Project

General

Profile

Feature #2375

Updated by Richard Sailer over 3 years ago

It would be a good security improvement if threads only could only do what they need to do. 
 and nothing more.  
 (e.g. A thread that does not need to write to disk also has no capability to do so, etc.). 
 And linux capabilities are a per-thread attribute (man attributes) 

 This would contain at least the following subtasks:  

   * Define sensible capability sets for indivudial thread modules 
   * check out SCDropCaps() and the libcap-ng bug, which prevented this feature earlier (still there?) 
   * Implement mechanics to declare and set needed capabilities per thread module 
   * What to do if a thread changes its thread modules? Can this happen? 

 This maybe is a bigger change and lots of work, but I would like to do it, 
 so I flagged it low priority and TBD. Any thoughts on this? 

 And I should note: this would be linux only since capabilities are a linux feature. FreeBSD has something related called capsicum, but the library we use (libcap-ng) is linux only.

Back