From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <vseleznv@altlinux.org>
Date: Mon, 30 May 2022 18:24:12 +0300
From: "Vladimir D. Seleznev" <vseleznv@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Message-ID: <YpThnBjF2iWo+aDW@portlab>
References: <20220523134404.4178601-1-vseleznv@altlinux.org>
 <YpSvKHWnXA/yY+Pd@portlab>
 <20220530151125.yq4sncfwc5ns44jx@altlinux.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220530151125.yq4sncfwc5ns44jx@altlinux.org>
Subject: Re: [d-kernel] [PATCH v5] AltHa: handle setcap binaries in the same
 way as setuid ones
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
 <devel-kernel@lists.altlinux.org>
List-Id: ALT Linux kernel packages development
 <devel-kernel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel-kernel>
List-Post: <mailto:devel-kernel@lists.altlinux.org>
List-Help: <mailto:devel-kernel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Mon, 30 May 2022 15:24:13 -0000
Archived-At: <http://lore.altlinux.org/devel-kernel/YpThnBjF2iWo+aDW@portlab/>
List-Archive: <http://lore.altlinux.org/devel-kernel/>
List-Post: <mailto:devel-kernel@altlinux.org>

On Mon, May 30, 2022 at 06:11:25PM +0300, Vitaly Chikunov wrote:
> Vladimir,
> 
> On Mon, May 30, 2022 at 02:48:56PM +0300, Vladimir D. Seleznev wrote:
> > On Mon, May 23, 2022 at 01:44:04PM +0000, Vladimir D. Seleznev wrote:
> > > altha.nosuid facility controls what binaries can raise user privilleges.
> > > Prior to this commit it only handled setuid binaries, but it was still
> > > possible to raise privilleges via setcaps. Now it handles both setuid
> > > and setcap binaries.
> > > 
> > > Signed-off-by: Vladimir D. Seleznev <vseleznv@altlinux.org>
> > > ---
> > >  Documentation/admin-guide/LSM/AltHa.rst |  6 ++--
> > >  security/altha/Kconfig                  |  2 +-
> > >  security/altha/altha_lsm.c              | 47 ++++++++++++++++++++-----
> > >  3 files changed, 43 insertions(+), 12 deletions(-)
> > > 
> > 
> > Ping
> 
> What about tests?

I'm not ready to put efforts for tests at this moment. Please apply the
patch, the tests can be a future work for this module.

> ps. I also have additional thoughts about this protection concept itself.

-- 
   WBR,
   Vladimir D. Seleznev