Bug 517659 - Changes for lowering capabilities project
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: gpm
rawhide
All Linux
low Severity medium
Assigned To: Nikola Pajkovsky
Fedora Extras Quality Assurance
: Reopened
Blocks: 519823
Reported: 2009-08-15 14:55 EDT by Steve Grubb
Modified: 2014-02-02 17:13 EST
Doc Type: Bug Fix
Last Closed: 2010-01-11 12:40:07 EST


Attachments
Patch to drop capabilities (1.68 KB, patch)
2009-08-15 14:55 EDT, Steve Grubb

Description Steve Grubb 2009-08-15 14:55:14 EDT
Created attachment 357546
Patch to drop capabilities

Description of problem:
As part of the lowering capabilities project, we should drop all unnecessary
capabilities in gpm.
Comment 1 Zdenek Prikryl 2009-08-20 04:55:30 EDT
The patch is added in rawhide. Thanks.
Comment 2 Steve Grubb 2009-08-24 08:31:52 EDT
Thanks for applying the patch. I forgot to mention that you need to add a BuildRequires: libcap-ng-devel so configure finds the library. Do you mind re-spinning with the BR added? Thanks.
Comment 3 Eduard Benes 2010-01-08 09:46:27 EST
The patch for this bug actually had to be dropped in gpm-1.20.6-8. Lowering the capabilities as proposed in the patch introduced bug #537724. The current state is that we do not lower the proposed capabilities in gpm.

Brief summary:

SELinux provides -
   allow gpm_t gpm_t : capability { dac_override setuid setpcap sys_admin sys_tty_config } ; 

The patch provides - 
  CAP_SYS_ADMIN, CAP_SYS_TTY_CONFIG

Adding the CAP_DAC_OVERRIDE capability to the patch, which unfortunately gives the daemon the ability to do almost anything to the system, fixes bug #537724.
Therefore it would be useless to confine gpm in such a way, and the patch
can be dropped.

Steve, is this correct? Is there anything else we can do for lowering capabilities in gpm?
Comment 4 Steve Grubb 2010-01-08 10:09:57 EST
That is correct. If you allow DAC_OVERRIDE, then gpm can read or write any file on the system and it's pointless to protect against anything. Gpm may not be able to directly perform privileged ops like open a raw socket, but it would be able to write a root cron job that would. So, in the threat model I am trying to protect against, DAC_OVERRIDE presents too big of a hole.
Comment 5 Nikola Pajkovsky 2010-01-11 12:40:07 EST
Closing per comments 3, 4.
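
A check for the point made in comments 3 and 4, as an added example that is not part of the bug thread or of the gpm patch: it reads the CapEff mask from /proc/<pid>/status-style text and reports whether the process holds anything beyond the two capabilities the patch kept, and whether CAP_DAC_OVERRIDE is among them. The function names and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h> for the capabilities named in the thread. */
enum { DAC_OVERRIDE = 1, SETUID = 7, SETPCAP = 8, SYS_ADMIN = 21, SYS_TTY_CONFIG = 26 };
#define BIT(n) (UINT64_C(1) << (n))

/* Read the CapEff mask out of /proc/<pid>/status-style text; 0 on success, -1 if absent. */
int parse_capeff(const char *status, uint64_t *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            *mask = strtoull(p + 7, &end, 16);
            return end == p + 7 ? -1 : 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* The two capabilities the patch kept, per comment 3 (helper name is hypothetical). */
uint64_t gpm_patch_set(void) { return BIT(SYS_ADMIN) | BIT(SYS_TTY_CONFIG); }

/* Capabilities held beyond an allowed set; 0 means the process stays within it. */
uint64_t excess_caps(uint64_t mask, uint64_t allowed) { return mask & ~allowed; }

/* Comment 4's test: with DAC_OVERRIDE in the set, the confinement protects nothing. */
int confinement_defeated(uint64_t mask) { return (mask & BIT(DAC_OVERRIDE)) != 0; }

int main(void)
{
    /* Constructed samples, not captured from a real gpm process. */
    const char *samples[] = {
        "Name:\tgpm\nCapEff:\t0000000004200000\n",   /* patch as proposed */
        "Name:\tgpm\nCapEff:\t0000000004200002\n",   /* patch plus DAC_OVERRIDE */
        "Name:\tgpm\nCapEff:\t0000000004200182\n",   /* full SELinux-allowed set */
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uint64_t m;
        if (parse_capeff(samples[i], &m) != 0) return 1;
        printf("CapEff=%#llx excess=%#llx defeated=%d\n", (unsigned long long)m,
               (unsigned long long)excess_caps(m, gpm_patch_set()), confinement_defeated(m));
    }
    return 0;
}
```

On a live system the same text comes from /proc/<pid>/status of the running daemon.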
