From: Seth Forshee <seth.forshee@canonical.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Serge H. Hallyn" <serge.hallyn@ubuntu.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Michael j Theall <mtheall@us.ibm.com>,
Miklos Szeredi <miklos@szeredi.hu>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
fuse-devel@lists.sourceforge.net
Subject: Re: [fuse-devel] [PATCH v4 4/5] fuse: Support privileged xattrs only with a mount option
Date: Thu, 23 Oct 2014 16:24:51 -0500 [thread overview]
Message-ID: <20141023212451.GA141706@ubuntu-hedt> (raw)
In-Reply-To: <CALCETrUTxsH=p8QhK80Z3nS3JHT-14-BC0Q1bmAm29UYBo69tA@mail.gmail.com>
On Thu, Oct 23, 2014 at 11:32:41AM -0700, Andy Lutomirski wrote:
> On Oct 21, 2014 9:59 PM, "Seth Forshee" <seth.forshee@canonical.com> wrote:
> >
> > On Tue, Oct 21, 2014 at 02:27:13PM -0700, Andy Lutomirski wrote:
> > > On Tue, Oct 21, 2014 at 2:21 PM, Seth Forshee
> > >
> > > > return s;
> > > >
> > > > fail:
> > > > diff --git a/fs/xattr.c b/fs/xattr.c
> > > > index 64e83efb742d..383bb9f25555 100644
> > > > --- a/fs/xattr.c
> > > > +++ b/fs/xattr.c
> > > > @@ -40,6 +40,12 @@ xattr_permission(struct inode *inode, const char *name, int mask)
> > > > return -EPERM;
> > > > }
> > > >
> > > > + /* Restrict security.* and trusted.* to mounts from init_user_ns. */
> > > > + if (inode->i_sb->s_user_ns != &init_user_ns &&
> > > > + (!strcmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) ||
> > > > + !strcmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)))
> > > > + return -EPERM;
> > > > +
> > >
> > > trusted.* should be fine already, I think -- it checks global
> > > capabilities. And I still think that security.* should be left to
> > > LSMs, which IMO really do need to be fixed for user namespaces.
> > >
> > > But how does this help with FUSE at all? Does FUSE end up calling
> > > xattr_permission?
> >
> > It gets called from vfs_getxattr, and thus for the getxattr syscall for
> > all fs types, so this would block reading any trusted.* xattrs from the
> > fuse userspace process.
>
> Oh. It seems weird to me that getxattr would get an error instead of
> FUSE being prevented from setting those attributes.
>
> I'm still unconvinced that this is the right approach. And anything
> that tries to use LSMs in a container will eventually want those
> attributes.
I suppose so. I'll have to think about this some more.
Thanks,
Seth
next prev parent reply other threads:[~2014-10-23 21:25 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-14 14:25 [PATCH v4 0/5] fuse: Add support for mounts from pid/user namespaces Seth Forshee
2014-10-14 14:25 ` [PATCH v4 2/5] fuse: Support fuse filesystems outside of init_user_ns Seth Forshee
2014-10-15 14:49 ` Andy Lutomirski
2014-10-15 15:05 ` Seth Forshee
2014-10-15 17:05 ` Andy Lutomirski
2014-10-15 22:59 ` Seth Forshee
2014-10-15 23:07 ` Andy Lutomirski
[not found] ` <CALCETrWuc8x60A9v9xSL1Jbk0ZgiXsL_o20wc0PyPDgO9g6BRg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-15 23:24 ` Seth Forshee
[not found] ` <1413296756-25071-1-git-send-email-seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2014-10-14 14:25 ` [PATCH v4 1/5] fuse: Add support for pid namespaces Seth Forshee
2014-10-14 14:25 ` [PATCH v4 3/5] fuse: Restrict allow_other to uids already controlled by the user Seth Forshee
2014-10-15 14:58 ` Andy Lutomirski
[not found] ` <543E8BB3.6040701-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2014-10-15 15:11 ` Seth Forshee
2014-10-14 14:25 ` [PATCH v4 4/5] fuse: Support privileged xattrs only with a mount option Seth Forshee
2014-10-14 18:12 ` [fuse-devel] " Michael j Theall
2014-10-14 20:01 ` Eric W. Biederman
2014-10-14 20:59 ` Seth Forshee
2014-10-14 21:13 ` Eric W. Biederman
2014-10-14 21:19 ` Andy Lutomirski
2014-10-14 21:29 ` Eric W. Biederman
2014-10-15 7:39 ` Seth Forshee
2014-10-15 14:37 ` Andy Lutomirski
2014-10-21 21:21 ` Seth Forshee
2014-10-21 21:27 ` Andy Lutomirski
2014-10-21 21:34 ` Michael j Theall
2014-10-21 21:44 ` Andy Lutomirski
2014-10-22 4:58 ` Seth Forshee
2014-10-23 18:32 ` Andy Lutomirski
2014-10-23 21:24 ` Seth Forshee [this message]
2014-10-14 14:25 ` [PATCH v4 5/5] fuse: Allow user namespace mounts Seth Forshee
2014-10-15 14:58 ` Andy Lutomirski
2014-10-15 15:20 ` Seth Forshee
2014-10-15 23:08 ` Andy Lutomirski
2014-10-15 23:07 ` Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141023212451.GA141706@ubuntu-hedt \
--to=seth.forshee@canonical.com \
--cc=ebiederm@xmission.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=miklos@szeredi.hu \
--cc=mtheall@us.ibm.com \
--cc=serge.hallyn@ubuntu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).