Linux Capabilities Revisited

(dfir.ch)

190 points Harvesterify | 1 comments | 22 Oct 25 13:50 UTC | HN request time: 0s | source

Show context

surajrmal ◴[22 Oct 25 14:42 UTC] No.45669852[source]▶

A shared global namespace ultimately makes it very difficult to have a decent capability based security system. Namespaces limited to the set of actions you have and a hierarchy of capabilities whereby children can only be given access to capabilities their parents have is required for a sane view of how things work. Much like encapsulation makes it easier to reason about abstractions in a program, this nested hierarchy of capabilities makes it easier to reason about the privilege of various parts of the system. Instead we have soup where no one can quite reason about what has access to what.

replies(6): >>45670120 #>>45670198 #>>45670857 #>>45671117 #>>45671465 #>>45674367 #

rootnod3 ◴[22 Oct 25 14:57 UTC] No.45670120[source]▶

>>45669852 #

Even if not super fine grained, I think that OpenBSD’s pledge is really nicely done.

Next after that I’d vote for FreeBSD’s capsicum.

replies(2): >>45670403 #>>45671131 #

hypeatei ◴[22 Oct 25 15:13 UTC] No.45670403[source]▶

>>45670120 #

OpenBSDs pledge is so simple and nice to use. I really wish Linux would incorporate it. Seccomp is a nightmare to implement.

replies(2): >>45670913 #>>45672383 #

1. rootnod3 ◴[22 Oct 25 15:46 UTC] No.45670913{3}[source]▶

>>45670403 #

I'd rather have a simple coarse-grained mechanism than whatever feverdream that seccomp, selinux and apparmor are. A convoluted mess incorporating almost Turing complete languages that are just asking to shoot yourself in the foot a mile deep.

The simplicity of pledge is good enough for 99% of use-cases I'd wager AND easy to add to existing code.

↑