From: Seth Forshee <seth.forshee@canonical.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Serge H. Hallyn" <serge.hallyn@ubuntu.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Michael j Theall <mtheall@us.ibm.com>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	fuse-devel@lists.sourceforge.net
Subject: Re: [fuse-devel] [PATCH v4 4/5] fuse: Support privileged xattrs only with a mount option
Date: Thu, 23 Oct 2014 16:24:51 -0500
Message-ID: <20141023212451.GA141706@ubuntu-hedt>
In-Reply-To: <CALCETrUTxsH=p8QhK80Z3nS3JHT-14-BC0Q1bmAm29UYBo69tA@mail.gmail.com>

On Thu, Oct 23, 2014 at 11:32:41AM -0700, Andy Lutomirski wrote:
> On Oct 21, 2014 9:59 PM, "Seth Forshee" <seth.forshee@canonical.com> wrote:
> >
> > On Tue, Oct 21, 2014 at 02:27:13PM -0700, Andy Lutomirski wrote:
> > > On Tue, Oct 21, 2014 at 2:21 PM, Seth Forshee
> > >
> > > >         return s;
> > > >
> > > >  fail:
> > > > diff --git a/fs/xattr.c b/fs/xattr.c
> > > > index 64e83efb742d..383bb9f25555 100644
> > > > --- a/fs/xattr.c
> > > > +++ b/fs/xattr.c
> > > > @@ -40,6 +40,12 @@ xattr_permission(struct inode *inode, const char *name, int mask)
> > > >                         return -EPERM;
> > > >         }
> > > >
> > > > +       /* Restrict security.* and trusted.* to mounts from init_user_ns. */
> > > > +       if (inode->i_sb->s_user_ns != &init_user_ns &&
> > > > +           (!strcmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) ||
> > > > +            !strcmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)))
> > > > +               return -EPERM;
> > > > +
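
Review bot: both prefix tests in the added condition call strcmp() with three arguments (name, prefix, length), which does not match strcmp's two-argument signature and will not build; they should be strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) and likewise for XATTR_TRUSTED_PREFIX. The added check also never consults the mask argument of xattr_permission(), so it returns -EPERM for reads as well as writes on any superblock whose s_user_ns is not init_user_ns; if only setting these attributes is meant to be restricted, gate the check on the write bit of mask and state the intended scope in the comment.
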
> > >
> > > trusted.* should be fine already, I think -- it checks global
> > > capabilities.  And I still think that security.* should be left to
> > > LSMs, which IMO really do need to be fixed for user namespaces.
> > >
> > > But how does this help with FUSE at all?   Does FUSE end up calling
> > > xattr_permission?
> >
> > It gets called from vfs_getxattr, and thus for the getxattr syscall for
> > all fs types, so this would block reading any trusted.* xattrs from the
> > fuse userspace process.
> 
> Oh.  It seems weird to me that getxattr would get an error instead of
> FUSE being prevented from setting those attributes.
> 
> I'm still unconvinced that this is the right approach.  And anything
> that tries to use LSMs in a container will eventually want those
> attributes.

I suppose so. I'll have to think about this some more.

Thanks,
Seth
