From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mimi Zohar Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces Date: Fri, 14 Jul 2017 16:03:39 -0400 Message-ID: <1500062619.3583.71.camel@linux.vnet.ibm.com> References: <87y3rscz9j.fsf@xmission.com> <20170713164012.brj2flnkaaks2oci@thunk.org> <87k23cb6os.fsf@xmission.com> <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com> <87bmoo8bxb.fsf@xmission.com> <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> <87h8yf7szd.fsf@xmission.com> <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> <20170714133437.GA16737@mail.hallyn.com> <596f808b-e21d-8296-5fef-23c1ce7ab778@linux.vnet.ibm.com> <20170714173556.GA19669@mail.hallyn.com> <1500058090.3583.28.camel@linux.vnet.ibm.com> <1500058362.2853.28.camel@HansenPartnership.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: In-Reply-To: <1500058362.2853.28.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: James Bottomley , "Serge E. Hallyn" , Stefan Berger , Mimi Zohar Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, "Eric W. Biederman" , casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org, Theodore Ts'o , lkp-JC7UmRfGjtg@public.gmane.org List-Id: containers.vger.kernel.org T24gRnJpLCAyMDE3LTA3LTE0IGF0IDExOjUyIC0wNzAwLCBKYW1lcyBCb3R0b21sZXkgd3JvdGU6 Cj4gT24gRnJpLCAyMDE3LTA3LTE0IGF0IDE0OjQ4IC0wNDAwLCBNaW1pIFpvaGFyIHdyb3RlOgo+ ID4gVGhlIGNvbmNlcm4gaXMgd2l0aCBhIHNoYXJlZCBmaWxlc3lzdGVtcy4gwqBJbiB0aGF0IGNh c2UsIGZvciBJTUEgaXQKPiA+IHdvdWxkIG1ha2Ugc2Vuc2UgdG8gc3VwcG9ydCBhIG5hdGl2ZSBh bmQgYSBuYW1lc3BhY2UgeGF0dHIuIMKgSWYgZHVlCj4gPiB0byB4YXR0ciBzcGFjZSBsaW1pdGF0 aW9ucyB3ZSBoYXZlIHRvIGxpbWl0IHRoZSBudW1iZXIgb2YgeGF0dHJzLAo+ID4gdGhlbiB3ZSBz aG91bGQgbGltaXQgaXQgdG8gdHdvIC0gYSBuYXRpdmUgYW5kIGEgbmFtZXNwYWNlIHZlcnNpb24s Cj4gPiB3aXRoIGEgInVpZD0iIHRhZyAtIGZpcnN0IG5hbWVzcGFjZSBnZXRzIHBlcm1pc3Npb24g dG8gd3JpdGUgdGhlCj4gPiBuYW1lc3BhY2UgeGF0dHIuIMKgQWdhaW4sIGxpa2UgaW4gdGhlIGxh eWVyZWQgY2FzZSwgaWYgdGhlIG5hbWVzcGFjZQo+ID4geGF0dHIgZG9lc24ndCBleGlzdCwgZmFs bCBiYWNrIHRvIHVzaW5nIHRoZSBuYXRpdmUgeGF0dHIuCj4gCj4gSnVzdCBvbiB0aGlzIHBvaW50 OiBpZiB3ZSdyZSByZWFsbHkgY29uY2VybmVkIGFib3V0IHRoZSBuZWVkIG9uIHNoYXJlZAo+IGZp bGVzeXN0ZW1zIHRvIGhhdmUgbXVsdGlwbGUgSU1BIHNpZ25hdHVyZXMgcGVyIGZpbGUsIG1pZ2h0 IGl0IG5vdCBtYWtlCj4gc2Vuc2Ugc2ltcGx5IHRvIHN1cHBvcnQgbXVsdGlwbGUgc2lnbmF0dXJl cyB3aXRoaW4gdGhlIHNlY3VyaXR5LmltYQo+IHhhdHRyPyBUaGUgcnVsZXMgZm9yIHdyaXRpbmcg c2lnbmF0dXJlIHVwZGF0ZXMgd2l0aGluIHVzZXIgbmFtZXNwYWNlcwo+IHdvdWxkIGJlIHNvbWV3 aGF0IGNvbXBsZXggKHNheSBvbmx5IGFibGUgdG8gcmVwbGFjZSBhIHNpZ25hdHVyZSBmb3IKPiB3 aGljaCB5b3UgZGVtb25zdHJhdGUgeW91IHBvc3Nlc3MgdGhlIGtleSkgYnV0IGl0IHdvdWxkIGxl YWQgdG8gYW4KPiBpbXBsZW1lbnRhdGlvbiB3aGljaCB3b3VsZCB3b3JrIGZvciB0cmFkaXRpb25h bCBzaGFyZWQgZmlsZXN5c3RlbXMKPiAobGlrZSBORlMpIGFzIHdlbGwgYXMgY29udGFpbmVyaXNl ZCBiaW5kIG1vdW50cy4KCldyaXRpbmcgc2VjdXJpdHkuaW1hIHJlcXVpcmVzIGJlaW5nIHJvb3Qg d2l0aCBDQVBfU1lTX0FETUlOCnByaXZpbGVnZXMuIMKgSSB3b3VsZG4ndCB3YW50IHRvIGdpdmUg cm9vdCB3aXRoaW4gdGhlIG5hbWVzcGFjZQpwZXJtaXNzaW9uIHRvIG92ZXIgd3JpdGUgb3IganVz dCBleHRlbmQgdGhlIG5hdGl2ZSBzZWN1cml0eS5pbWEuCgpNaW1pCgpfX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwpDb250YWluZXJzIG1haWxpbmcgbGlzdApD b250YWluZXJzQGxpc3RzLmxpbnV4LWZvdW5kYXRpb24ub3JnCmh0dHBzOi8vbGlzdHMubGludXhm b3VuZGF0aW9uLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2NvbnRhaW5lcnM= From mboxrd@z Thu Jan 1 00:00:00 1970 From: zohar@linux.vnet.ibm.com (Mimi Zohar) Date: Fri, 14 Jul 2017 16:03:39 -0400 