From: Seth Forshee <seth.forshee@canonical.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
Serge Hallyn <serge.hallyn@canonical.com>,
Andy Lutomirski <luto@amacapital.net>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts
Date: Fri, 17 Jul 2015 08:21:46 -0500 [thread overview]
Message-ID: <20150717132146.GA65566@ubuntu-hedt> (raw)
In-Reply-To: <55A8253E.3000407@schaufler-ca.com>
On Thu, Jul 16, 2015 at 02:42:22PM -0700, Casey Schaufler wrote:
<snip>
> > I welcome feedback about anything I've missed, but stating generally
> > that you think I probably missed something isn't very helpful.
>
> True enough. I hope I've explained myself above.
Thanks, that definitely clarified where we were having a disconnect.
Andy's done a fantastic job explaining how those concerns are addressed.
> > The LSM issue is thornier than the rest of it though, which is why I
> > specifically asked for review there in the cover letter. There's a lot
> > of complexity and nuance, and I still don't have a grasp on all the
> > subtleties. One such subtlety is the full impact of simply ignoring the
> > security labels on disk (but I am still confused as to why this is
> > different from filesystems which don't support xattrs at all).
>
> If you can mount a filesystem such that the labels are ignored you
> are effectively specifying that the Smack label on the files be
> determined by the defaulting rules. With CAP_MAC_ADMIN that's fine.
> Without it, it's not.
>
> > I was unaware of Lukasz's patches until yesterday, and I will have a
> > look at them. But since we don't have the LSM support for user
> > namespaces yet, I don't see the problem with doing something safe for
> > LSMs initially and evolving the LSM integration for user ns mounts along
> > with the rest of the user ns integration.
>
> Ignoring the security attributes is not safe!
Understood. It's surely safe for each LSM to deny such mounts until it
has a way to handle them safely though.
I'm not trying to completely punt on the issue of security modules, just
break this down into more manageable chunks. You've given good guidance
for Smack (thanks very much for that), so I can plan to work on that
soon.
> > Your point is taken about my less-than-expert opinion about the other
> > security modules. We should at minimum get acks from the maintainers of
> > those modules that unprivileged mounts will not compromise MAC.
>
> I am the Smack maintainer. Unprivileged mounts as you have
> described them compromise MAC. They compromise DAC, too.
It looks like Andy's more or less convinced you that DAC isn't
(additionally?) compromised. And there's a plan for MAC, that the
security module can deny mounts from user namespaces until it has a
solution for allowing them safely.
> > For Smack specifically, I believe my only concern was the SMACK64EXEC
> > attribute, as all the other attributes only affected subjects' access to
> > the files. So maybe it would be possible to simply ignore this attribute
> > in unprivileged mounts and respect the others, even lacking more
> > complete LSM support for user namespaces.
>
> SMACK64EXEC is analogous to the setuid bit, but I would rather see
> exec() of programs with this attribute refused that for it to be
> blindly ignored.
That's fine, it's your call.
Thanks,
Seth
next prev parent reply other threads:[~2015-07-17 13:21 UTC|newest]
Thread overview: 117+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-15 19:46 [PATCH 0/7] Initial support for user namespace owned mounts Seth Forshee
2015-07-15 19:46 ` [PATCH 1/7] fs: Add user namesapace member to struct super_block Seth Forshee
2015-07-16 2:47 ` Eric W. Biederman
2015-08-05 21:03 ` Seth Forshee
2015-08-05 21:19 ` Eric W. Biederman
2015-08-06 14:20 ` Seth Forshee
2015-08-06 14:51 ` Stephen Smalley
2015-08-06 15:44 ` Seth Forshee
2015-08-06 16:11 ` Stephen Smalley
2015-08-07 14:16 ` Seth Forshee
2015-08-07 14:32 ` Seth Forshee
2015-08-07 18:35 ` Casey Schaufler
2015-08-07 18:57 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 2/7] userns: Simpilify MNT_NODEV handling Seth Forshee
