Design and implement sensible per-thread capabilities
It would be a good security improvement if threads could only do what they need to do.
(e.g. A thread that does not need to write to disk also has no capability to do so, etc.).
And linux capabilities are a per-thread attribute (man attributes)
This would contain at least the following subtasks:
- Define sensible capability sets for indivudial thread modules
- check out SCDropCaps() and the libcap-ng bug, which prevented this feature earlier (still there?)
- Implement mechanics to declare and set needed capabilities per thread module
- What to do if a thread changes its thread modules? Can this happen?
This maybe is a bigger change and lots of work, but I would like to do it,
so I flagged it low priority and TBD. Any thoughts on this?
And I should note: this would be linux only since capabilities are a linux feature. FreeBSD has something related called capsicum, but the library we use (libcap-ng) is linux only.
Updated by Victor Julien over 1 year ago
- Assignee changed from Community Ticket to OISF Dev
- Priority changed from Low to Normal
- Target version changed from TBD to 6.0.0beta1
When we first tried this years ago it turned out not to work, I believe due to a bug in libcap-ng. I'm hopeful we can get it to work now.