From: Andrew Morton <akpm@linux-foundation.org>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Kees Cook <kees.cook@canonical.com>,
containers@lists.linux-foundation.org,
kernel list <linux-kernel@vger.kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
xemul@parallels.com, dhowells@redhat.com
Subject: Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
Date: Fri, 18 Feb 2011 15:59:18 -0800 [thread overview]
Message-ID: <20110218155918.53f4e0a9.akpm@linux-foundation.org> (raw)
In-Reply-To: <20110217150306.GB26395@mail.hallyn.com>
On Thu, 17 Feb 2011 15:03:06 +0000
"Serge E. Hallyn" <serge@hallyn.com> wrote:
> - Introduce ns_capable to test for a capability in a non-default
> user namespace.
> - Teach cap_capable to handle capabilities in a non-default
> user namespace.
>
> The motivation is to get to the unprivileged creation of new
> namespaces. It looks like this gets us 90% of the way there, with
> only potential uid confusion issues left.
>
> I still need to handle getting all caps after creation but otherwise I
> think I have a good starter patch that achieves all of your goals.
>
>
> ...
>
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -544,7 +544,7 @@ extern const kernel_cap_t __cap_init_eff_set;
> *
> * Note that this does not set PF_SUPERPRIV on the task.
> */
> -#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
> +#define has_capability(t, cap) (security_real_capable((t), &init_user_ns, (cap)) == 0)
>
> /**
> * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
> @@ -558,9 +558,15 @@ extern const kernel_cap_t __cap_init_eff_set;
> * Note that this does not set PF_SUPERPRIV on the task.
> */
> #define has_capability_noaudit(t, cap) \
> - (security_real_capable_noaudit((t), (cap)) == 0)
> + (security_real_capable_noaudit((t), &init_user_ns, (cap)) == 0)
>
> +struct user_namespace;
> +extern struct user_namespace init_user_ns;
Two icky-should-be-written-in-C macros which reference init_user_ns,
followed by the declaration of init_user_ns and its type. Declarations
which duplicate those in other header files. It's ripe for some
upcleaning, methinks?
Also, please ensure that the forward struct declarations are all at
top-of-file (as in include/linux/security.h). Otherwise we can end up
accumulating multiple forward declarations of the same thing in the one
file.
> extern int capable(int cap);
> +extern int ns_capable(struct user_namespace *ns, int cap);
> +extern int task_ns_capable(struct task_struct *t, int cap);
> +
> +#define nsown_capable(cap) (ns_capable(current_user_ns(), (cap)))
macroitis!
> @@ -301,15 +302,42 @@ error:
> */
> int capable(int cap)
> {
> + return ns_capable(&init_user_ns, cap);
> +}
> +EXPORT_SYMBOL(capable);
> +
> +/**
> + * ns_capable - Determine if the current task has a superior capability in effect
> + * @ns: The usernamespace we want the capability in
> + * @cap: The capability to be tested for
> + *
> + * Return true if the current task has the given superior capability currently
> + * available for use, false if not.
Actually it doesn't return true or false - it returns 1 or 0. Using a
`bool' return type would fix the comment :)
> + * This sets PF_SUPERPRIV on the task if the capability is available on the
> + * assumption that it's about to be used.
> + */
> +int ns_capable(struct user_namespace *ns, int cap)
> +{
> if (unlikely(!cap_valid(cap))) {
> printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
> BUG();
> }
>
> - if (security_capable(current_cred(), cap) == 0) {
> + if (security_capable(ns, current_cred(), cap) == 0) {
> current->flags |= PF_SUPERPRIV;
> return 1;
> }
> return 0;
> }
> -EXPORT_SYMBOL(capable);
> +EXPORT_SYMBOL(ns_capable);
> +
> +/*
> + * does current have capability 'cap' to the user namespace of task
> + * 't'. Return true if it does, false otherwise.
> + */
Other comments were kerneldocified.
> +int task_ns_capable(struct task_struct *t, int cap)
> +{
> + return ns_capable(task_cred_xxx(t, user)->user_ns, cap);
> +}
> +EXPORT_SYMBOL(task_ns_capable);
Could return bool.
>
> ...
