From mboxrd@z Thu Jan 1 00:00:00 1970 From: Serge Hallyn Subject: Re: [PATCH 30/43] userns: Fail exec for suid and sgid binaries with ids outside our user namespace. Date: Tue, 24 Apr 2012 10:10:40 -0500 Message-ID: <20120424151040.GA2979@ubuntu> References: <1333862139-31737-30-git-send-email-ebiederm@xmission.com> <20120418190927.GK5186@mail.hallyn.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Cc: Linux Containers , linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Cyrill Gorcunov , linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Al Viro , linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Andrew Morton , Linus Torvalds To: "Eric W. Biederman" Return-path: Content-Disposition: inline In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org List-Id: linux-fsdevel.vger.kernel.org Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org): > "Serge E. Hallyn" writes: > > > Quoting Eric W. Beiderman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org): > >> From: Eric W. Biederman > >> > > > > Oh, perhaps this is the right place in the thread to discuss the issue of > > what to do with file capabilities? I'm ok waiting until the next iteration > > to even discuss it, so long as we start by refusing setting of fcaps by > > any task not in init_user_ns. > > For now we do refuse all callers in the init_user_ns because that path > is protected by a capable and not an ns_capable call. > > And as a general policy I have pushed all of the changes from capable to > ns_capable out till after we get these other user namespace bits so we > can get the patches reviewed so hopefully don't enable something that is > not safe. > > Let's just note here that when we ever get a filesystem mounted in > something other than the init_user_ns or otherwise allow file > capabilities that do not belong to the init_user_ns we need to an > additional exec check to avoid a security issue for processes in the > init_user_ns using those credentials. > > The other direction the init_user_ns setting file caps on a file and use > using them in a child namespace seems safe, and practical because of the > way we handle capabilities. Aka if you have a capability in an outer > user namespace you also have it in a child user namespace. Which means > a file cap exec today will give you just the capabilities in the child > user namespace. > > Something else to think about when we reach filesystems mounted in > different user namespaces (aka unprivileged mounts) are security > labels on files in different user namespaces. Not any kind of immediate > concern but something we may have to handle eventually. An interesting concern to discuss at the security mini-summit (or just at the UDS session). -serge