From: Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Cc: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
"Serge E. Hallyn"
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
Seth Forshee
<seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
LSM
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>,
"Andrew G. Morgan"
<morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Michael Kerrisk-manpages
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [PATCH RFC] user-namespaced file capabilities - now with more magic
Date: Fri, 20 May 2016 07:19:10 -0400
Message-ID: <1463743150.2465.100.camel@linux.vnet.ibm.com>
In-Reply-To: <20160520034048.GA31216-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn wrote:
> Quoting Mimi Zohar (zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org):
> > On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote:
> > > diff --git a/fs/xattr.c b/fs/xattr.c
> > > index 4861322..5c0e7ae 100644
> > > --- a/fs/xattr.c
> > > +++ b/fs/xattr.c
> > > @@ -94,11 +94,26 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
> > > {
> > > struct inode *inode = dentry->d_inode;
> > > int error = -EOPNOTSUPP;
> > > + void *wvalue = NULL;
> > > + size_t wsize = 0;
> > > int issec = !strncmp(name, XATTR_SECURITY_PREFIX,
> > > XATTR_SECURITY_PREFIX_LEN);
> > >
> > > - if (issec)
> > > + if (issec) {
> > > inode->i_flags &= ~S_NOSEC;
> > > + /* if root in a non-init user_ns tries to set
> > > + * security.capability, write a security.nscapability
> > > + * in its place */
> > > + if (!strcmp(name, "security.capability") &&
> > > + current_user_ns() != &init_user_ns) {
> > > + cap_setxattr_make_nscap(dentry, value, size, &wvalue, &wsize);
> > > + if (!wvalue)
> > > + return -EPERM;
> > > + value = wvalue;
> > > + size = wsize;
> > > + name = "security.nscapability";
> > > + }
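Review bot: the `if (!wvalue) return -EPERM;` check after cap_setxattr_make_nscap() folds every failure of the helper into EPERM, since the only signal it gets back is a NULL wvalue; an allocation failure while building the nscapability value would be reported to userspace as a permission error. Have the helper return an int (0, -EPERM, -ENOMEM) and propagate that instead, which also suits the single-call shape `if (!cap_setxattr_makenscap(dentry, &value, &size, &name))` proposed later in the thread if the return is an error code rather than a bool. Two further points on the same lines: wvalue replaces the caller's value buffer, but nothing in the visible lines releases it, so the remainder of __vfs_setxattr_noperm() must free it on both the success and the error paths once the handler has run; and the capable_wrt_inode_uidgid() check lives inside the helper, so the `current_user_ns() != &init_user_ns` test is the only gate visible in this hunk, which makes the permission logic hard to review at the call site.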
> >
> > The call to capable_wrt_inode_uidgid() is hidden behind
> > cap_setxattr_make_nscap(). Does it make sense to call it here instead,
> > before the security.capability test? This would lay the foundation for
> > doing something similar for IMA.
>
> Might make sense to move that. Though looking at it with fresh eyes I wonder
> whether adding less code here at __vfs_setxattr_noperm(), i.e.
>
> if (!cap_setxattr_makenscap(dentry, &value, &size, &name))
> return -EPERM;
>
> would be cleaner.
Yes, it would be cleaner, but I'm suggesting you do all the hard work
making it generic. Then the rest of us can follow your lead. It's more
likely that you'll get it right. At a high level, it might look like:
/* Permit root in a non-init user_ns to modify the security
 * namespace xattr equivalents (e.g. nscapability, ns_ima, etc).
 */
if ((current_user_ns() != &init_user_ns) &&
    capable_wrt_inode_uidgid(inode, CAP_SETFCAP)) {
	if security.capability
		call capability /* set nscapability? */
	else if security.ima
		call ima /* set ns_ima? */
}
Mimi