Subject: [PATCH v2] xattr: Enable security.capability in user namespaces In-Reply-To: <1500058362.2853.28.camel@HansenPartnership.com> References: <87y3rscz9j.fsf@xmission.com> <20170713164012.brj2flnkaaks2oci@thunk.org> <87k23cb6os.fsf@xmission.com> <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com> <87bmoo8bxb.fsf@xmission.com> <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> <87h8yf7szd.fsf@xmission.com> <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> <20170714133437.GA16737@mail.hallyn.com> <596f808b-e21d-8296-5fef-23c1ce7ab778@linux.vnet.ibm.com> <20170714173556.GA19669@mail.hallyn.com> <1500058090.3583.28.camel@linux.vnet.ibm.com> <1500058362.2853.28.camel@HansenPartnership.com> Message-ID: <1500062619.3583.71.camel@linux.vnet.ibm.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > The concern is with a shared filesystems. ?In that case, for IMA it > > would make sense to support a native and a namespace xattr. ?If due > > to xattr space limitations we have to limit the number of xattrs, > > then we should limit it to two - a native and a namespace version, > > with a "uid=" tag - first namespace gets permission to write the > > namespace xattr. ?Again, like in the layered case, if the namespace > > xattr doesn't exist, fall back to using the native xattr. > > Just on this point: if we're really concerned about the need on shared > filesystems to have multiple IMA signatures per file, might it not make > sense simply to support multiple signatures within the security.ima > xattr? The rules for writing signature updates within user namespaces > would be somewhat complex (say only able to replace a signature for > which you demonstrate you possess the key) but it would lead to an > implementation which would work for traditional shared filesystems > (like NFS) as well as containerised bind mounts. Writing security.ima requires being root with CAP_SYS_ADMIN privileges. ?I wouldn't want to give root within the namespace permission to over write or just extend the native security.ima. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: multipart/mixed; boundary="===============4933491019028647262==" MIME-Version: 1.0 From: Mimi Zohar To: lkp@lists.01.org Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces Date: Fri, 14 Jul 2017 16:03:39 -0400 Message-ID: <1500062619.3583.71.camel@linux.vnet.ibm.com> In-Reply-To: <1500058362.2853.28.camel@HansenPartnership.com> List-Id: --===============4933491019028647262== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > The concern is with a shared filesystems. =C2=A0In that case, for IMA it > > would make sense to support a native and a namespace xattr. =C2=A0If due > > to xattr space limitations we have to limit the number of xattrs, > > then we should limit it to two - a native and a namespace version, > > with a "uid=3D" tag - first namespace gets permission to write the > > namespace xattr. =C2=A0Again, like in the layered case, if the namespace > > xattr doesn't exist, fall back to using the native xattr. > = > Just on this point: if we're really concerned about the need on shared > filesystems to have multiple IMA signatures per file, might it not make > sense simply to support multiple signatures within the security.ima > xattr? The rules for writing signature updates within user namespaces > would be somewhat complex (say only able to replace a signature for > which you demonstrate