From: David Howells <dhowells@redhat.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: dhowells@redhat.com, LSM <linux-security-module@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>, James Morris <jmorris@namei.org>,
Kees Cook <kees.cook@canonical.com>,
containers@lists.linux-foundation.org,
kernel list <linux-kernel@vger.kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
xemul@parallels.com
Subject: Re: User namespaces and keys
Date: Wed, 23 Feb 2011 15:06:14 +0000 [thread overview]
Message-ID: <890.1298473574@redhat.com> (raw)
In-Reply-To: <20110223135814.GA1859@mail.hallyn.com>
Serge E. Hallyn <serge@hallyn.com> wrote:
> > I guess we need to look at how to mix keys and namespaces again.
>
> From strictly kernel pov, at the moment, keys are strictly usable only
> by the user in your own user namespace.
I'm not sure that's currently completely true. Key quota maintenance is
namespaced, and the key's owner UID/GID belong to that namespace, so that's
okay, but:
(*) key_task_permission() does not distinguish UIDs and GIDs from different
namespaces.
(*) A key can be referred to by its serial number, no matter whose namespace
it is in, and will yield up its given UID/GID, even if these aren't
actually meaningful in your namespace.
This means request_key() can successfully upcall at the moment.
I wonder if I should make the following changes:
(1) If the key and the accessor are in different user namespaces, then skip
the UID and GID comparisons in key_task_permission(). That means that to
be able to access the key you'd have to possess the key and the key would
have to grant you Possessor access, or the key would have to grant you
Other access.
(2) If the key and someone viewing the key description are in different
namespaces, then indicate that the UID and the GID are -1, irrespective of
the actual values.
(3) When an upcall is attempting to instantiate a key, it is allowed to access
the keys of requestor using the requestor's credentials (UID, GID, groups,
security label). Ensure that this will be done in the requestor's user
namespace.
Nothing should need to be done here, since search_process_keyrings()
switches to the requestor's creds.
Oh, and are security labels user-namespaced?
> We may want to look at this again, but for now I think that would be a
> safe enough default. Later, we'll probably want the user creating a
> child_user_ns to allow his keys to be inherited by the child user_ns.
That depends what you mean by 'allow his keys to be inherited'. Do you mean
copying all the creator's keys en mass? You may find all you need to do is to
provide the new intended user with a new session keyring with a link back to
the creator's session keyring.
> Though, as I type that, it seems to me that that'll just become a
> maintenance pain, and it's just plain safer to have the user re-enter
> his keys,
That would certainly be simpler.
> sharing them over a file if needed.
I'm not sure what you mean by that. Do you mean some sort of cred passing
similar to that that can be done over AF_UNIX sockets with fds?
> I'm going to not consider the TPM at the moment :)
I'm not sure the TPM is that much of a problem, assuming you're just referring
to its keystore capability...
David
next prev parent reply other threads:[~2011-02-23 15:06 UTC|newest]
Thread overview: 135+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-17 15:02 userns: targeted capabilities v5 Serge E. Hallyn
2011-02-17 15:02 ` [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-02-18 3:31 ` Eric W. Biederman
2011-02-18 16:57 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110217150257.GA26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:31 ` Eric W. Biederman
2011-02-18 16:57 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 17:16 ` David Howells
2011-02-23 17:16 ` David Howells
[not found] ` <3139.1298481393-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 21:21 ` Eric W. Biederman
2011-02-23 21:21 ` Eric W. Biederman
2011-02-23 23:19 ` David Howells
2011-02-23 23:54 ` Eric W. Biederman
[not found] ` <8559.1298503148-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 23:54 ` Eric W. Biederman
[not found] ` <m1lj16ih0n.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 23:19 ` David Howells
2011-02-17 15:03 ` [PATCH 2/9] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-02-18 3:46 ` Eric W. Biederman
[not found] ` <20110217150306.GB26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:46 ` Eric W. Biederman
2011-02-18 23:44 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 11:40 ` David Howells
2011-02-23 16:59 ` David Howells
2011-02-18 23:44 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 11:40 ` David Howells
2011-02-23 12:01 ` David Howells
2011-02-23 13:43 ` Serge E. Hallyn
[not found] ` <29617.1298462517-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 13:43 ` Serge E. Hallyn
2011-02-23 16:59 ` David Howells
2011-02-17 15:03 ` [PATCH 3/9] allow sethostname in a container Serge E. Hallyn
2011-02-18 3:05 ` Eric W. Biederman
[not found] ` <20110217150316.GC26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:05 ` Eric W. Biederman
2011-02-18 23:46 ` Daniel Lezcano
2011-02-18 23:46 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 4/9] allow killing tasks in your own or child userns Serge E. Hallyn
2011-02-18 3:00 ` Eric W. Biederman
[not found] ` <20110217150325.GD26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:00 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 10:55 ` Daniel Lezcano
2011-02-19 10:55 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-24 0:48 ` Serge E. Hallyn
2011-02-24 0:54 ` Andrew Morton
[not found] ` <20110224004818.GA11822-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:54 ` Andrew Morton
[not found] ` <20110218155921.440f1137.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 0:48 ` Serge E. Hallyn
[not found] ` <20110217150224.GA26334-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-17 15:02 ` [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 2/9] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 3/9] allow sethostname in a container Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 4/9] allow killing tasks in your own or child userns Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 7/9] add a user namespace owner of ipc ns Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 8/9] user namespaces: convert several capable() calls Serge E. Hallyn
2011-02-17 15:04 ` [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks Serge E. Hallyn
2011-02-18 0:21 ` userns: targeted capabilities v5 Andrew Morton
2011-02-23 12:05 ` User namespaces and keys David Howells
2011-02-17 15:03 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-02-18 2:59 ` Eric W. Biederman
2011-02-18 4:36 ` Serge E. Hallyn
2011-02-24 0:49 ` [PATCH] userns: ptrace: incorporate feedback from Eric Serge E. Hallyn
[not found] ` <20110224004901.GB11822-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:56 ` Andrew Morton
2011-02-24 0:56 ` Andrew Morton
2011-02-24 3:15 ` Serge E. Hallyn
[not found] ` <20110223165651.cf248f3b.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 3:15 ` Serge E. Hallyn
[not found] ` <20110218043601.GB9584-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:49 ` Serge E. Hallyn
[not found] ` <m1aahu9hea.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-18 4:36 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
[not found] ` <20110217150333.GE26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 2:59 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:49 ` Daniel Lezcano
2011-02-23 17:05 ` David Howells
2011-02-23 17:11 ` David Howells
2011-02-18 23:59 ` Andrew Morton
2011-02-24 0:43 ` Serge E. Hallyn
[not found] ` <20110218155925.f7d30a52.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 0:43 ` Serge E. Hallyn
2011-02-19 17:49 ` Daniel Lezcano
2011-02-23 17:05 ` David Howells
2011-02-23 17:11 ` David Howells
2011-02-17 15:03 ` [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-02-18 1:57 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 0:01 ` Andrew Morton
2011-02-19 17:52 ` Daniel Lezcano
[not found] ` <20110217150342.GF26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:57 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 0:01 ` Andrew Morton
2011-02-19 17:52 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 7/9] add a user namespace owner of ipc ns Serge E. Hallyn
2011-02-18 3:19 ` Eric W. Biederman
[not found] ` <20110217150349.GG26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:19 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:57 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:57 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 8/9] user namespaces: convert several capable() calls Serge E. Hallyn
[not found] ` <20110217150356.GH26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:51 ` Eric W. Biederman
2011-02-19 19:07 ` Daniel Lezcano
2011-02-18 1:51 ` Eric W. Biederman
2011-02-19 19:07 ` Daniel Lezcano
2011-02-17 15:04 ` [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks Serge E. Hallyn
2011-02-18 1:29 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110218155935.66e7782d.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 3:24 ` Serge E. Hallyn
2011-02-24 3:24 ` Serge E. Hallyn
[not found] ` <20110224032415.GA5555-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 5:08 ` Andrew Morton
2011-02-24 5:08 ` Andrew Morton
[not found] ` <20110217150406.GI26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:29 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 19:22 ` Daniel Lezcano
2011-02-19 19:22 ` Daniel Lezcano
2011-02-18 0:21 ` userns: targeted capabilities v5 Andrew Morton
[not found] ` <20110217162146.1b8e45e0.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-18 3:53 ` Eric W. Biederman
2011-02-18 4:28 ` Serge E. Hallyn
2011-02-18 3:53 ` Eric W. Biederman
2011-02-18 4:28 ` Serge E. Hallyn
[not found] ` <29256.1298461209-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 12:01 ` [PATCH 2/9] security: Make capabilities relative to the user namespace David Howells
2011-02-23 12:05 ` User namespaces and keys David Howells
2011-02-23 13:58 ` Serge E. Hallyn
2011-02-23 14:46 ` Eric W. Biederman
[not found] ` <20110223135814.GA1859-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-23 14:46 ` Eric W. Biederman
2011-02-23 15:06 ` David Howells
2011-02-23 15:06 ` David Howells [this message]
[not found] ` <890.1298473574-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 15:45 ` Eric W. Biederman
2011-02-23 15:45 ` Eric W. Biederman
2011-02-23 15:53 ` Serge E. Hallyn
[not found] ` <20110223155328.GA21266-BtbdaCaBcfOTUehee3IRJA@public.gmane.org>
2011-02-23 19:24 ` Casey Schaufler
2011-02-23 19:24 ` Casey Schaufler
[not found] ` <4D655EE4.6030707-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2011-02-23 20:55 ` Eric W. Biederman
2011-02-23 20:55 ` Eric W. Biederman
[not found] ` <m1k4gqlbdm.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 21:37 ` Casey Schaufler
2011-02-23 21:37 ` Casey Schaufler
2011-02-24 6:56 ` Eric W. Biederman
[not found] ` <4D657E0C.3010102-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2011-02-24 6:56 ` Eric W. Biederman
[not found] ` <m162sasqj6.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 15:53 ` Serge E. Hallyn
[not found] ` <29677.1298462729-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 13:58 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=890.1298473574@redhat.com \
--to=dhowells@redhat.com \
--cc=adobriyan@gmail.com \
--cc=akpm@osdl.org \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=serge@hallyn.com \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.