Opened 6 years ago

Last modified 6 years ago

#7562 new defect

Reducing root's capabilities.

Reported by: cscott Owned by: cscott
Priority: normal Milestone: 9.1.0-cancelled
Component: security Version: not specified
Keywords: Cc: mstone, dsaxena
Blocked By: Blocking: #7397
Deployments affected: Action Needed: never set
Verified: no

Description

Dropping some capabilities of root in the olpcrd (init, pid 1) before the rest of the system has been started, has been mentioned as a way to avoid disabling root completely.

Change History (5)

comment:1 Changed 6 years ago by cscott

  • Cc dsaxena added

Some of the capabilities that would need to be dropped:

CAP_SYS_TIME (maybe a narrower cap would be useful)
CAP_SYS_RAWIO (to prevent working around CAP_SYS_TIME)
CAP_SYS_MODULE (to avoid rewriting the kernel)
CAP_SYS_BOOT (to disable kexec_load)

I don't have high confidence that this list is complete: it may be possible to use other root capabilities to work around the lack of the above capabilities. Hard Thinking required. But the above would be a start.

Note that removing CAP_SYS_RAWIO will probably break X, and removing CAP_SYS_BOOT may disable reboot (unless we work around it by asking the EC).

comment:2 Changed 6 years ago by cscott

These should be dropped only if security is enabled (wp and no dev key or dk).

comment:3 Changed 6 years ago by gnu

This discussion is insane. But you're playing out the script of DRM, which is that absolutely everything needs to be restricted, one step at a time to avoid disturbing the slowly heating crustaceans. Turning off root's capabilities, system-wide, has no place in a free software-based system.

comment:4 Changed 6 years ago by kimquirk

  • Milestone changed from 8.2.0 (was Update.2) to Future Release

comment:5 Changed 6 years ago by cscott

  • Milestone changed from Future Release to 9.1.0

See also #3914, which discussed protecting kernel memory only.

Note: See TracTickets for help on using tickets.