The first attempt at running cryptohome as a non-root user (issue 741786) failed (issue 764540) because cryptohome actually needs to be root to write to /proc/sys/vm/drop_caches, and this cannot be covered with capabilities.
The initial approach considered a kernel change that would allow writing to sysctl files when having CAP_SYS_ADMIN. However, there are concerns with this approach, since other sysctls are controlled by CAP_NET_ADMIN, and because many of these values are not necessarily namespace-aware.
While the suggested approach would prevent processes in non-root namespaces from modifying the sysctl files, other sandboxing configurations would have access to all sysctl files.
Suggestion: this might be the first thing that gets peeled off cryptohome: making sure caches get dropped.
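To make the permission problem in the description concrete, here is a simplified Python model of how the kernel decides whether a process may write a /proc/sys entry. This is an added illustration, not code from the issue, from cryptohome or from the kernel: it mirrors the shape of the procfs sysctl permission check (a plain DAC check against root ownership, with a separate CAP_NET_ADMIN path for net sysctls) as the author of this example understands it, and that reading of the kernel logic is an assumption. The entries, modes, uids and capability sets below are constructed sample values; the `sys_admin_is_root` flag models the CAP_SYS_ADMIN kernel change discussed above and is off by default.

```python
"""Simplified model of the Linux procfs sysctl permission check.

Added illustration for this issue; not kernel or cryptohome code. The
structure follows fs/proc/proc_sysctl.c test_perm() and
net/sysctl_net.c net_ctl_permissions() as understood by the author of
this example (an assumption, not a citation).
"""
from dataclasses import dataclass
from typing import FrozenSet

MAY_WRITE = 0o2
MAY_READ = 0o4
CAP_NET_ADMIN = "CAP_NET_ADMIN"
CAP_SYS_ADMIN = "CAP_SYS_ADMIN"
CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"


@dataclass(frozen=True)
class Proc:
    euid: int
    egids: FrozenSet[int]
    caps: FrozenSet[str] = frozenset()  # effective capabilities


@dataclass(frozen=True)
class Sysctl:
    path: str
    mode: int          # permission bits of the /proc/sys entry
    net: bool = False  # per-network-namespace table under /proc/sys/net


def effective_mode(entry: Sysctl, proc: Proc, sys_admin_is_root: bool = False) -> int:
    """Mode bits the DAC check will use.

    Net sysctls grant a CAP_NET_ADMIN holder the owner's bits in all three
    slots. The proposed change (treat CAP_SYS_ADMIN like root for every
    sysctl) is modelled by sys_admin_is_root, which is off by default.
    """
    owner = (entry.mode >> 6) & 7
    if entry.net and CAP_NET_ADMIN in proc.caps:
        return (owner << 6) | (owner << 3) | owner
    if sys_admin_is_root and CAP_SYS_ADMIN in proc.caps:
        return (owner << 6) | (owner << 3) | owner
    return entry.mode


def sysctl_perm(entry: Sysctl, proc: Proc, op: int, sys_admin_is_root: bool = False) -> bool:
    """True if `op` (MAY_READ / MAY_WRITE) is permitted.

    Only euid and egids are consulted: this is why file capabilities do not
    help. Even CAP_DAC_OVERRIDE, which bypasses DAC on ordinary files, is
    not part of this path.
    """
    mode = effective_mode(entry, proc, sys_admin_is_root)
    if proc.euid == 0:
        mode >>= 6
    elif 0 in proc.egids:
        mode >>= 3
    return (op & ~mode & 0o7) == 0


def can_write(entry: Sysctl, proc: Proc, **kw) -> bool:
    return sysctl_perm(entry, proc, MAY_WRITE, **kw)


# Constructed sample entries: drop_caches is 0200 (root write-only) on a
# typical host; ip_forward is a 0644 net sysctl.
DROP_CACHES = Sysctl("/proc/sys/vm/drop_caches", 0o200)
IP_FORWARD = Sysctl("/proc/sys/net/ipv4/ip_forward", 0o644, net=True)

# Constructed sample processes: real root, and a non-root daemon that was
# given a generous set of capabilities in the hope they would substitute.
ROOT = Proc(euid=0, egids=frozenset({0}))
DAEMON = Proc(euid=1000, egids=frozenset({1000}),
              caps=frozenset({CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_NET_ADMIN}))

if __name__ == "__main__":
    print("root -> drop_caches:", can_write(DROP_CACHES, ROOT))        # True
    print("daemon -> drop_caches:", can_write(DROP_CACHES, DAEMON))    # False
    print("daemon -> ip_forward:", can_write(IP_FORWARD, DAEMON))      # True
    print("daemon -> drop_caches (CAP_SYS_ADMIN proposal):",
          can_write(DROP_CACHES, DAEMON, sys_admin_is_root=True))      # True
```

The last line shows the concern raised in the description: once CAP_SYS_ADMIN is treated as root for sysctls, a sandboxed process holding that capability can write every non-net sysctl, not just drop_caches, which is why splitting the cache-drop step into a separate privileged helper is the lower-risk option.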
Comment 1 by jorgelo@chromium.org, Sep 26 2017
Labels: -Type-Bug Type-Feature