>
> +int cap_capable(struct task_struct *tsk, const struct cred *cred,
> + struct user_namespace *targ_ns, int cap, int audit)
> {
> - return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
> + for (;;) {
> + /* The creator of the user namespace has all caps. */
> + if (targ_ns != &init_user_ns && targ_ns->creator == cred->user)
> + return 0;
> +
> + /* Do we have the necessary capabilities? */
> + if (targ_ns == cred->user->user_ns)
> + return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
> +
> + /* Have we tried all of the parent namespaces? */
> + if (targ_ns == &init_user_ns)
> + return -EPERM;
> +
> + /* If you have the capability in a parent user ns you have it
> + * in the over all children user namespaces as well, so see
> + * if this process has the capability in the parent user
> + * namespace.
> + */
> + targ_ns = targ_ns->creator->user_ns;
> + }
> +
> + /* We never get here */
> + return -EPERM;
So delete the code? Or does the compiler warn? If so, it's pretty busted.
> }
>
> /**
>
> ...
>
next prev parent reply other threads:[~2011-02-19 0:00 UTC|newest]
Thread overview: 135+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-17 15:02 userns: targeted capabilities v5 Serge E. Hallyn
2011-02-17 15:02 ` [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-02-18 3:31 ` Eric W. Biederman
2011-02-18 16:57 ` Daniel Lezcano
[not found] ` <20110217150257.GA26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:31 ` Eric W. Biederman
2011-02-18 16:57 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 17:16 ` David Howells
2011-02-18 23:59 ` Andrew Morton
2011-02-23 17:16 ` David Howells
2011-02-23 21:21 ` Eric W. Biederman
2011-02-23 23:19 ` David Howells
[not found] ` <8559.1298503148-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 23:54 ` Eric W. Biederman
2011-02-23 23:54 ` Eric W. Biederman
[not found] ` <3139.1298481393-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 21:21 ` Eric W. Biederman
[not found] ` <m1lj16ih0n.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 23:19 ` David Howells
2011-02-17 15:03 ` [PATCH 2/9] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-02-18 3:46 ` Eric W. Biederman
2011-02-18 23:44 ` Daniel Lezcano
[not found] ` <20110217150306.GB26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:46 ` Eric W. Biederman
2011-02-18 23:44 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 11:40 ` David Howells
2011-02-23 16:59 ` David Howells
2011-02-18 23:59 ` Andrew Morton [this message]
2011-02-23 11:40 ` David Howells
2011-02-23 12:01 ` David Howells
2011-02-23 13:43 ` Serge E. Hallyn
[not found] ` <29617.1298462517-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 13:43 ` Serge E. Hallyn
2011-02-23 16:59 ` David Howells
2011-02-17 15:03 ` [PATCH 3/9] allow sethostname in a container Serge E. Hallyn
2011-02-18 3:05 ` Eric W. Biederman
2011-02-18 23:46 ` Daniel Lezcano
[not found] ` <20110217150316.GC26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:05 ` Eric W. Biederman
2011-02-18 23:46 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 4/9] allow killing tasks in your own or child userns Serge E. Hallyn
2011-02-18 3:00 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110218155921.440f1137.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 0:48 ` Serge E. Hallyn
2011-02-24 0:48 ` Serge E. Hallyn
[not found] ` <20110224004818.GA11822-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:54 ` Andrew Morton
2011-02-24 0:54 ` Andrew Morton
[not found] ` <20110217150325.GD26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:00 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 10:55 ` Daniel Lezcano
2011-02-19 10:55 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
[not found] ` <20110217150333.GE26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 2:59 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:49 ` Daniel Lezcano
2011-02-23 17:05 ` David Howells
2011-02-23 17:11 ` David Howells
2011-02-18 2:59 ` Eric W. Biederman
[not found] ` <m1aahu9hea.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-18 4:36 ` Serge E. Hallyn
2011-02-18 4:36 ` Serge E. Hallyn
2011-02-24 0:49 ` [PATCH] userns: ptrace: incorporate feedback from Eric Serge E. Hallyn
[not found] ` <20110224004901.GB11822-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:56 ` Andrew Morton
2011-02-24 0:56 ` Andrew Morton
[not found] ` <20110223165651.cf248f3b.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 3:15 ` Serge E. Hallyn
2011-02-24 3:15 ` Serge E. Hallyn
[not found] ` <20110218043601.GB9584-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:49 ` Serge E. Hallyn
2011-02-18 23:59 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Andrew Morton
