From mboxrd@z Thu Jan 1 00:00:00 1970 From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman) Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces Date: Fri, 14 Jul 2017 07:04:19 -0500 Message-ID: <87vamv2pj0.fsf@xmission.com> References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com> <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com> <87mv89iy7q.fsf@xmission.com> <20170712170346.GA17974@mail.hallyn.com> <877ezdgsey.fsf@xmission.com> <74664cc8-bc3e-75d6-5892-f8934404349f@linux.vnet.ibm.com> <20170713011554.xwmrgkzfwnibvgcu@thunk.org> <87y3rscz9j.fsf@xmission.com> <20170713164012.brj2flnkaaks2oci@thunk.org> <87k23cb6os.fsf@xmission.com> <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com> <87bmoo8bxb.fsf@xmission.com> <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> <87h8yf7szd.fsf@xmission.com> <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <65dbe654-0d99-03fa-c838-5a726b462826-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> (Stefan Berger's message of "Fri, 14 Jul 2017 07:32:42 -0400") List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: Stefan Berger Cc: Theodore Ts'o , zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org, lkp-JC7UmRfGjtg@public.gmane.org List-Id: containers.vger.kernel.org Stefan Berger writes: > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> Stefan Berger writes: >> >>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >>> >>>> My big question right now is can you implement Ted's suggested >>>> restriction. Only one security.foo or secuirty.foo@... attribute ? >>> We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done. >>> >>> So now you want to allow security.foo and one security.foo@uid=<> or just a single one security.foo(@[[:print:]]*)? >>> >> The latter. > > That case would prevent a container user from overriding the xattr on > the host. Is that what we want? Most definitely. If a more privileged use has set secure.capable that is better. > For limiting the number of xattrs and > getting that functionality (override IMA signature for example) the > former seems better... I don't know about IMA. But my feeling is that we will only be dealing with a single signing key, so I don't see how having multiple IMA xattrs make sense. Could you explain that to me? > For the former I now have the topmost patch here: > https://github.com/stefanberger/linux/commits/xattr_for_userns.v3 Thank you. Eric From mboxrd@z Thu Jan 1 00:00:00 1970 From: ebiederm@xmission.com (Eric W. Biederman) Date: Fri, 14 Jul 2017 07:04:19 -0500 Subject: [PATCH v2] xattr: Enable security.capability in user namespaces In-Reply-To: <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> (Stefan Berger's message of "Fri, 14 Jul 2017 07:32:42 -0400") References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com> <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com> <87mv89iy7q.fsf@xmission.com> <20170712170346.GA17974@mail.hallyn.com> <877ezdgsey.fsf@xmission.com> <74664cc8-bc3e-75d6-5892-f8934404349f@linux.vnet.ibm.com> <20170713011554.xwmrgkzfwnibvgcu@thunk.org> <87y3rscz9j.fsf@xmission.com> <20170713164012.brj2flnkaaks2oci@thunk.org> <87k23cb6os.fsf@xmission.com> <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com> <87bmoo8bxb.fsf@xmission.com> <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> <87h8yf7szd.fsf@xmission.com> <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> Message-ID: <87vamv2pj0.fsf@xmission.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org Stefan Berger writes: > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> Stefan Berger writes: >> >>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >>> >>>> My big question right now is can you implement Ted's suggested >>>> restriction. Only one security.foo or secuirty.foo at ... attribute ? >>> We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done. >>> >>> So now you want to allow security.foo and one security.foo at uid=<> or just a single one security.foo(@[[:print:]]*)? >>> >> The latter. > > That case would prevent a container user from overriding the xattr on > the host. Is that what we want? Most definitely. If a more privileged use has set secure.capable that is better. > For limiting the number of xattrs and > getting that functionality (override IMA signature for example) the > former seems better... I don't know about IMA. But my feeling is that we will only be dealing with a single signing key, so I don't see how having multiple IMA xattrs make sense. Could you explain that to me? > For the former I now have the topmost patch here: > https://github.com/stefanberger/linux/commits/xattr_for_userns.v3 Thank you. