the upstream code base
planned for the next major release of Red Hat Enterprise Linux.

When the next milestone release of Red Hat Enterprise Linux 6 is available,
please verify that the feature requested is present and functioning as
desired.

Comment 3 IBM Bug Proxy 2009-03-02 22:40:54 UTC

File capabilities are upstream since long before 2.6.29.  They are
enabled in all recent fedoras.  They do require

CONFIG_SECURITY_FILE_CAPABILITIES=y

Comment 4 Kevin W Monroe 2009-09-23 22:05:19 UTC

Closing - included in Red Hat Enterprise Linux 6.

Comment 5 IBM Bug Proxy 2010-05-20 13:21:43 UTC

------- Comment From sergeh.com 2010-05-20 09:10 EDT-------
FWIW, both manual tests and the ltp filecaps testcase pass on RHEL6 on ppc64.  Use of
cap_sys_admin+ie (for user with inheritable capabilties, cap_sys_admin+pe, and file
capabilities plus setuid-root were hand-tested.

All appears correct.

Note You need to log in before you can comment on or make changes to this bug.