From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
"Andrew G. Morgan"
<morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>,
Michael Kerrisk-manpages
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
"Serge E. Hallyn"
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH 1/1] simplified security.nscapability xattr
Date: Tue, 3 May 2016 09:25:26 -0500 [thread overview]
Message-ID: <20160503142526.GA6309@mail.hallyn.com> (raw)
In-Reply-To: <87bn4nhejj.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>
> > Quoting Andrew G. Morgan (morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org):
> >>
> >> I guess I'm confused how we have strayed so far that this isn't an obvious
> >> requirement. Uid=0 as being the root of privilege was the basic problem
> >> that capabilities were designed to change.
> >
> > The task executing the file can be any uid mapped into the namespace. The
> > file only has to be owned by the root of the user_ns. Which I agree is
> > unfortunate. We can work around it by putting the root uid into the xattr
> > itself (which still isn't orthogonal but allows the file to at least by
> > owned by non-root), but the problem then is that a task needs to know its
> > global root k_uid just to write the xattr.
>
> The root kuid is just make_kuids(user_ns, 0) so it is easy to find.
>
> It might be a hair better to use the userns->owner instead of the root
> uid. That would allow user namespaces without a mapped root to still
> use file capabilities.
That's all fine if the kernel does it for us magically. Which is what we're
talking about below. Above I was talking about userspace putting it into
the xattr.
> >> Uid is an acl concept. Capabilities are supposed to be independent of that.
> >>
> >> If we want to support NS file capabilities I would look at replacing the
> >> xattr syscall with a dedicated file capabilities modification syscall. Then
> >
> > That was one ofthe possibilities I'd mentioned in my earlier proposal,
> > fwiw. The problem is if we want tar to still work unmodified then
> > simple xattr operations still have to work.
> >
> > Maybe there's workable semantics there though. Worth thinking about.
>
> If the problem is compatibilty please look at
> posix_acl_fix_xattr_from_user. With something similar for the
All right. Excellent. I simply didn't think something like that would
be acceptable. I tend to think of xattrs as just out of band file contents,
but generally under user control. I guess that's not right.
> security.capability attribute we can perform whatever transformation
> makes sense. I admit adding 4 bytes is a bit of a pain in that context
> but not a big one.
If we can do all the magic in the kernel behind the scenes, then I
absolutely do not mind adding a new security.capability version with 4
more bytes. Userspace can just write the old xattr format with the new
version number, kernel fills in the userns owner kuid. It's what I
originally wanted to do, but didn't think was acceptable.
Sounds great!
-serge
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
"Andrew G. Morgan" <morgan@kernel.org>,
Kees Cook <keescook@chromium.org>, Jann Horn <jann@thejh.net>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
Linux API <linux-api@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Linux Containers <containers@lists.linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/1] simplified security.nscapability xattr
Date: Tue, 3 May 2016 09:25:26 -0500 [thread overview]
Message-ID: <20160503142526.GA6309@mail.hallyn.com> (raw)
In-Reply-To: <87bn4nhejj.fsf@x220.int.ebiederm.org>
Quoting Eric W. Biederman (ebiederm@xmission.com):
> "Serge E. Hallyn" <serge@hallyn.com> writes:
>
> > Quoting Andrew G. Morgan (morgan@kernel.org):
> >>
> >> I guess I'm confused how we have strayed so far that this isn't an obvious
> >> requirement. Uid=0 as being the root of privilege was the basic problem
> >> that capabilities were designed to change.
> >
> > The task executing the file can be any uid mapped into the namespace. The
> > file only has to be owned by the root of the user_ns. Which I agree is
> > unfortunate. We can work around it by putting the root uid into the xattr
> > itself (which still isn't orthogonal but allows the file to at least by
> > owned by non-root), but the problem then is that a task needs to know its
> > global root k_uid just to write the xattr.
>
> The root kuid is just make_kuids(user_ns, 0) so it is easy to find.
