From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>, James Morris <jmorris@namei.org>,
Kees Cook <kees.cook@canonical.com>,
containers@lists.linux-foundation.org,
kernel list <linux-kernel@vger.kernel.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
xemul@parallels.com, dhowells@redhat.com
Subject: Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
Date: Thu, 17 Feb 2011 17:29:32 -0800
Message-ID: <m14o82dtab.fsf@fess.ebiederm.org>
In-Reply-To: <20110217150406.GI26395@mail.hallyn.com> (Serge E. Hallyn's message of "Thu, 17 Feb 2011 15:04:07 +0000")
"Serge E. Hallyn" <serge@hallyn.com> writes:
> Cheat for now and say all files belong to init_user_ns. Next
> step will be to let superblocks belong to a user_ns, and derive
> inode_userns(inode) from inode->i_sb->s_user_ns. Finally we'll
> introduce more flexible arrangements.
This looks good. I am a little worried that a concept like
inode_user_ns will imply that there is only ever one.
However, this looks like a good place to start, and it will only
be strange filesystems that implement a notion of permissions
that is namespace aware, so I don't expect the generic code
needs to handle that case other than allowing the permission checks
to be overridden.
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
>
> Changelog:
> Feb 15: make is_owner_or_cap take const struct inode
>
> Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
> ---
> fs/inode.c | 17 +++++++++++++++++
> fs/namei.c | 20 +++++++++++++++-----
> include/linux/fs.h | 9 +++++++--
> 3 files changed, 39 insertions(+), 7 deletions(-)
>
> diff --git a/fs/inode.c b/fs/inode.c
> index da85e56..1930b45 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -25,6 +25,7 @@
> #include <linux/async.h>
> #include <linux/posix_acl.h>
> #include <linux/ima.h>
> +#include <linux/cred.h>
>
> /*
> * This is needed for the following functions:
> @@ -1722,3 +1723,19 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
> inode->i_mode = mode;
> }
> EXPORT_SYMBOL(inode_init_owner);
> +
> +/*
> + * return 1 if current either has CAP_FOWNER to the
> + * file, or owns the file.
> + */
> +int is_owner_or_cap(const struct inode *inode)
> +{
> + struct user_namespace *ns = inode_userns(inode);
> +
> + if (current_user_ns() == ns && current_fsuid() == inode->i_uid)
> + return 1;
> + if (ns_capable(ns, CAP_FOWNER))
> + return 1;
> + return 0;
> +}
> +EXPORT_SYMBOL(is_owner_or_cap);
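Review bot: the comment above is_owner_or_cap() still reads like the old macro's description and says nothing about why the uid comparison is gated on current_user_ns() == ns. A uid only names the same user when both sides live in one user namespace, and with this patch's interim inode_userns() (always &init_user_ns) a task in any other namespace can never pass the ownership test and is left with the CAP_FOWNER path alone. Suggest saying both things in the comment, e.g. "uids are only comparable within one user namespace; a caller from another namespace must hold CAP_FOWNER over the inode's namespace". The ordering itself is right: the cheap ownership test runs before ns_capable(), so the capability is only consulted when needed.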
> diff --git a/fs/namei.c b/fs/namei.c
> index 9e701e2..cfac5b4 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -176,6 +176,9 @@ static int acl_permission_check(struct inode *inode, int mask, unsigned int flag
>
> mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
>
> + if (current_user_ns() != inode_userns(inode))
> + goto other_perms;
> +
> if (current_fsuid() == inode->i_uid)
> mode >>= 6;
> else {
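Review bot: the `goto other_perms` jumps over the whole owner/group branch, so a caller from another user namespace is evaluated purely against the world bits of `mode`. That is the safe direction, but nothing in the hunk says it is deliberate; a one-line comment at the goto ("uids/gids from another user namespace do not map onto ours: treat the caller as other") would stop the next reader from taking it for a missed case. Since the label lands just before the "DACs are ok" check in the following hunk, the capability overrides further down still run for such callers, so ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE) becomes the only way a foreign-namespace task gets past generic_permission(); worth stating that in the changelog too.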
> @@ -189,6 +192,7 @@ static int acl_permission_check(struct inode *inode, int mask, unsigned int flag
> mode >>= 3;
> }
>
> +other_perms:
> /*
> * If the DACs are ok we don't need any capability check.
> */
> @@ -230,7 +234,7 @@ int generic_permission(struct inode *inode, int mask, unsigned int flags,
> * Executable DACs are overridable if at least one exec bit is set.
> */
> if (!(mask & MAY_EXEC) || execute_ok(inode))
> - if (capable(CAP_DAC_OVERRIDE))
> + if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
> return 0;
>
> /*
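Review bot: inode_userns(inode) is expanded here for CAP_DAC_OVERRIDE and again for CAP_DAC_READ_SEARCH in the next hunk, while exec_permission() below hoists it into a local `ns`. It costs nothing today because the macro is a constant, but the changelog's next step derives it from inode->i_sb->s_user_ns, at which point each expansion becomes a pointer chase on the permission fast path. Suggest the same `struct user_namespace *ns = inode_userns(inode);` local here so the two functions follow one pattern.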
> @@ -238,7 +242,7 @@ int generic_permission(struct inode *inode, int mask, unsigned int flags,
> */
> mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
> if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
> - if (capable(CAP_DAC_READ_SEARCH))
> + if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
> return 0;
>
> return -EACCES;
> @@ -675,6 +679,7 @@ force_reval_path(struct path *path, struct nameidata *nd)
> static inline int exec_permission(struct inode *inode, unsigned int flags)
> {
> int ret;
> + struct user_namespace *ns = inode_userns(inode);
>
> if (inode->i_op->permission) {
> ret = inode->i_op->permission(inode, MAY_EXEC, flags);
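Review bot: `ns` is computed at function entry, before the filesystem's own ->permission hook is consulted, so on every path decided by that hook (or by the -ECHILD return in the next hunk) the value is never used. exec_permission() runs for each path component, including under RCU walk, so once inode_userns() stops being a constant this is a wasted load on the hottest lookup path. Either move the assignment down next to the two ns_capable() calls or use the macro inline there, as the generic_permission() hunk does.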
> @@ -687,7 +692,7 @@ static inline int exec_permission(struct inode *inode, unsigned int flags)
> if (ret == -ECHILD)
> return ret;
>
> - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
> + if (ns_capable(ns, CAP_DAC_OVERRIDE) || ns_capable(ns, CAP_DAC_READ_SEARCH))
> goto ok;
>
> return ret;
> @@ -1940,11 +1945,15 @@ static inline int check_sticky(struct inode *dir, struct inode *inode)
>
> if (!(dir->i_mode & S_ISVTX))
> return 0;
> + if (current_user_ns() != inode_userns(inode))
> + goto other_userns;
> if (inode->i_uid == fsuid)
> return 0;
> if (dir->i_uid == fsuid)
> return 0;
> - return !capable(CAP_FOWNER);
> +
> +other_userns:
> + return !ns_capable(inode_userns(inode), CAP_FOWNER);
> }
>
> /*
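Review bot: the label-and-goto here evaluates inode_userns(inode) twice and does what a plain conditional would do more readably:
    if (current_user_ns() == inode_userns(inode))
        if (inode->i_uid == fsuid || dir->i_uid == fsuid)
            return 0;
    return !ns_capable(inode_userns(inode), CAP_FOWNER);
with the namespace hoisted into a local. Separately, the namespace test looks only at the child inode while the second uid compared is dir->i_uid; that is fine as long as dir and inode always share a user namespace, which the planned per-superblock ownership guarantees because both sit on one superblock, but a short comment would keep a later per-inode scheme from silently breaking the assumption.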
> @@ -2635,7 +2644,8 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
> if (error)
> return error;
>
> - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
> + if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
> + !ns_capable(inode_userns(dir), CAP_MKNOD))
> return -EPERM;
>
> if (!dir->i_op->mknod)
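Review bot: asking for CAP_MKNOD over inode_userns(dir) is the right namespace for the directory, but a device node is not a namespaced object: the dev_t stored in it names a host driver, and opening it bypasses everything this series is scoping. Today the macro makes this identical to the old global capable(CAP_MKNOD), so behaviour is unchanged; the changelog's next step, superblocks owned by a user_ns, would however let a CAP_MKNOD holder in a child namespace create char and block nodes on its own filesystems. Please record in the commit message what will keep such nodes from being opened (for example, such mounts being forced nodev), or keep this particular check against init_user_ns until that is in place.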
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index bd32159..c84417a 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -1446,8 +1446,13 @@ enum {
> #define put_fs_excl() atomic_dec(¤t->fs_excl)
> #define has_fs_excl() atomic_read(¤t->fs_excl)
>
> -#define is_owner_or_cap(inode) \
> - ((current_fsuid() == (inode)->i_uid) || capable(CAP_FOWNER))
> +/*
> + * until VFS tracks user namespaces for inodes, just make all files
> + * belong to init_user_ns
> + */
> +extern struct user_namespace init_user_ns;
> +#define inode_userns(inode) (&init_user_ns)
> +extern int is_owner_or_cap(const struct inode *inode);
>
> /* not quite ready to be deprecated, but... */
> extern void lock_super(struct super_block *);
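To make the effect of the patch concrete, here is an added example in C that is not part of the patch, of Serge's series, or of the kernel tree: a user-space model of is_owner_or_cap() and of the acl_permission_check()/generic_permission() logic as changed above, run against constructed tasks and inodes. Everything in it is an assumption made for illustration: the two-level namespace tree, the sample creds and inodes, the omission of group and ACL handling, and the ns_capable() rule (a simplified reading of patch 2/9 in this series: a capability held in a namespace applies to that namespace and its descendants). The first printed line is the case in the subject of the patch: uid 1000 in a child namespace asking for a file owned by uid 1000 of the init namespace, which the old uid-only comparison would have treated as the owner.

```c
/*
 * Added example, not code from the patch or the kernel: a user-space model
 * of the namespace-aware DAC checks.  The namespace tree, creds and inodes
 * are constructed sample data; group/ACL handling is left out; ns_capable()
 * follows an assumed, simplified rule (cap held in a namespace applies to
 * that namespace and its descendants).
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_DAC_OVERRIDE    (1u << 0)
#define CAP_DAC_READ_SEARCH (1u << 1)
#define CAP_FOWNER          (1u << 2)
#define CAP_ALL             (CAP_DAC_OVERRIDE | CAP_DAC_READ_SEARCH | CAP_FOWNER)

#define MAY_EXEC  1u	/* same bit layout as the kernel: rwx == 4,2,1 */
#define MAY_WRITE 2u
#define MAY_READ  4u

struct user_namespace { const struct user_namespace *parent; const char *name; };
struct cred  { const struct user_namespace *ns; uint32_t fsuid; uint32_t caps; };
struct inode { const struct user_namespace *ns; uint32_t uid; unsigned mode; bool is_dir; };

/* Assumed model of ns_capable(): the cap must be in the caller's set and the
 * caller's namespace must be `target` or one of its ancestors. */
static bool ns_capable(const struct cred *c, const struct user_namespace *target, uint32_t cap)
{
	if (!(c->caps & cap))
		return false;
	for (const struct user_namespace *n = target; n; n = n->parent)
		if (n == c->ns)
			return true;
	return false;
}

/* is_owner_or_cap() as in the patch: uid equality counts only inside one
 * user namespace; otherwise CAP_FOWNER over the inode's namespace is needed. */
static bool is_owner_or_cap(const struct cred *c, const struct inode *i)
{
	if (c->ns == i->ns && c->fsuid == i->uid)
		return true;
	return ns_capable(c, i->ns, CAP_FOWNER);
}

/* acl_permission_check() + generic_permission() after the patch, minus the
 * group and ACL paths: a caller from another namespace gets only the "other"
 * bits, and the capability overrides are asked of the inode's namespace. */
static int generic_permission(const struct cred *c, const struct inode *i, unsigned mask)
{
	unsigned mode = i->mode;

	mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
	if (c->ns == i->ns && c->fsuid == i->uid)
		mode >>= 6;	/* owner bits; a foreign namespace stays on "other" */
	if ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
		return 0;	/* DACs are ok, no capability check needed */

	/* execute_ok(): exec is overridable on directories or if any x bit is set */
	if (!(mask & MAY_EXEC) || i->is_dir || (i->mode & 0111))
		if (ns_capable(c, i->ns, CAP_DAC_OVERRIDE))
			return 0;
	if (mask == MAY_READ || (i->is_dir && !(mask & MAY_WRITE)))
		if (ns_capable(c, i->ns, CAP_DAC_READ_SEARCH))
			return 0;
	return -EACCES;
}

/* Constructed sample data: an init namespace and one child of it. */
static const struct user_namespace init_ns  = { NULL,     "init"  };
static const struct user_namespace child_ns = { &init_ns, "child" };

static const struct cred host_root      = { &init_ns,  0,    CAP_ALL };
static const struct cred container_root = { &child_ns, 0,    CAP_ALL };
static const struct cred container_user = { &child_ns, 1000, 0       };

static const struct inode host_file = { &init_ns,  1000, 0600, false };	/* uid 1000 of init_ns */
static const struct inode ctr_file  = { &child_ns, 1000, 0600, false };	/* uid 1000 of child_ns */
static const struct inode ctr_dir   = { &child_ns, 0,    0700, true  };

int main(void)
{
	printf("child uid 1000 -> init uid 1000 file (same number): %d\n",
	       generic_permission(&container_user, &host_file, MAY_READ));
	printf("child root -> init-ns file:                         %d\n",
	       generic_permission(&container_root, &host_file, MAY_READ));
	printf("init root -> child-ns file:                         %d\n",
	       generic_permission(&host_root, &ctr_file, MAY_WRITE));
	printf("child root -> child-ns file owned by uid 1000:      %d\n",
	       generic_permission(&container_root, &ctr_file, MAY_READ));
	printf("child root is_owner_or_cap on child-ns dir:         %d\n",
	       is_owner_or_cap(&container_root, &ctr_dir));
	return 0;
}
```

Two results carry the point of the patch: the numerically equal uids in different namespaces no longer match, so the first case fails with -EACCES where the old code would have granted owner access; and root in the child namespace is refused CAP_DAC_OVERRIDE over an init-namespace inode while root in the init namespace still overrides inside the child, because in the assumed model a capability only reaches down the namespace tree, never up.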