Story
Resolution: Unresolved
rhel-9.4
rhel-sst-security-special-projects
ssg_security
3. What is the nature and description of the request?
- The format that is used by "capsh --print" to print capabilities is misleading (when not having read through "man cap_to_text") since it has a counter-intuitive interpretation.
Example:
- capsh --print |cat -n|head -3
1 Current: =ep
2 Bounding set = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
3 Ambient set =
Interpretation:
- The "Bounding set" stands out: It has lots of capabilities.
- Conclusion: when capabilities are here, they are clearly shown/printed
- The "Ambient Set" is empty, "The Current" is also empty and has a "ep" annotation. That annotation will do nothing as the set is empty anyway.
Reality:
- All Bits are set, that means FULL capabilities.
- cat /proc/$$/status|grep Cap |cat -n
1 CapInh: 0000000000000000
2 CapPrm: 000001ffffffffff
3 CapEff: 000001ffffffffff <- here
4 CapBnd: 000001ffffffffff
5 CapAmb: 0000000000000000
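To cross-check capsh output without depending on the cap_to_text notation, the kernel's hex masks can be decoded directly. The following is an added example, not part of the original report or of libcap; the words "all" and "none", the `bit_N` fallback and the function names are assumptions of this sketch, and the name table assumes the 41 capabilities listed in the "Bounding set" line above.

```python
import re

# Names in bit order (bit 0 = cap_chown), copied from the "Bounding set" line above.
# Assumption: the kernel knows exactly these 41 capabilities (cap_last_cap = 40).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease "
    "audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm "
    "block_suspend audit_read perfmon bpf checkpoint_restore"
).split()
FULL_MASK = (1 << len(CAP_NAMES)) - 1  # 0x1ffffffffff for 41 capabilities

# Constructed sample: the Cap* lines quoted from /proc/$$/status in this report.
SAMPLE_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

def parse_status(text):
    """Return {'CapInh': int, ...} from the text of /proc/<pid>/status."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}

def render(mask):
    """Render a mask so that 'everything' and 'nothing' cannot be confused."""
    if mask == 0:
        return "none"
    if mask == FULL_MASK:
        return "all"
    names = ["cap_" + n for i, n in enumerate(CAP_NAMES) if mask >> i & 1]
    # Bits above the known table (newer kernel) are shown by number, never dropped.
    names += [f"bit_{i}" for i in range(len(CAP_NAMES), mask.bit_length())
              if mask >> i & 1]
    return ",".join(names)

def report(text):
    """Map each Cap* field to its unambiguous rendering."""
    return {field: render(mask) for field, mask in parse_status(text).items()}

if __name__ == "__main__":
    # On a live system, pass open("/proc/self/status").read() instead.
    for field, value in report(SAMPLE_STATUS).items():
        print(f"{field}: {value}")
```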
4. Why does the customer need this? (List the business requirements here)
- Prevent misinterpretation of capabilities when not aware of cap_to_text peculiarities.
- Security related features should be easy to understand and designed in a way which does not lead to misunderstanding.
5. How would the customer like to achieve this? (List the functional requirements here)
a) cap_to_text shall be changed to print "all=ep" instead of "=ep" (same for "i"). That will resolve the misunderstanding.
b) The "Bounding set" and "Ambient set" should print ":" instead of "=", (the "=" comes from cap_to_text)
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Above example output should look like this:
- capsh --print
Current: all=ep -> "all" is printed
Bounding set: all -> "all" is printed rather than every single capability
Ambient set: none -> "none" is printed rather than empty output
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
- no
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?
- no, asap
9. Is the sales team involved in this request and do they have any additional input?
- no
10. List any affected packages or components.
- libcap-2.48-2.el8.x86_64
11. Would the customer be able to assist in testing this functionality if implemented?
- yes