Capability Inheritance Algorithm

Next: Capability-Based System Boot Monitor Up: LinSec Capability Model Previous: Global Bounds Contents

Capability Inheritance Algorithm

LinSec Capability Inheritance Algorithm is used to compute process capabilities and it builds on the algorithm existing in the Linux kernel, as part of the Process Capabilities support.

Capability Inheritance Algorithm implemented in Linux kernel has three steps (quoted from fs/exec.c where it is implemented):

      pI' = pI
(***) pP' = (fP & X) | (fI & pI)
      pE' = pP' & fE          [NB. fE is 0 or ~0]

I=Inheritable, P=Permitted, E=Effective // p=process, f=file
' indicates post-exec(), and X is the global 'cap_bset'.

As there is no support for executable file capabilities in existing Linux kernel, the variables in the algorithm corresponding to them are hardcoded as either maximal possible (for superuser processes) or as zero (for non superuser processes). This causes the resulting effective capability set to be either full capability set (for the superuser owned processes) or empty one (for non superuser owned processes).

The LinSec specific algorithm also has three steps and is an evolved version of the above, Linux implemented, algorithm:

$pI^\star = pI$
$pP^\star = (fF \vert (fA \& (pI^\star \vert uP^\circ))) \& uB \& gB$
$pE^\star = (pP^\star \& fE)$

Where:

pI, pE and pP are user capability sets as specified in Subsection 4.2.5.
$pI^\star$ , $pP^\star$ and $pE^\star$ are capability sets that replace pI, pP and pE respectively for the current process after the execution of the algorithm.
fA, fF and fE are the executable file's capability sets as specified in Subsection 4.2.4.
$uP^\circ$ is user permitted set obtained by the formula: $uP^\circ = uP \vert \gamma_{m}P \vert ... \vert \gamma_{n}P$ , where uP is user permitted capability set as specified in Subsection 4.2.6 and $\gamma_{m}P$ to $\gamma_{n}P$ are capability sets representing capability groups the users is a member of as specified in Subsection 4.2.6.
uB is user bounding capability set as specified in Subsection 4.2.5.
gB is global bounding set as specified in Subsection 4.2.8.

The first step of the LinSec algorithm is left unchanged (from the Linux implementation) as neither User Capabilities or Executable File Capabilities are designed to affect a process' inheritable capability set.

The second step has suffered most alterations. The thinking behind computing the new permitted ( $pP^\star$ ) capability set is (starting by the innermost brackets):

$pP^\star$ needs to reflect both the capabilities inherited from the existing process (dictated by POSIX 1003.6) and capabilities contained in permitted capability set of the process owner (to reflect privileges of the user), but
only to the extent allowed for the newly executed binary (logical AND with fA), to ensure least privilege principle is followed.
However, $pP^\star$ needs to contain capabilities necessary for the executed binary to perform its task correctly (logical OR with fF).
Finally, no capabilities representing privileges that would exceed maximum allowed for the process owner (uB) or for the system as a whole (gB) must be included in $pP^\star$ .

The third step ensures that the process has, in its effective capability set, all capabilities needed by the newly executed binary to perform its task (fE) that it is allowed to have (logical AND with $pP^\star$ ).

The algorithm (Subsection 4.2.7) is triggered by two system events in LinSec capability model implementation:

Current process executes a binary (both in Linux and LinSec capability model implementations), and
Process changes ownership (uid) (in LinSec capability model implementation only).

In the former case, the algorithm is invoked to reflect capabilities of the new program that is being started while in the latter case, it is used to reflect capabilities of the new process owner.

Next: Capability-Based System Boot Monitor Up: LinSec Capability Model Previous: Global Bounds Contents