* [PATCH] user_ns: Use nsown_capable instead of capable in net_ctl_permissions
@ 2012-07-24 11:05 Huang Qiang
[not found] ` <500E815D.4070605-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
0 siblings, 1 reply; 3+ messages in thread
From: Huang Qiang @ 2012-07-24 11:05 UTC (permalink / raw)
To: ebiederm-aS9lmoZGLiVWk0Htik3J/w,
serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA
From: Zhao Hongjiang <zhaohongjiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
HI:
When I use an unprivileged user exec the following command:
# nsexec -cUn /bin/bash
to create a container with new user_ns and net_ns.
Then I exec "echo 4096 4096 4096 > /proc/sys/net/ipv4/tcp_mem",
the result is Permission Denied which we hope it should be allowed.
It is because of capable(CAP_NET_ADMIN).
Even my unprivileged user have the CAP_NET_ADMIN in the new user_ns and the
tcp_mem is belong to the new net_ns, the capable(CAP_NET_ADMIN) checking is
that this must in the init_user_ns, so the result is the network administrator
can't have the same access as root.
Use nsown_capable(...) the problem is solved.
PS: I changed lxc almostly like what serge done, then use an unprivileged user
to start a container, several Permission Denied occur(such as mount), all this
is caused by capabale(...), when i use nsown_capable(...) the container is
running like everything is ok.
Is this capabale() methed is obsolete? If so, i'll send a new patch to solve
all this problems.
Signed-off-by: Zhao Hongjiang<zhaohongjiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
Signed-off-by: Huang Qiang <h.huangqiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
---
net/sysctl_net.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index c3e65ae..ee31777 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -47,7 +47,7 @@ static int net_ctl_permissions(struct ctl_table_root *root,
struct ctl_table *table)
{
/* Allow network administrator to have same access as root. */
- if (capable(CAP_NET_ADMIN)) {
+ if (nsown_capable(CAP_NET_ADMIN)) {
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
}
--
1.7.1
^ permalink raw reply related [flat|nested] 3+ messages in thread[parent not found: <500E815D.4070605-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>]
* Re: [PATCH] user_ns: Use nsown_capable instead of capable in net_ctl_permissions [not found] ` <500E815D.4070605-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> @ 2012-07-24 14:20 ` Serge Hallyn 2012-07-25 11:32 ` Eric W. Biederman 1 sibling, 0 replies; 3+ messages in thread From: Serge Hallyn @ 2012-07-24 14:20 UTC (permalink / raw) To: Huang Qiang Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, ebiederm-aS9lmoZGLiVWk0Htik3J/w Quoting Huang Qiang (h.huangqiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org): > From: Zhao Hongjiang <zhaohongjiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> > > HI: Hi, > When I use an unprivileged user exec the following command: > # nsexec -cUn /bin/bash > to create a container with new user_ns and net_ns. > > Then I exec "echo 4096 4096 4096 > /proc/sys/net/ipv4/tcp_mem", > the result is Permission Denied which we hope it should be allowed. > > It is because of capable(CAP_NET_ADMIN). > > Even my unprivileged user have the CAP_NET_ADMIN in the new user_ns and the > tcp_mem is belong to the new net_ns, the capable(CAP_NET_ADMIN) checking is > that this must in the init_user_ns, so the result is the network administrator > can't have the same access as root. > > Use nsown_capable(...) the problem is solved. > > PS: I changed lxc almostly like what serge done, then use an unprivileged user Which time? :) FWIW the closest I came to a working patch to lxc to work with user namespaces was https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns but, of course, the missing ns_capable conversions prevented that from being usable yet. > to start a container, several Permission Denied occur(such as mount), all this > is caused by capabale(...), when i use nsown_capable(...) the container is > running like everything is ok. > Is this capabale() methed is obsolete? If so, i'll send a new patch to solve > all this problems. The intent is to switch many of them over, but we don't want to start handing out capabilities until we're sure the core conversion is complete. Eric still has a large patchset which hasn't been merged upstream, which I'd like to see before this patch or the others you are talking about. (See http://git.kernel.org/?p=linux/kernel/git/ebiederm/user-namespace.git;a=summary and http://kernel.ubuntu.com/git?p=serge/quantal-userns.git;a=summary for patches yet to be merged) But certainly if you want to start queueing such patches in your own git tree to experiment with exactly what is needed for unprivileged containers that would be very interesting. I'll be overrun and then missing for a bit, but in 2 or 3 weeks I may rebuild and then flesh out my own tree with new patches. Would be happy to look at anything you come up with in the meantime, and work with you then. > Signed-off-by: Zhao Hongjiang<zhaohongjiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> > Signed-off-by: Huang Qiang <h.huangqiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> > --- > net/sysctl_net.