More precisely, are there any operations for which more than one capability could be used to give a process the necessary permissions?
Answer
The short answer is yes.
I would say the overarching model is that each operation is guarded by a single capability. However, there are certainly exceptions. At a glance through the kernel/ directory, I quickly found one example: the usermodehelper sysctl handler requires both the CAP_SETPCAP and CAP_SYS_MODULE capabilities in order to update its settings.
Another factor to consider: capability checks are sprinkled throughout the kernel code, including numerous drivers. A driver writer can choose to check for capabilities in whatever way they deem best so there could well be one that requires the caller to hold multiple capabilities.
Finally, there are numerous other cases where a single operation might potentially use more than a single capability even though it fundamentally requires only one. For example, consider a system call that requires a capability as a base but also takes a pathname argument for some operation. I found one example: the prctl system call with option PR_SET_MM and sub-option PR_SET_MM_EXE_FILE. This call requires CAP_SYS_RESOURCE foundationally. However, it also requires certain permissions to the file. If the calling user doesn't have the right credentials to access the file, that permission can be overridden if the caller has the CAP_DAC_OVERRIDE capability.