[not found] ` <20110218155925.f7d30a52.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 0:43 ` Serge E. Hallyn
2011-02-24 0:43 ` Serge E. Hallyn
2011-02-19 17:49 ` Daniel Lezcano
2011-02-23 17:05 ` David Howells
2011-02-23 17:11 ` David Howells
2011-02-17 15:03 ` [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-02-18 1:57 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110217150342.GF26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:57 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 0:01 ` Andrew Morton
2011-02-19 17:52 ` Daniel Lezcano
2011-02-19 0:01 ` Andrew Morton
2011-02-19 17:52 ` Daniel Lezcano
[not found] ` <20110217150224.GA26334-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-17 15:02 ` [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 2/9] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 3/9] allow sethostname in a container Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 4/9] allow killing tasks in your own or child userns Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 7/9] add a user namespace owner of ipc ns Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 8/9] user namespaces: convert several capable() calls Serge E. Hallyn
2011-02-17 15:04 ` [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks Serge E. Hallyn
2011-02-18 0:21 ` userns: targeted capabilities v5 Andrew Morton
2011-02-23 12:05 ` User namespaces and keys David Howells
2011-02-17 15:03 ` [PATCH 7/9] add a user namespace owner of ipc ns Serge E. Hallyn
2011-02-18 3:19 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:57 ` Daniel Lezcano
[not found] ` <20110217150349.GG26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:19 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:57 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 8/9] user namespaces: convert several capable() calls Serge E. Hallyn
[not found] ` <20110217150356.GH26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:51 ` Eric W. Biederman
2011-02-19 19:07 ` Daniel Lezcano
2011-02-18 1:51 ` Eric W. Biederman
2011-02-19 19:07 ` Daniel Lezcano
2011-02-17 15:04 ` [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks Serge E. Hallyn
2011-02-18 1:29 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110218155935.66e7782d.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 3:24 ` Serge E. Hallyn
2011-02-24 3:24 ` Serge E. Hallyn
[not found] ` <20110224032415.GA5555-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 5:08 ` Andrew Morton
2011-02-24 5:08 ` Andrew Morton
2011-02-19 19:22 ` Daniel Lezcano
[not found] ` <20110217150406.GI26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:29 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 19:22 ` Daniel Lezcano
2011-02-18 0:21 ` userns: targeted capabilities v5 Andrew Morton
2011-02-18 3:53 ` Eric W. Biederman
[not found] ` <20110217162146.1b8e45e0.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-18 3:53 ` Eric W. Biederman
2011-02-18 4:28 ` Serge E. Hallyn
2011-02-18 4:28 ` Serge E. Hallyn
[not found] ` <29256.1298461209-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 12:01 ` [PATCH 2/9] security: Make capabilities relative to the user namespace David Howells
2011-02-23 12:05 ` User namespaces and keys David Howells
2011-02-23 13:58 ` Serge E. Hallyn
2011-02-23 14:46 ` Eric W. Biederman
2011-02-23 15:06 ` David Howells
2011-02-23 15:45 ` Eric W. Biederman
2011-02-23 15:53 ` Serge E. Hallyn
[not found] ` <20110223155328.GA21266-BtbdaCaBcfOTUehee3IRJA@public.gmane.org>
2011-02-23 19:24 ` Casey Schaufler
2011-02-23 19:24 ` Casey Schaufler
[not found] ` <4D655EE4.6030707-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2011-02-23 20:55 ` Eric W. Biederman
2011-02-23 20:55 ` Eric W. Biederman
[not found] ` <m1k4gqlbdm.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 21:37 ` Casey Schaufler
2011-02-23 21:37 ` Casey Schaufler
2011-02-24 6:56 ` Eric W. Biederman
[not found] ` <4D657E0C.3010102-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2011-02-24 6:56 ` Eric W. Biederman
[not found] ` <m162sasqj6.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 15:53 ` Serge E. Hallyn
[not found] ` <890.1298473574-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 15:45 ` Eric W. Biederman
[not found] ` <20110223135814.GA1859-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-23 14:46 ` Eric W. Biederman
2011-02-23 15:06 ` David Howells
[not found] ` <29677.1298462729-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 13:58 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110218155918.53f4e0a9.akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=adobriyan@gmail.com \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=serge@hallyn.com \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.