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/net/sysctl_net.c b/net/sysctl_net.c > index c3e65ae..ee31777 100644 > --- a/net/sysctl_net.c > +++ b/net/sysctl_net.c > @@ -47,7 +47,7 @@ static int net_ctl_permissions(struct ctl_table_root *root, > struct ctl_table *table) > { > /* Allow network administrator to have same access as root. */ > - if (capable(CAP_NET_ADMIN)) { > + if (nsown_capable(CAP_NET_ADMIN)) { > int mode = (table->mode >> 6) & 7; > return (mode << 6) | (mode << 3) | mode; > } > -- > 1.7.1 > ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] user_ns: Use nsown_capable instead of capable in net_ctl_permissions [not found] ` <500E815D.4070605-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> 2012-07-24 14:20 ` Serge Hallyn @ 2012-07-25 11:32 ` Eric W. Biederman 1 sibling, 0 replies; 3+ messages in thread From: Eric W. Biederman @ 2012-07-25 11:32 UTC (permalink / raw) To: Huang Qiang; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA To expand a bit on Serge's reply. Huang Qiang <h.huangqiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> writes: > From: Zhao Hongjiang <zhaohongjiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> > > HI: > When I use an unprivileged user exec the following command: > # nsexec -cUn /bin/bash > to create a container with new user_ns and net_ns. > > Then I exec "echo 4096 4096 4096 > /proc/sys/net/ipv4/tcp_mem", > the result is Permission Denied which we hope it should be allowed. > > It is because of capable(CAP_NET_ADMIN). > > Even my unprivileged user have the CAP_NET_ADMIN in the new user_ns and the > tcp_mem is belong to the new net_ns, the capable(CAP_NET_ADMIN) checking is > that this must in the init_user_ns, so the result is the network administrator > can't have the same access as root. > > Use nsown_capable(...) the problem is solved. > > PS: I changed lxc almostly like what serge done, then use an unprivileged user > to start a container, several Permission Denied occur(such as mount), all this > is caused by capabale(...), when i use nsown_capable(...) the container is > running like everything is ok. > Is this capabale() methed is obsolete? If so, i'll send a new patch to solve > all this problems. No capable is not really obsolete. Your patch is a bit scary, and this is definitely an area we need to do some work in. There are a couple of pieces to this. If you raise tcp_mem you can allow yourself to take up unlimited amounts of kernel memory. We should not allow that for an unprivilged user, and unprivilged users are allowed to create a user namespaces and then network namespaces. The replacement should be ns_capable not nsown_capable. We don't want to allow any process that happens to have CAP_NET_ADMIN in their user namespace to have root privileges over any syctl file they can get a file descriptor to. cap_capable exists so that we can take our time and audit these things. Potentially we could change all cap_capable to "ns_capable(&init_user_ns, ...)" but that doesn't buy us much in the short term. So while I think your patch is in the right ballpark, I think a correct version of allowing an unprivileged user to raise tcp_mem is something we need to do a bit more carefully. Eric > Signed-off-by: Zhao Hongjiang<zhaohongjiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> > Signed-off-by: Huang Qiang <h.huangqiang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> > --- > net/sysctl_net.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/net/sysctl_net.c b/net/sysctl_net.c > index c3e65ae..ee31777 100644 > --- a/net/sysctl_net.c > +++ b/net/sysctl_net.c > @@ -47,7 +47,7 @@ static int net_ctl_permissions(struct ctl_table_root *root, > struct ctl_table *table) > { > /* Allow network administrator to have same access as root. */ > - if (capable(CAP_NET_ADMIN)) { > + if (nsown_capable(CAP_NET_ADMIN)) { > int mode = (table->mode >> 6) & 7; > return (mode << 6) | (mode << 3) | mode; > } ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-07-25 11:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-07-24 11:05 [PATCH] user_ns: Use nsown_capable instead of capable in net_ctl_permissions Huang Qiang
[not found] ` <500E815D.4070605-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2012-07-24 14:20 ` Serge Hallyn
2012-07-25 11:32 ` Eric W. Biederman
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.