BSD-style securelevel comes to Linux — again

Posted Sep 11, 2013 21:26 UTC (Wed) by geofft (subscriber, #59789)
In reply to: BSD-style securelevel comes to Linux — again by Cyberax
Parent article: BSD-style securelevel comes to Linux — again

Yeah, I'm using "capability" here in the research-literature sense, not in the Linux sense.

I think "don't provide capabilities to programs that don't need them" is so underspecified as to not be useful. Let's take the USB example -- say a process is the USB driver on some awesome microkernel architecture. Then USB 3 shows up, and something in the USB 3 spec means that several users want to be more careful about what can speak to USB 3 host controllers (maybe it interacts with power consumption), but several other users also don't care. Should the USB capability -- the ability to drive any USB 1 or 2 host controller on the system -- also grant access to a USB 3 host controller? "Yes" means that you've lost some of the security promise of a capability architecture; "no" means that the users who don't care complain about breaking userspace.

BSD-style securelevel comes to Linux — again

Posted Sep 11, 2013 22:51 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)

Nope. A USB3 controller would have its own capability, so only processes that need it would be able to get access to it.

If USB3 needs some special handling then this logic would be encapsulated in some kind of server process.

BSD-style securelevel comes to Linux — again

Posted Sep 11, 2013 23:01 UTC (Wed) by geofft (subscriber, #59789)

Yes, but now you took an OS where you could plug in a flash drive and have it work, changed hardware, and now that no longer works without modifications to userspace. By making USB3 a separate capability, you've broken userspace.

(Or so goes the argument against adding a new Linux-style capability for Secure Boot.)

BSD-style securelevel comes to Linux — again

Posted Sep 11, 2013 23:13 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)

Sure, but these modifications will be confined to policies. End-user programs won't have to be modified in any way.

BSD-style securelevel comes to Linux — again

Posted Sep 12, 2013 20:22 UTC (Thu) by zooko (subscriber, #2589)

Sigh. I wonder how much damage has been done by Linux using the word "capabilities" for their non-capabilities access control scheme?

"It seems that there is a fundamental flaw in the capability model: it is nearly impossible to add new capability bits without risking problems with applications that do not know about the new bits."

If you mean Linux's non-capabilities "capabilities", then yes! Your article succinctly explains the fundamental problem with them. If you mean real capabilities, then no! Real capability systems do not have this problem.

Blame POSIX not Linux

Posted Sep 12, 2013 22:26 UTC (Thu) by david.a.wheeler (subscriber, #72896)

The terminology problem is from POSIX, not Linux. There was a POSIX group ("POSIX Security Extensions") that defined a draft spec that used the term "capabilities" for something completely different than what many other people called capabilities. Linux implemented that draft POSIX spec, and thus uses its terminology.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds