[cap-talk] Concerning entry "ambient authority" in Wikipedia

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Jun 10 17:02:13 EDT 2009


Marcus Brinkmann wrote:
> David-Sarah Hopwood wrote:
>> Undeniable authorities. They are not capabilities, nor are they accessed
>> via capabilities.
> 
> This does not appear to be true, as is easily demonstrated.  The capability
> name space is the interrupt vector, and the UNIX capability is capability
> number 0x80 by convention.  The messages are marshalled in registers and
> memory buffers, and the send+receive instruction is "int CAP" where CAP is the
> capability name.
> 
> This capability can be intercepted and denied by using the ptrace interface,
> as is done by programs such as strace, fakeroot or faketime (20 lines of code
> for the latter).

ptrace is not part of the traditional Unix security model. In the original
design, kernel calls were universally available primitives. If you add the
facility to intercept kernel calls in a way that supports process isolation,
then you can potentially implement a capability system in terms of that
(this is almost a triviality; it applies to essentially any system with an
interceptable kernel interface in which user processes can only affect each
other via the kernel).

However, an instance of a Unix system that is not *in fact* intercepting
kernel calls in such a way as to implement capability rules -- even if the
facilities to do so are in principle available -- is not a capability
system, and in that case its authorities are not being accessed via
capabilities.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