>
> It might be a hair better to use the userns->owner instead of the root
> uid. That would allow user namespaces without a mapped root to still
> use file capabilities.
That's all fine if the kernel does it for us magically. Which is what we're
talking about below. Above I was talking about userspace putting it into
the xattr.
> >> Uid is an acl concept. Capabilities are supposed to be independent of that.
> >>
> >> If we want to support NS file capabilities I would look at replacing the
> >> xattr syscall with a dedicated file capabilities modification syscall. Then
> >
> > That was one ofthe possibilities I'd mentioned in my earlier proposal,
> > fwiw. The problem is if we want tar to still work unmodified then
> > simple xattr operations still have to work.
> >
> > Maybe there's workable semantics there though. Worth thinking about.
>
> If the problem is compatibilty please look at
> posix_acl_fix_xattr_from_user. With something similar for the
All right. Excellent. I simply didn't think something like that would
be acceptable. I tend to think of xattrs as just out of band file contents,
but generally under user control. I guess that's not right.
> security.capability attribute we can perform whatever transformation
> makes sense. I admit adding 4 bytes is a bit of a pain in that context
> but not a big one.
If we can do all the magic in the kernel behind the scenes, then I
absolutely do not mind adding a new security.capability version with 4
more bytes. Userspace can just write the old xattr format with the new
version number, kernel fills in the userns owner kuid. It's what I
originally wanted to do, but didn't think was acceptable.
Sounds great!
-serge
next prev parent reply other threads:[~2016-05-03 14:25 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-22 17:26 namespaced file capabilities serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA
2016-04-22 17:26 ` serge.hallyn
[not found] ` <1461345993-17526-1-git-send-email-serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
2016-04-22 17:26 ` [PATCH 1/1] simplified security.nscapability xattr serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA
2016-04-22 17:26 ` serge.hallyn
[not found] ` <1461345993-17526-2-git-send-email-serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
2016-04-26 19:46 ` Seth Forshee
2016-04-26 19:46 ` Seth Forshee
2016-04-26 21:59 ` Kees Cook
2016-04-26 21:59 ` Kees Cook
[not found] ` <CAGXu5jKFNQs8oxq+yD6_Q8HcNyf+GouSHFzkxT9u9BkK=ZLQ7Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-04-26 22:26 ` Serge E. Hallyn
2016-04-26 22:26 ` Serge E. Hallyn
[not found] ` <20160426222627.GA19307-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-04-26 22:39 ` Kees Cook
2016-04-26 22:39 ` Kees Cook
2016-04-27 8:09 ` Jann Horn
[not found] ` <CAGXu5jJbmSKst_RiM84-7OaX=2XettzpTh34uFFoevvoPRO76Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-04-27 4:39 ` Serge E. Hallyn
2016-04-27 4:39 ` Serge E. Hallyn
2016-04-27 4:39 ` Serge E. Hallyn
2016-04-27 8:09 ` Jann Horn
2016-05-02 3:54 ` Serge E. Hallyn
2016-05-02 3:54 ` Serge E. Hallyn
[not found] ` <20160502035452.GA31837-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-02 18:31 ` Michael Kerrisk (man-pages)
2016-05-02 18:31 ` Michael Kerrisk (man-pages)
2016-05-02 21:31 ` Eric W. Biederman
2016-05-02 21:31 ` Eric W. Biederman
[not found] ` <87h9egp2oq.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-05-03 3:57 ` Andrew G. Morgan
[not found] ` <CALQRfL7mfpyudWs4Z8W5Zi8CTG-9O0OvrCnRU7pk0MXtsLBd0A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-05-03 4:50 ` Eric W. Biederman
2016-05-03 4:50 ` Eric W. Biederman
[not found] ` <874mafiw2m.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-05-10 19:00 ` Serge E. Hallyn
2016-05-10 19:00 ` Serge E. Hallyn
2016-05-03 4:50 ` Eric W. Biederman
2016-05-03 5:19 ` Serge E. Hallyn
2016-05-03 5:19 ` Serge E. Hallyn
2016-05-03 5:19 ` Serge E. Hallyn
[not found] ` <20160503051921.GA31551-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-03 5:54 ` Eric W. Biederman
2016-05-03 5:54 ` Eric W. Biederman
[not found] ` <87bn4nhejj.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-05-03 14:25 ` Serge E. Hallyn
2016-05-03 14:25 ` Serge E. Hallyn [this message]
2016-05-03 14:25 ` Serge E. Hallyn
[not found] ` <20160503142526.GA6309-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-10 19:03 ` Serge E. Hallyn
2016-05-10 19:03 ` Serge E. Hallyn
2016-05-10 19:03 ` Serge E. Hallyn
2016-05-07 23:10 ` Jann Horn
2016-05-07 23:10 ` Jann Horn
[not found] ` <20160507231012.GA11076-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-05-11 21:02 ` Serge E. Hallyn
2016-05-11 21:02 ` Serge E. Hallyn
[not found] ` <20160511210221.GA24015-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-16 21:15 ` Serge E. Hallyn
2016-05-16 21:15 ` Serge E. Hallyn
2016-05-16 21:15 ` Serge E. Hallyn
[not found] ` <20160516211523.GA5282-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-16 21:48 ` Serge E. Hallyn
2016-05-16 21:48 ` Serge E. Hallyn
[not found] ` <20160516214804.GA5926-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-18 21:57 ` [PATCH RFC] user-namespaced file capabilities - now with more magic Serge E. Hallyn
2016-05-18 21:57 ` Serge E. Hallyn
[not found] ` <20160518215752.GA9187-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-19 20:53 ` Mimi Zohar
2016-05-19 20:53 ` Mimi Zohar
2016-05-19 20:53 ` Mimi Zohar
2016-05-20 3:40 ` Serge E. Hallyn
[not found] ` <20160520034048.GA31216-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-20 11:19 ` Mimi Zohar
2016-05-20 11:19 ` Mimi Zohar
[not found] ` <1463743150.2465.100.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-05-20 18:28 ` Eric W. Biederman
2016-05-20 18:28 ` Eric W. Biederman
2016-05-20 18:28 ` Eric W. Biederman
[not found] ` <87mvnklh20.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-05-20 19:09 ` Mimi Zohar
2016-05-20 19:09 ` Mimi Zohar
[not found] ` <1463771344.2763.58.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-05-20 19:11 ` Eric W. Biederman
2016-05-20 19:11 ` Eric W. Biederman
2016-05-20 19:26 ` Serge E. Hallyn
2016-05-20 19:26 ` Serge E. Hallyn
[not found] ` <20160520192607.GA11601-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-20 19:42 ` Eric W. Biederman
2016-05-20 19:42 ` Eric W. Biederman
[not found] ` <87iny8h5yv.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-05-20 19:59 ` Serge E. Hallyn
2016-05-20 19:59 ` Serge E. Hallyn
[not found] ` <20160520195902.GB12101-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-05-20 23:23 ` Mimi Zohar
2016-05-20 23:23 ` Mimi Zohar
[not found] ` <1463786592.2763.74.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-05-20 23:32 ` Serge E. Hallyn
2016-05-20 23:32 ` Serge E. Hallyn
2016-05-20 23:23 ` Mimi Zohar
2016-05-20 19:59 ` Serge E. Hallyn
[not found] ` <1463691236.2465.74.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-05-20 3:40 ` Serge E. Hallyn
2016-05-11 21:02 ` [PATCH 1/1] simplified security.nscapability xattr Serge E. Hallyn
2016-05-03 5:54 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160503142526.GA6309@mail.hallyn.com \
--to=serge-a9i7lubdfnhqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.