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: multipart/mixed; boundary="===============8625817921337177290==" MIME-Version: 1.0 From: Eric W. Biederman To: lkp@lists.01.org Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces Date: Fri, 14 Jul 2017 07:04:19 -0500 Message-ID: <87vamv2pj0.fsf@xmission.com> In-Reply-To: <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> List-Id: --===============8625817921337177290== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Stefan Berger writes: > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> Stefan Berger writes: >> >>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >>> >>>> My big question right now is can you implement Ted's suggested >>>> restriction. Only one security.foo or secuirty.foo(a)... attribute ? >>> We need to raw-list the xattrs and do the check before writing them. I = am fairly sure this can be done. >>> >>> So now you want to allow security.foo and one security.foo(a)uid=3D<> o= r just a single one security.foo(@[[:print:]]*)? >>> >> The latter. > > That case would prevent a container user from overriding the xattr on > the host. Is that what we want? Most definitely. If a more privileged use has set secure.capable that is better. = > For limiting the number of xattrs and > getting that functionality (override IMA signature for example) the > former seems better... I don't know about IMA. But my feeling is that we will only be dealing with a single signing key, so I don't see how having multiple IMA xattrs make sense. Could you explain that to me? > For the former I now have the topmost patch here: > https://github.com/stefanberger/linux/commits/xattr_for_userns.v3 Thank you. Eric --===============8625817921337177290==-- From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932146AbdGNMMv (ORCPT ); Fri, 14 Jul 2017 08:12:51 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:57497 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932079AbdGNMMs (ORCPT ); Fri, 14 Jul 2017 08:12:48 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Stefan Berger Cc: "Theodore Ts'o" , "Serge E. Hallyn" , containers@lists.linux-foundation.org, lkp@01.org, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, tycho@docker.com, James.Bottomley@HansenPartnership.com, vgoyal@redhat.com, christian.brauner@mailbox.org, amir73il@gmail.com, linux-security-module@vger.kernel.org, casey@schaufler-ca.com References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com> <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com> <87mv89iy7q.fsf@xmission.com> <20170712170346.GA17974@mail.hallyn.com> <877ezdgsey.fsf@xmission.com> <74664cc8-bc3e-75d6-5892-f8934404349f@linux.vnet.ibm.com> <20170713011554.xwmrgkzfwnibvgcu@thunk.org> <87y3rscz9j.fsf@xmission.com> <20170713164012.brj2flnkaaks2oci@thunk.org> <87k23cb6os.fsf@xmission.com> <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com> <87bmoo8bxb.fsf@xmission.com> <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> <87h8yf7szd.fsf@xmission.com> <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> Date: Fri, 14 Jul 2017 07:04:19 -0500 In-Reply-To: <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> (Stefan Berger's message of "Fri, 14 Jul 2017 07:32:42 -0400") Message-ID: <87vamv2pj0.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1dVzS9-0001YP-J6;;;mid=<87vamv2pj0.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18Tc5J/Xi3Fg4ZnEr4TSucBpRiGZCOvXj8= X-SA-Exim-Connect-IP: 67.3.213.87 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4990] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Stefan Berger X-Spam-Relay-Country: X-Spam-Timing: total 5757 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 3.4 (0.1%), b_tie_ro: 2.3 (0.0%), parse: 1.86 (0.0%), extract_message_metadata: 36 (0.6%), get_uri_detail_list: 4.1 (0.1%), tests_pri_-1000: 10 (0.2%), tests_pri_-950: 1.15 (0.0%), tests_pri_-900: 0.95 (0.0%), tests_pri_-400: 24 (0.4%), check_bayes: 23 (0.4%), b_tokenize: 7 (0.1%), b_tok_get_all: 7 (0.1%), b_comp_prob: 3.6 (0.1%), b_tok_touch_all: 2.7 (0.0%), b_finish: 0.57 (0.0%), tests_pri_0: 847 (14.7%), check_dkim_signature: 0.69 (0.0%), check_dkim_adsp: 3.6 (0.1%), tests_pri_500: 4827 (83.8%), poll_dns_idle: 4820 (83.7%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Stefan Berger writes: > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> Stefan Berger writes: >> >>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >>> >>>> My big question right now is can you implement Ted's suggested >>>> restriction. Only one security.foo or secuirty.foo@... attribute ? >>> We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done. >>> >>> So now you want to allow security.foo and one security.foo@uid=<> or just a single one security.foo(@[[:print:]]*)? >>> >> The latter. > > That case would prevent a container user from overriding the xattr on > the host. Is that what we want? Most definitely. If a more privileged use has set secure.capable that is better. > For limiting the number of xattrs and > getting that functionality (override IMA signature for example) the > former seems better... I don't know about IMA. But my feeling is that we will only be dealing with a single signing key, so I don't see how having multiple IMA xattrs make sense. Could you explain that to me? > For the former I now have the topmost patch here: > https://github.com/stefanberger/linux/commits/xattr_for_userns.v3 Thank you. Eric