2015-07-15 19:46 ` [PATCH 3/7] fs: Ignore file caps in mounts from other user namespaces Seth Forshee
2015-07-15 21:48 ` Serge E. Hallyn
2015-07-15 21:50 ` Andy Lutomirski
2015-07-15 22:35 ` Eric W. Biederman
2015-07-16 1:14 ` Seth Forshee
2015-07-16 1:23 ` Andy Lutomirski
2015-07-16 13:06 ` Seth Forshee
2015-07-16 1:19 ` Andy Lutomirski
2015-07-16 4:23 ` Eric W. Biederman
2015-07-16 4:49 ` Andy Lutomirski
2015-07-16 5:04 ` Eric W. Biederman
2015-07-16 5:15 ` Andy Lutomirski
2015-07-16 5:44 ` Eric W. Biederman
2015-07-16 13:13 ` Seth Forshee
2015-07-17 0:43 ` Eric W. Biederman
2015-07-29 16:04 ` Serge E. Hallyn
2015-07-29 16:18 ` Serge E. Hallyn
2015-07-15 19:46 ` [PATCH 4/7] fs: Treat foreign mounts as nosuid Seth Forshee
2015-07-17 6:46 ` Nikolay Borisov
2015-07-15 19:46 ` [PATCH 5/7] security: Restrict security attribute updates for userns mounts Seth Forshee
2015-07-15 19:46 ` [PATCH 6/7] selinux: Ignore security labels on user namespace mounts Seth Forshee
2015-07-16 13:23 ` Stephen Smalley
2015-07-22 16:02 ` Stephen Smalley
2015-07-22 16:14 ` Seth Forshee
2015-07-22 20:25 ` Stephen Smalley
2015-07-22 20:40 ` Stephen Smalley
2015-07-23 13:57 ` Stephen Smalley
2015-07-23 14:39 ` Seth Forshee
2015-07-23 15:36 ` Stephen Smalley
2015-07-23 16:23 ` Seth Forshee
2015-07-24 15:11 ` Seth Forshee
2015-07-30 15:57 ` Stephen Smalley
2015-07-30 16:24 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 7/7] smack: Don't use security labels for " Seth Forshee
2015-07-15 20:43 ` Casey Schaufler
2015-07-15 20:36 ` [PATCH 0/7] Initial support for user namespace owned mounts Casey Schaufler
2015-07-15 21:06 ` Eric W. Biederman
2015-07-15 21:48 ` Seth Forshee
2015-07-15 22:28 ` Eric W. Biederman
2015-07-16 1:05 ` Andy Lutomirski
2015-07-16 2:20 ` Eric W. Biederman
2015-07-16 13:12 ` Stephen Smalley
2015-07-15 23:04 ` Casey Schaufler
2015-07-15 22:39 ` Casey Schaufler
2015-07-16 1:08 ` Andy Lutomirski
2015-07-16 2:54 ` Casey Schaufler
2015-07-16 4:47 ` Eric W. Biederman
2015-07-17 0:09 ` Dave Chinner
2015-07-17 0:42 ` Eric W. Biederman
2015-07-17 2:47 ` Dave Chinner
2015-07-21 17:37 ` J. Bruce Fields
2015-07-22 7:56 ` Dave Chinner
2015-07-22 14:09 ` J. Bruce Fields
2015-07-22 16:52 ` Austin S Hemmelgarn
2015-07-22 17:41 ` J. Bruce Fields
2015-07-23 1:51 ` Dave Chinner
2015-07-23 13:19 ` J. Bruce Fields
2015-07-23 23:48 ` Dave Chinner
2015-07-18 0:07 ` Serge E. Hallyn
2015-07-20 17:54 ` Colin Walters
2015-07-16 11:16 ` Lukasz Pawelczyk
2015-07-17 0:10 ` Eric W. Biederman
2015-07-17 10:13 ` Lukasz Pawelczyk
2015-07-16 3:15 ` Eric W. Biederman
2015-07-16 13:59 ` Seth Forshee
2015-07-16 15:09 ` Casey Schaufler
2015-07-16 18:57 ` Seth Forshee
2015-07-16 21:42 ` Casey Schaufler
2015-07-16 22:27 ` Andy Lutomirski
2015-07-16 23:08 ` Casey Schaufler
2015-07-16 23:29 ` Andy Lutomirski
2015-07-17 0:45 ` Casey Schaufler
2015-07-17 0:59 ` Andy Lutomirski
2015-07-17 14:28 ` Serge E. Hallyn
2015-07-17 14:56 ` Seth Forshee
2015-07-21 20:35 ` Seth Forshee
2015-07-22 1:52 ` Casey Schaufler
2015-07-22 15:56 ` Seth Forshee
2015-07-22 18:10 ` Casey Schaufler
2015-07-22 19:32 ` Seth Forshee
2015-07-23 0:05 ` Casey Schaufler
2015-07-23 0:15 ` Eric W. Biederman
2015-07-23 5:15 ` Seth Forshee
2015-07-23 21:48 ` Casey Schaufler
2015-07-28 20:40 ` Seth Forshee
2015-07-30 16:18 ` Casey Schaufler
2015-07-30 17:05 ` Eric W. Biederman
2015-07-30 17:25 ` Seth Forshee
2015-07-30 17:33 ` Eric W. Biederman
2015-07-17 13:21 ` Seth Forshee [this message]
2015-07-17 17:14 ` Casey Schaufler
2015-07-16 15:59 ` Seth Forshee
-- strict thread matches above, loose matches on Subject: below --
2015-07-30 4:24 Amir Goldstein
2015-07-30 13:55 ` Seth Forshee
2015-07-30 14:47 ` Amir Goldstein
2015-07-30 15:33 ` Casey Schaufler
2015-07-30 15:52 ` Colin Walters
2015-07-30 16:15 ` Eric W. Biederman
2015-07-30 13:57 ` Serge Hallyn
2015-07-30 15:09 ` Amir Goldstein
2015-07-31 8:11 Amir Goldstein
2015-07-31 19:56 ` Casey Schaufler
2015-08-01 17:01 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150717132146.GA65566@ubuntu-hedt \
--to=seth.forshee@canonical.com \
--cc=casey@schaufler-ca.com \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).