you possess the key) but it would lead to an > implementation which would work for traditional shared filesystems > (like NFS) as well as containerised bind mounts. Writing security.ima requires being root with CAP_SYS_ADMIN privileges. =C2=A0I wouldn't want to give root within the namespace permission to over write or just extend the native security.ima. Mimi --===============4933491019028647262==-- From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751152AbdGNUDy (ORCPT ); Fri, 14 Jul 2017 16:03:54 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:48401 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751081AbdGNUDx (ORCPT ); Fri, 14 Jul 2017 16:03:53 -0400 Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces From: Mimi Zohar To: James Bottomley , "Serge E. Hallyn" , Stefan Berger , Mimi Zohar Cc: "Eric W. Biederman" , "Theodore Ts'o" , containers@lists.linux-foundation.org, lkp@01.org, linux-kernel@vger.kernel.org, tycho@docker.com, vgoyal@redhat.com, christian.brauner@mailbox.org, amir73il@gmail.com, linux-security-module@vger.kernel.org, casey@schaufler-ca.com Date: Fri, 14 Jul 2017 16:03:39 -0400 In-Reply-To: <1500058362.2853.28.camel@HansenPartnership.com> References: <87y3rscz9j.fsf@xmission.com> <20170713164012.brj2flnkaaks2oci@thunk.org> <87k23cb6os.fsf@xmission.com> <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com> <87bmoo8bxb.fsf@xmission.com> <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> <87h8yf7szd.fsf@xmission.com> <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> <20170714133437.GA16737@mail.hallyn.com> <596f808b-e21d-8296-5fef-23c1ce7ab778@linux.vnet.ibm.com> <20170714173556.GA19669@mail.hallyn.com> <1500058090.3583.28.camel@linux.vnet.ibm.com> <1500058362.2853.28.camel@HansenPartnership.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-MML: disable x-cbid: 17071420-0012-0000-0000-0000025718BD X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17071420-0013-0000-0000-00000770AC79 Message-Id: <1500062619.3583.71.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-07-14_13:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707140316 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > The concern is with a shared filesystems.  In that case, for IMA it > > would make sense to support a native and a namespace xattr.  If due > > to xattr space limitations we have to limit the number of xattrs, > > then we should limit it to two - a native and a namespace version, > > with a "uid=" tag - first namespace gets permission to write the > > namespace xattr.  Again, like in the layered case, if the namespace > > xattr doesn't exist, fall back to using the native xattr. > > Just on this point: if we're really concerned about the need on shared > filesystems to have multiple IMA signatures per file, might it not make > sense simply to support multiple signatures within the security.ima > xattr? The rules for writing signature updates within user namespaces > would be somewhat complex (say only able to replace a signature for > which you demonstrate you possess the key) but it would lead to an > implementation which would work for traditional shared filesystems > (like NFS) as well as containerised bind mounts. Writing security.ima requires being root with CAP_SYS_ADMIN privileges.  I wouldn't want to give root within the namespace permission to over write or just extend the native security.ima. Mimi