Description
Perl doesn't provide a handy out-of-the-box mechanism for showing/testing/setting Linux capabilities [1,2], which are hugely relevant to containerised environments (e.g. docker/kubernetes[3,4]/openstack), but may also become more relevant to standard Linux (and other) systems in the future.
At least to start with, this issue is intended as a placeholder for discussion.
On CPAN
CPAN provides at least one module, Linux::Capabilities, but it might be nice to have some functionality baked in by default.
Sample use cases
- An application intended for containerised deployment could test whether it has the capabilities necessary for its functionality, and provide more meaningful diagnostic messages in the event that it does not have all necessary capabilities. The application could also modify its behaviour if useful-to-have-but-not-essential capabilities were not present.
- If file capabilities are used instead of traditional suid/sgid bits, a perl script could better understand what privileged operations it can and cannot do, rather than just blindly trying stuff. (Or the other way around, any script that currently does `die unless ($UID == 0)` to check for elevated privileges before proceeding will not run, even if it actually has the capabilities it needs.)
- An application that can modify its Inheritable set can launch child processes that have fewer capabilities than the parent. (Note: Documentation mostly talks about execve calls here, but a quick grep of perl source only finds execv and execvp. Not sure to what extent that is important or not.)
Possible actions
- Modify Perlsec.pod to mention capabilities, even if no functionality is added to core?
- Add functionality to query/test the current capability sets for the running process
- Add functionality for easy manipulation/lookup of capability constants etc
- Add functionality to set capabilities (c.f. setcap)
- Add functionality to support querying file capabilities
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2] https://k3a.me/linux-capabilities-in-a-nutshell/
[3] https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
[4] https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
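
The first two use cases above can be approximated today in plain Perl by decoding the `Cap*` bitmask lines of `/proc/self/status`. The following is an added example, not code from this issue, from Perl core or from Linux::Capabilities. The helper names `parse_cap_sets` and `has_cap` are hypothetical, the sample status text is constructed, and the bit numbers are those defined in `<linux/capability.h>`.

```perl
use strict;
use warnings;

# Bit numbers from <linux/capability.h>; only the ones this example checks.
my %CAP = (CAP_CHOWN => 0, CAP_NET_BIND_SERVICE => 10, CAP_NET_RAW => 13, CAP_SYS_ADMIN => 21);

# Parse the Cap* lines of a /proc/<pid>/status text into
# { CapEff => [low32, high32], ... }. Splitting the 64-bit hex mask into
# 32-bit halves keeps hex() portable to perls without 64-bit integers.
sub parse_cap_sets {
    my ($status) = @_;
    my %sets;
    while ($status =~ /^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]{16})\s*$/mg) {
        $sets{$1} = [ hex(substr($2, 8, 8)), hex(substr($2, 0, 8)) ];
    }
    return \%sets;
}

# True if capability $name is raised in set $set (default: the effective set).
sub has_cap {
    my ($sets, $name, $set) = @_;
    my $bit  = $CAP{$name} // die "unknown capability $name\n";
    my $mask = $sets->{ $set // 'CapEff' } or die "capability set not found in status text\n";
    my ($lo, $hi) = @$mask;
    return $bit < 32 ? ($lo >> $bit) & 1 : ($hi >> ($bit - 32)) & 1;
}

# Constructed sample: a non-root process holding only CAP_NET_BIND_SERVICE.
my $sample = <<'END';
Uid:    1000    1000    1000    1000
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
END

# Prefer the live process status on Linux; fall back to the constructed sample.
my $status = $sample;
if (open my $fh, '<', '/proc/self/status') { local $/; $status = <$fh>; }
my $sets = parse_cap_sets($status);
for my $name (sort keys %CAP) {
    printf "%-22s %s\n", $name, has_cap($sets, $name) ? 'effective' : 'missing';
}
# Capability-based replacement for a `die unless ($UID == 0)` style check.
has_cap($sets, 'CAP_NET_BIND_SERVICE')
    or warn "missing CAP_NET_BIND_SERVICE: cannot bind privileged ports\n";
```

This only reads the process's capability sets; changing them or querying file capabilities needs the capset(2) syscall or the `security.capability` extended attribute, which is where core or module support would come in.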