From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Christian Brauner <christian.brauner@ubuntu.com>,
lkml <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linuxfoundation.org>,
Kees Cook <keescook@chromium.org>,
"Andrew G. Morgan" <morgan@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
security@kernel.org, Tycho Andersen <tycho@tycho.ws>,
Andy Lutomirski <luto@kernel.org>
Subject: Re: [PATCH v3.4] capabilities: require CAP_SETFCAP to map uid 0
Date: Wed, 21 Apr 2021 14:16:34 -0500 [thread overview]
Message-ID: <m15z0fphwt.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20210420134334.GA11582@mail.hallyn.com> (Serge E. Hallyn's message of "Tue, 20 Apr 2021 08:43:34 -0500")
"Serge E. Hallyn" <serge@hallyn.com> writes:
> +/**
> + * verify_root_map() - check the uid 0 mapping
> + * @file: idmapping file
> + * @map_ns: user namespace of the target process
> + * @new_map: requested idmap
> + *
> + * If a process requests mapping parent uid 0 into the new ns, verify that the
> + * process writing the map had the CAP_SETFCAP capability as the target process
> + * will be able to write fscaps that are valid in ancestor user namespaces.
> + *
> + * Return: true if the mapping is allowed, false if not.
> + */
> +static bool verify_root_map(const struct file *file,
> + struct user_namespace *map_ns,
> + struct uid_gid_map *new_map)
> +{
> + int idx;
> + const struct user_namespace *file_ns = file->f_cred->user_ns;
> + struct uid_gid_extent *extent0 = NULL;
> +
> + for (idx = 0; idx < new_map->nr_extents; idx++) {
> + if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
> + extent0 = &new_map->extent[idx];
> + else
> + extent0 = &new_map->forward[idx];
> + if (extent0->lower_first == 0)
> + break;
> +
> + extent0 = NULL;
> + }
> +
> + if (!extent0)
> + return true;
> +
> + if (map_ns == file_ns) {
> + /* The process unshared its ns and is writing to its own
> + * /proc/self/uid_map. User already has full capabilites in
> + * the new namespace. Verify that the parent had CAP_SETFCAP
> + * when it unshared.
> + * */
> + if (!file_ns->parent_could_setfcap)
> + return false;
> + } else {
> + /* Process p1 is writing to uid_map of p2, who is in a child
> + * user namespace to p1's. Verify that the opener of the map
> + * file has CAP_SETFCAP against the parent of the new map
> + * namespace */
> + if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP))
> + return false;
> + }
Is there any reason this permission check is not simply:
return map_ns->parent_could_setfcap ||
file_ns_capable(file, map_ns->parent, CAP_SETFCAP);
That is why don't we allow any mapping (that is otherwise valid) in user
namespaces whose creator had the permission to call CAP_SETFCAP?
Why limit the case of using the creators permissions to only the case of
mapping just a single uid (that happens to be the current euid) in the
user namespace?
I don't see any safety reasons for the map_ns == file_ns test.
Is the file_ns_capable check for CAP_SETFCAP actually needed? AKA could
the permission check be simplified to:
return map_ns->parent_could_setfcap;
That would be a much easier rule to explain to people.
I seem to remember distributions at least trying to make newuidmap have
just CAP_SETUID and newgidmap have just CAP_SETGID. Such a simplified
check would facilitate that.
Eric
next prev parent reply other threads:[~2021-04-21 19:18 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-16 4:58 [RFC PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3) Serge E. Hallyn
2021-04-16 15:05 ` Christian Brauner
2021-04-16 21:34 ` Serge E. Hallyn
2021-04-17 2:19 ` Serge E. Hallyn
2021-04-17 20:04 ` [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.2) Serge E. Hallyn
2021-04-18 17:21 ` Christian Brauner
2021-04-18 21:19 ` Eric W. Biederman
2021-04-19 15:52 ` Giuseppe Scrivano
2021-04-19 16:02 ` Christian Brauner
2021-04-20 13:40 ` Serge E. Hallyn
2021-04-19 12:25 ` [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.3) Serge E. Hallyn
2021-04-19 16:09 ` Christian Brauner
2021-04-20 3:42 ` Serge E. Hallyn
2021-04-20 8:31 ` Christian Brauner
2021-04-20 13:43 ` [PATCH v3.4] capabilities: require CAP_SETFCAP to map uid 0 Serge E. Hallyn
2021-04-20 16:47 ` Christian Brauner
2021-04-20 17:33 ` Linus Torvalds
2021-04-21 8:26 ` Christian Brauner
2021-04-21 19:16 ` Eric W. Biederman [this message]
2021-04-22 13:20 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m15z0fphwt.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=christian.brauner@ubuntu.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=morgan@kernel.org \
--cc=security@kernel.org \
--cc=serge@hallyn.com \
--cc=torvalds@linuxfoundation.org \
--cc=tycho@tycho.ws \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.