% ----------------------------
\subsubsection{Basics}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{What is a Linux Capability?}
  \begin{itemize}
    \item Syscalls
    \begin{itemize}
      \item Application Programming Interface (API) to the Kernel
      \item some syscalls require special privileges (they fail with EPERM otherwise)
    \end{itemize}
    \item User Privileges
    \begin{itemize}
      \item root (UID == 0): all privileges
      \item users (UID > 0): no privileges
    \end{itemize}
    \item Capability
    \begin{itemize}
      \item a single privilege
      \item can be raised or dropped
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{How it works}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Control Flow}
  \begin{figure}[h]
    \centering
    \includegraphics[width=8cm]{images/syscall_flow.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Types of Syscalls}
  \begin{itemize}
    \item unprivileged Syscalls:
    \begin{itemize}
      \item sys\_gethostname()
      \item sys\_read() / sys\_write()
      \item sys\_getuid() / sys\_getgid()
      \item \dots
    \end{itemize}
    \item privileged Syscalls:
    \begin{itemize}
      \item sys\_sethostname()
      \item sys\_open()
      \item sys\_setuid() / sys\_setgid()
      \item \dots
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Capabilities}
  \begin{columns}[onlytextwidth]
    \begin{column}{0.5\textwidth}
      \begin{itemize}
        \item CAP\_MKNOD
        \item CAP\_KILL
        \item CAP\_SETGID
        \item CAP\_SETUID
        \item CAP\_SETPCAP
        \item CAP\_SYS\_BOOT
        \item CAP\_SYS\_NICE
        \item CAP\_SYS\_TIME
      \end{itemize}
    \end{column}
    \begin{column}{0.5\textwidth}
      \begin{itemize}
        \item CAP\_SYS\_MODULE
        \item CAP\_SYS\_RAWIO
        \item CAP\_SYS\_PTRACE
        \item CAP\_NET\_BIND\_SERVICE
        \item CAP\_NET\_BROADCAST
        \item CAP\_NET\_RAW
        \item CAP\_SYS\_ADMIN
        \item CAP\_NET\_ADMIN
      \end{itemize}
    \end{column}
  \end{columns}
  Full list: \\
  Kernel Source: include/uapi/capability.h \\
  Distribution: /usr/include/linux/capability.h
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Process and File}
  \begin{itemize}
    \item Process/Task
    \begin{itemize}
      \item Capability bitfields in the task context:
      \begin{itemize}
        \item Permitted
        \item Effective
        \item Inheritable
      \end{itemize}
    \end{itemize}
    \item File
    \begin{itemize}
      \item Bitfields in the file's extended attributes (xattr)
      \begin{itemize}
        \item Permitted
        \item Inheritable
        \item Auto-load Effective (single bit)
      \end{itemize}
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Capability Bitfields}
  \begin{figure}[h]
    \centering
    \includegraphics[width=7cm]{images/cap_bitfields.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Capability transition during execve()}
  \begin{figure}[h]
    \centering
    \includegraphics[width=8cm]{images/cap_trans_execve.png}
  \end{figure}
\end{frame}
% ----------------------------
\subsubsection{Capabilities in Applications}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Capability Handling in Applications (libcap)}
  \begin{columns}[onlytextwidth]
    \begin{column}{0.45\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Capability Set Handling}
        \begin{tiny}
\begin{verbatim}
#include <sys/capability.h>

int list_n = 1;
cap_t caps;
cap_value_t list[list_n];

caps = cap_get_proc();
/* Capability Bitfield Modifications */
cap_set_proc(caps);
/* Continue with modified privileges */
cap_free(caps);
\end{verbatim}
        \end{tiny}
      \end{beamerboxesrounded}
    \end{column}
    \begin{column}{0.45\textwidth}
      Capability Bitfield Modifications
      \begin{beamerboxesrounded}[shadow=true]{gain (temp):}
        \begin{tiny}
\begin{verbatim}
list[0] = CAP_NET_BIND_SERVICE;
cap_set_flag(caps, CAP_EFFECTIVE, list_n, list, CAP_SET);
cap_set_proc(caps);
\end{verbatim}
        \end{tiny}
      \end{beamerboxesrounded}
      \begin{beamerboxesrounded}[shadow=true]{drop (temp):}
        \begin{tiny}
\begin{verbatim}
list[0] = CAP_NET_BIND_SERVICE;
cap_set_flag(caps, CAP_EFFECTIVE, list_n, list, CAP_CLEAR);
cap_set_proc(caps);
\end{verbatim}
        \end{tiny}
      \end{beamerboxesrounded}
      \begin{beamerboxesrounded}[shadow=true]{drop (finally):}
        \begin{tiny}
\begin{verbatim}
list[0] = CAP_NET_BIND_SERVICE;
cap_set_flag(caps, CAP_PERMITTED, list_n, list, CAP_CLEAR);
cap_set_proc(caps);
\end{verbatim}
        \end{tiny}
      \end{beamerboxesrounded}
    \end{column}
  \end{columns}
\end{frame}
%
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Capability scenario}
  Scenario for dropping capabilities in suid-root processes
  \begin{enumerate}
    \item Run the process with effective UID == 0
    \item use libcap to drop the capabilities that are not required
    \begin{itemize}
      \item effective: drop all
      \item permitted: keep only the required ones
    \end{itemize}
    \item set SEC\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS))
    \item set all UIDs to non-zero
    \item raise the capability in the effective set before calling a privileged syscall
    \item drop the capability from the effective set again after the syscall
  \end{enumerate}
\end{frame}
% ----------------------------
\subsubsection{Tooling \& Documentation}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Tooling for Capabilities}
  \begin{itemize}
    \item capsh\\
      Modify security properties of a task (including capabilities)
    \item getcap/setcap\\
      Modify file capability settings
    \item libpam-cap\\
      Preset users' inheritable capabilities during login
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Further Information about Capabilities}
  \begin{itemize}
    \item cat /proc/\textless{}pid\textgreater{}/status
    \item Man-Pages (man 7 capabilities, ff.)
    \item The Linux Programming Interface (Michael Kerrisk),\\
      ISBN 978-1-59327-220-3
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Summary}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Summary}
  \begin{itemize}
    \item A capability allows the use of a privileged syscall
    \item Task-Capabilities:
    \begin{itemize}
      \item 3 bitfields
      \item permitted, effective, inheritable
    \end{itemize}
    \item File Capabilities:
    \begin{itemize}
      \item File extended attributes
      \item 2 bitfields, 1 flag
      \item permitted, inheritable, effective (flag)
    \end{itemize}
    \item Capability transition for fork() and execve()
    \item Conclusion
    \begin{itemize}
      \item root/non-root: all or nothing
      \item Capabilities: fine-grained privileges
    \end{itemize}
  \end{itemize}
\end{frame}