
CAP_PERFMON — and new capabilities in general

Posted Feb 21, 2020 19:17 UTC (Fri) by smurf (subscriber, #17840)
In reply to: CAP_PERFMON — and new capabilities in general by NYKevin
Parent article: CAP_PERFMON — and new capabilities in general

The operative word is "can be". These granular privileges aren't supposed to be granted to any random user process.

The idea is that the program that's been granted the privilege needs only be careful when using that exact privilege.

As an example, a program that has "mount any filesystem" privileges needs only be careful when actually mounting a file system, but not when opening the file that's backing the data for the file system (just as a random example). Similarly, the system profiler might be allowed to profile the system, but not to overwrite /etc/shadow with the resulting data.



CAP_PERFMON — and new capabilities in general

Posted Feb 21, 2020 19:54 UTC (Fri) by smcv (subscriber, #53363)

> The idea is that the program that's been granted the privilege needs only be careful when using that exact privilege

... and when defending itself against being subverted by processes that don't have the privilege, including its parent process.

CAP_PERFMON — and new capabilities in general

Posted Mar 12, 2020 16:29 UTC (Thu) by immibis (subscriber, #105511)

I think that was his/her point - you know that any subversion has to go through the mechanism to which permission is granted, so you only need to be especially careful there. You don't need to check the output file path the parent passed to you, because you don't have any special permission to write to files that the parent process couldn't write to anyway.
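The thread's point (smurf's post and immibis's reply) is that a process granted one narrow capability such as CAP_PERFMON only needs to guard the operation that capability unlocks, because everything else it does runs with the same permissions its unprivileged parent had. That argument only holds if the process really does hold just that one capability; a "profiler" that was handed CAP_SYS_ADMIN along the way has far more to defend. The following script is an added example, not code from the LWN thread, the kernel or any profiler project. It decodes the CapEff/CapPrm/CapBnd hex masks the kernel exposes in /proc/<pid>/status and reports which capabilities a process holds beyond, or short of, the set it is expected to have. The capability bit numbers are those of include/uapi/linux/capability.h (CAP_PERFMON is bit 38, CAP_SYS_ADMIN bit 21); the two sample status excerpts are constructed for the example, not captured from a real system.

```python
"""Audit a process's Linux capability sets from /proc/<pid>/status.

Added example for the LWN discussion of CAP_PERFMON; not part of the thread
or of any kernel or profiler code. The sample status texts are constructed.
"""
import re

# Capability bit numbers as defined in include/uapi/linux/capability.h
# (bit 0 = CAP_CHOWN ... bit 38 = CAP_PERFMON, bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text):
    """Return the Cap* masks from a /proc/<pid>/status text as integers."""
    sets = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def decode_caps(mask):
    """Translate a capability bitmask into a list of capability names."""
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number, not dropped.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def audit(status_text, expected):
    """Compare the effective set with the capabilities the process should have.

    'missing' lists expected capabilities that are absent (the privileged
    operation will fail); 'extra' lists capabilities the process holds but
    should not (every code path using them now needs the same care).
    """
    eff = parse_cap_sets(status_text).get("CapEff", 0)
    have = set(decode_caps(eff))
    want = set(expected)
    return {"missing": sorted(want - have), "extra": sorted(have - want)}


def audit_pid(pid, expected):
    """Audit a live process (Linux only); pid may be an int or 'self'."""
    with open(f"/proc/{pid}/status") as f:
        return audit(f.read(), expected)


# Constructed samples: only the capability lines of /proc/<pid>/status.
# 0x4000000000 = bit 38 (CAP_PERFMON); 0x200000 = bit 21 (CAP_SYS_ADMIN).
PROFILER_MINIMAL = (
    "Name:\tprofiler\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000004000000000\n"
    "CapEff:\t0000004000000000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
PROFILER_OVERBROAD = PROFILER_MINIMAL.replace(
    "0000004000000000", "0000004000200000")


if __name__ == "__main__":
    print("minimal  :", audit(PROFILER_MINIMAL, ["CAP_PERFMON"]))
    print("overbroad:", audit(PROFILER_OVERBROAD, ["CAP_PERFMON"]))
    print("this proc:", audit_pid("self", []))
```

Run against a real profiler's pid, an empty `extra` list is what makes the "only be careful around that one mechanism" reasoning valid; if CAP_SYS_ADMIN shows up in `extra`, the process has the broad capability CAP_PERFMON was introduced to replace and the narrowing argument no longer applies.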


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds