Documentation patch for namespaced file capabilities

Documentation patch for namespaced file capabilities

[Michael Kerrisk (man-pages)]

Hi Serge,

At the moment man-pages lacks documentation of the namespaced file
capability feature that you added with commit
8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
patch describing the feature?

Presumably, the patch would be for the capabilities(7) page (or
perhaps for the user_namespaces(7) page, if that seems more
appropriate), As well as documenting the semantics, it would be good
to include an example or two of the notation that is used for the
xattr names.

Presumably also there will be some changes in userspace tools
(setcap/getcap?). Do you know anything about what's happening there?

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Documentation patch for namespaced file capabilities

[Michael Kerrisk (man-pages)]

Hi Serge,

At the moment man-pages lacks documentation of the namespaced file
capability feature that you added with commit
8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
patch describing the feature?

Presumably, the patch would be for the capabilities(7) page (or
perhaps for the user_namespaces(7) page, if that seems more
appropriate), As well as documenting the semantics, it would be good
to include an example or two of the notation that is used for the
xattr names.

Presumably also there will be some changes in userspace tools
(setcap/getcap?). Do you know anything about what's happening there?

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Documentation patch for namespaced file capabilities

[Michael Kerrisk (man-pages)]

Hi Serge,

At the moment man-pages lacks documentation of the namespaced file
capability feature that you added with commit
8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
patch describing the feature?

Presumably, the patch would be for the capabilities(7) page (or
perhaps for the user_namespaces(7) page, if that seems more
appropriate), As well as documenting the semantics, it would be good
to include an example or two of the notation that is used for the
xattr names.

Presumably also there will be some changes in userspace tools
(setcap/getcap?). Do you know anything about what's happening there?

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Re: Documentation patch for namespaced file capabilities

[Eric W. Biederman]

"Michael Kerrisk (man-pages)" <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

> Hi Serge,
>
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?
>
> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
>
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?


Just a quick summary.

- The capability name does not change.

- From inside a user namespace the capability works as for ``root'' as
  existing tools expect.  (AKA the capability is mapped into the current
  user namespace).

- From outside a user namespace the version of the capability is
  incremented, and a uid of the root user in a user namespace is added
  at the end in the new version of the capability.

So for the capabilities(7) manpage I would add to the File capablities
section:

Since Kernel v4.14 the kernel supports setting file capabilities inside
a user namespace.  In which case an additional uid is stored indicating
the root user of the user namespace the file capabilitity is active in.

When a file is executed and it has a file capability limited to a user
namespace, the kernel takes the uid from the capability and if that uid
matches the uid of the root user of the user namespace or the root user
of an ancestor namespace the capability is applied.  Otherwise the
capability is ignored.

Eric

Re: Documentation patch for namespaced file capabilities

[Eric W. Biederman]

"Michael Kerrisk (man-pages)" <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

> Hi Serge,
>
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?
>
> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
>
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?


Just a quick summary.

- The capability name does not change.

- From inside a user namespace the capability works as for ``root'' as
  existing tools expect.  (AKA the capability is mapped into the current
  user namespace).

- From outside a user namespace the version of the capability is
  incremented, and a uid of the root user in a user namespace is added
  at the end in the new version of the capability.

So for the capabilities(7) manpage I would add to the File capablities
section:

Since Kernel v4.14 the kernel supports setting file capabilities inside
a user namespace.  In which case an additional uid is stored indicating
the root user of the user namespace the file capabilitity is active in.

When a file is executed and it has a file capability limited to a user
namespace, the kernel takes the uid from the capability and if that uid
matches the uid of the root user of the user namespace or the root user
of an ancestor namespace the capability is applied.  Otherwise the
capability is ignored.

Eric

Documentation patch for namespaced file capabilities

[Eric W. Biederman]

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Serge,
>
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?
>
> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
>
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?


Just a quick summary.

- The capability name does not change.

- From inside a user namespace the capability works as for ``root'' as
  existing tools expect.  (AKA the capability is mapped into the current
  user namespace).

- From outside a user namespace the version of the capability is
  incremented, and a uid of the root user in a user namespace is added
  at the end in the new version of the capability.

So for the capabilities(7) manpage I would add to the File capablities
section:

Since Kernel v4.14 the kernel supports setting file capabilities inside
a user namespace.  In which case an additional uid is stored indicating
the root user of the user namespace the file capabilitity is active in.

When a file is executed and it has a file capability limited to a user
namespace, the kernel takes the uid from the capability and if that uid
matches the uid of the root user of the user namespace or the root user
of an ancestor namespace the capability is applied.  Otherwise the
capability is ignored.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Documentation patch for namespaced file capabilities

[Eric W. Biederman]

[-- Attachment #1: Type: text/plain, Size: 1791 bytes --]

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Serge,
>
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?
>
> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
>
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?


Just a quick summary.

- The capability name does not change.

- From inside a user namespace the capability works as for ``root'' as
  existing tools expect.  (AKA the capability is mapped into the current
  user namespace).

- From outside a user namespace the version of the capability is
  incremented, and a uid of the root user in a user namespace is added
  at the end in the new version of the capability.

So for the capabilities(7) manpage I would add to the File capablities
section:

Since Kernel v4.14 the kernel supports setting file capabilities inside
a user namespace.  In which case an additional uid is stored indicating
the root user of the user namespace the file capabilitity is active in.

When a file is executed and it has a file capability limited to a user
namespace, the kernel takes the uid from the capability and if that uid
matches the uid of the root user of the user namespace or the root user
of an ancestor namespace the capability is applied.  Otherwise the
capability is ignored.

Eric

Re: Documentation patch for namespaced file capabilities

[Eric W. Biederman]

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Serge,
>
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?
>
> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
>
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?


Just a quick summary.

- The capability name does not change.

- From inside a user namespace the capability works as for ``root'' as
  existing tools expect.  (AKA the capability is mapped into the current
  user namespace).

- From outside a user namespace the version of the capability is
  incremented, and a uid of the root user in a user namespace is added
  at the end in the new version of the capability.

So for the capabilities(7) manpage I would add to the File capablities
section:

Since Kernel v4.14 the kernel supports setting file capabilities inside
a user namespace.  In which case an additional uid is stored indicating
the root user of the user namespace the file capabilitity is active in.

When a file is executed and it has a file capability limited to a user
namespace, the kernel takes the uid from the capability and if that uid
matches the uid of the root user of the user namespace or the root user
of an ancestor namespace the capability is applied.  Otherwise the
capability is ignored.

Eric

Re: Documentation patch for namespaced file capabilities

[Serge E. Hallyn]

Quoting Michael Kerrisk (man-pages) (mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> Hi Serge,
> 
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?

Sorry.  I'm adding this to my todo list, so I should get to it soon.

> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
> 
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?
> 
> Cheers,
> 
> Michael
> 
> 
> -- 
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/

Re: Documentation patch for namespaced file capabilities

[Serge E. Hallyn]

Quoting Michael Kerrisk (man-pages) (mtk.manpages@gmail.com):
> Hi Serge,
> 
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?

Sorry.  I'm adding this to my todo list, so I should get to it soon.

> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
> 
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?
> 
> Cheers,
> 
> Michael
> 
> 
> -- 
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/

Documentation patch for namespaced file capabilities

[Serge E. Hallyn]

Quoting Michael Kerrisk (man-pages) (mtk.manpages at gmail.com):
> Hi Serge,
> 
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?

Sorry.  I'm adding this to my todo list, so I should get to it soon.

> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
> 
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?
> 
> Cheers,
> 
> Michael
> 
> 
> -- 
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Documentation patch for namespaced file capabilities

[Michael Kerrisk (man-pages)]

Hi Serge,

On 29 November 2017 at 18:58, Serge E. Hallyn <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> wrote:
> Quoting Michael Kerrisk (man-pages) (mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
>> Hi Serge,
>>
>> At the moment man-pages lacks documentation of the namespaced file
>> capability feature that you added with commit
>> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
>> patch describing the feature?
>
> Sorry.  I'm adding this to my todo list, so I should get to it soon.

A gentle ping...

Cheers,

Michael

>> Presumably, the patch would be for the capabilities(7) page (or
>> perhaps for the user_namespaces(7) page, if that seems more
>> appropriate), As well as documenting the semantics, it would be good
>> to include an example or two of the notation that is used for the
>> xattr names.
>>
>> Presumably also there will be some changes in userspace tools
>> (setcap/getcap?). Do you know anything about what's happening there?
>>
>> Cheers,
>>
>> Michael
>>
>>
>> --
>> Michael Kerrisk
>> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
>> Linux/UNIX System Programming Training: http://man7.org/training/



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Re: Documentation patch for namespaced file capabilities

[Michael Kerrisk (man-pages)]

Hi Serge,

On 29 November 2017 at 18:58, Serge E. Hallyn <serge@hallyn.com> wrote:
> Quoting Michael Kerrisk (man-pages) (mtk.manpages@gmail.com):
>> Hi Serge,
>>
>> At the moment man-pages lacks documentation of the namespaced file
>> capability feature that you added with commit
>> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
>> patch describing the feature?
>
> Sorry.  I'm adding this to my todo list, so I should get to it soon.

A gentle ping...

Cheers,

Michael

>> Presumably, the patch would be for the capabilities(7) page (or
>> perhaps for the user_namespaces(7) page, if that seems more
>> appropriate), As well as documenting the semantics, it would be good
>> to include an example or two of the notation that is used for the
>> xattr names.
>>
>> Presumably also there will be some changes in userspace tools
>> (setcap/getcap?). Do you know anything about what's happening there?
>>
>> Cheers,
>>
>> Michael
>>
>>
>> --
>> Michael Kerrisk
>> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
>> Linux/UNIX System Programming Training: http://man7.org/training/



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Documentation patch for namespaced file capabilities

[Michael Kerrisk (man-pages)]

Hi Serge,

On 29 November 2017 at 18:58, Serge E. Hallyn <serge@hallyn.com> wrote:
> Quoting Michael Kerrisk (man-pages) (mtk.manpages at gmail.com):
>> Hi Serge,
>>
>> At the moment man-pages lacks documentation of the namespaced file
>> capability feature that you added with commit
>> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
>> patch describing the feature?
>
> Sorry.  I'm adding this to my todo list, so I should get to it soon.

A gentle ping...

Cheers,

Michael

>> Presumably, the patch would be for the capabilities(7) page (or
>> perhaps for the user_namespaces(7) page, if that seems more
>> appropriate), As well as documenting the semantics, it would be good
>> to include an example or two of the notation that is used for the
>> xattr names.
>>
>> Presumably also there will be some changes in userspace tools
>> (setcap/getcap?). Do you know anything about what's happening there?
>>
>> Cheers,
>>
>> Michael
>>
>>
>> --
>> Michael Kerrisk
>> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
>> Linux/UNIX System Programming Training: http://man7.org/training/



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html