Project

General

Profile

Actions
Copy link

Feature #2375

open
RS OD

Design and implement sensible per-thread capabilities

Feature #2375: Design and implement sensible per-thread capabilities

Added by Richard Sailer over 8 years ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
9.0.0-beta1
Effort:
medium
Difficulty:
low
Label:

Description

It would be a good security improvement if threads could only do what they need to do.
(e.g. A thread that does not need to write to disk also has no capability to do so, etc.).
And linux capabilities are a per-thread attribute (man attributes)

This would contain at least the following subtasks:

  • Define sensible capability sets for indivudial thread modules
  • check out SCDropCaps() and the libcap-ng bug, which prevented this feature earlier (still there?)
  • Implement mechanics to declare and set needed capabilities per thread module
  • What to do if a thread changes its thread modules? Can this happen?

This maybe is a bigger change and lots of work, but I would like to do it,
so I flagged it low priority and TBD. Any thoughts on this?

And I should note: this would be linux only since capabilities are a linux feature. FreeBSD has something related called capsicum, but the library we use (libcap-ng) is linux only.

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #276: Libcap support for dropping privilegesNewCommunity TicketActions

RS Updated by Richard Sailer over 8 years ago Actions
Copy link
 #1

  • Description updated (diff)

RS Updated by Richard Sailer over 8 years ago Actions
Copy link
 #2

  • Description updated (diff)

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #3

Basic infra is already in place, see for example source-pfring.c

    tmm_modules[TMM_RECEIVEPFRING].cap_flags = SC_CAP_NET_ADMIN | SC_CAP_NET_RAW |
        SC_CAP_NET_BIND_SERVICE | SC_CAP_NET_BROADCAST;

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #4

  • Related to Feature #276: Libcap support for dropping privileges added

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #5

  • Assignee changed from Richard Sailer to Anonymous

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
 #6

  • Effort set to medium
  • Difficulty set to low

AH Updated by Andreas Herz about 7 years ago Actions
Copy link
 #7

  • Assignee set to Community Ticket

VJ Updated by Victor Julien over 6 years ago Actions
Copy link
 #8

  • Assignee changed from Community Ticket to OISF Dev
  • Priority changed from Low to Normal
  • Target version changed from TBD to 6.0.0beta1

When we first tried this years ago it turned out not to work, I believe due to a bug in libcap-ng. I'm hopeful we can get it to work now.

VJ Updated by Victor Julien almost 6 years ago Actions
Copy link
 #9

  • Target version changed from 6.0.0beta1 to 7.0.0-beta1

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #10

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #11

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1
Actions
Copy link

Also available in: PDF Atom