RHEL-1843

[RFE] Improve capabilities presentation layer for capsh --print command

    • rhel-sst-security-special-projects
    • ssg_security

      3. What is the nature and description of the request?

      • The format that is used by "capsh --print" to print capabilities is misleading (when not having read through "man cap_to_text") since it has a counter-intuitive interpretation.

      Example:

      # capsh --print |cat -n|head -3
        1 Current: =ep
        2 Bounding set = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
        3 Ambient set =

      Interpretation:

      • The "Bounding set" stands out: It has lots of capabilities.
      • Conclusion: when capabilities are here, they are clearly shown/printed
      • The "Ambient Set" is empty, "The Current" is also empty and has a "ep" annotation. That annotation will do nothing as the set is empty anyway.

      Reality:

      • All Bits are set, that means FULL capabilities.
      # cat /proc/$$/status|grep Cap |cat -n
        1 CapInh: 0000000000000000
        2 CapPrm: 000001ffffffffff
        3 CapEff: 000001ffffffffff <- here
        4 CapBnd: 000001ffffffffff
        5 CapAmb: 0000000000000000

      4. Why does the customer need this? (List the business requirements here)

      • Prevent misinterpretation of capabilities when not aware of cap_to_text peculiarities.
      • Security related features should be easy to understand and designed in a way which does not lead to misunderstanding.

      5. How would the customer like to achieve this? (List the functional requirements here)

      a) cap_to_text shall be changed to print "all=ep" instead of "=ep" (same for "i"). That will resolve the misunderstanding.
      b) The "Bounding set" and "Ambient set" should print ":" instead of "=", (the "=" comes from cap_to_text)

      6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

      Above example output should look like this:

      # capsh --print
        Current: all=ep -> "all" is printed
        Bounding set: all -> "all" is printed rather than every single capability
        Ambient set: none -> "none" is printed rather than empty output

      7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

      • no

      8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

      • no, asap

      9. Is the sales team involved in this request and do they have any additional input?

      • no

      10. List any affected packages or components.

      • libcap-2.48-2.el8.x86_64

      11. Would the customer be able to assist in testing this functionality if implemented?

      • yes
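
The gap between the "=ep" text and the /proc/$$/status masks described in this request can be checked by decoding the masks directly and printing "all" or "none" explicitly. This is an added example, not part of the ticket or of libcap: the function names are hypothetical, and the capability table assumes the 41 capabilities (bits 0 to 40) listed in the ticket's bounding set output.

```python
import re

# Capability names in kernel bit order (bit 0 first), taken from the
# "Bounding set" line quoted in this ticket: 41 names, bits 0..40 (assumed).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
    "perfmon bpf checkpoint_restore"
).split()
ALL_CAPS = (1 << len(CAP_NAMES)) - 1  # 0x1ffffffffff, as in the ticket

# The Cap* lines from the ticket's /proc/$$/status excerpt (cat -n numbers removed).
TICKET_STATUS = """\
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
"""

LABELS = {"CapInh": "Inheritable", "CapPrm": "Permitted", "CapEff": "Effective",
          "CapBnd": "Bounding set", "CapAmb": "Ambient set"}

def parse_status(text):
    """Return {field: mask} for the Cap* lines of a /proc/<pid>/status dump."""
    found = re.findall(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)", text, re.M)
    return {field: int(mask, 16) for field, mask in found}

def describe(mask):
    """Render a mask unambiguously: 'all', 'none', or the explicit names."""
    if mask == 0:
        return "none"
    if mask == ALL_CAPS:
        return "all"
    names = ["cap_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]
    # Bits beyond the known table (newer kernel) are shown, never dropped.
    names += [f"bit_{b}" for b in range(len(CAP_NAMES), mask.bit_length()) if mask >> b & 1]
    return ",".join(names)

def report(text):
    """One labelled line per capability set, in the order found in the dump."""
    return [f"{LABELS[f]}: {describe(m)}" for f, m in parse_status(text).items()]

if __name__ == "__main__":
    print("\n".join(report(TICKET_STATUS)))
```

On a live system, pass the contents of /proc/<pid>/status to report(); a kernel with a different highest capability number needs the table adjusted before "all" is meaningful.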

              ansasaki@redhat.com Anderson Sasaki
              rhn-support-pjasbuti Phil Jasbutis
              Anderson Sasaki Anderson Sasaki