From: Seth Forshee <seth.forshee@canonical.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
Richard Weinberger <richard.weinberger@gmail.com>,
Austin S Hemmelgarn <ahferroin7@gmail.com>,
Miklos Szeredi <mszeredi@redhat.com>,
Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org,
dm-devel@redhat.com, linux-raid@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
fuse-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
cgroups@vger.kernel.org
Subject: Re: [PATCH v3 14/21] fs: Allow superblock owner to change ownership of inodes with unmappable ids
Date: Mon, 25 Apr 2016 15:54:51 -0500 [thread overview]
Message-ID: <20160425205451.GA22516@ubuntu-hedt> (raw)
In-Reply-To: <20160425203047.GA29927@mail.hallyn.com>
On Mon, Apr 25, 2016 at 03:30:47PM -0500, Serge E. Hallyn wrote:
> Quoting Seth Forshee (seth.forshee@canonical.com):
> > In a userns mount some on-disk inodes may have ids which do not
> > map into s_user_ns, in which case the in-kernel inodes are owned
> > by invalid users. The superblock owner should be able to change
> > attributes of these inodes but cannot. However it is unsafe to
> > grant the superblock owner privileged access to all inodes in the
> > superblock since proc, sysfs, etc. use DAC to protect files which
> > may not belong to s_user_ns. The problem is restricted to only
> > inodes where the owner or group is an invalid user.
> >
> > We can work around this by allowing users with CAP_CHOWN in
> > s_user_ns to change an invalid owner or group id, so long as the
> > other id is either invalid or mappable in s_user_ns. After
> > changing ownership the user will be privileged towards the inode
> > and thus able to change other attributes.
> >
> > As an precaution, checks for invalid ids are added to the proc
> > and kernfs setattr interfaces. These filesystems are not expected
> > to have inodes with invalid ids, but if it does happen any
> > setattr operations will return -EPERM.
> >
> > Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
>
> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
>
> bug a request below,
>
> > ---
> > fs/attr.c | 47 +++++++++++++++++++++++++++++++++++++++--------
> > fs/kernfs/inode.c | 2 ++
> > fs/proc/base.c | 2 ++
> > fs/proc/generic.c | 3 +++
> > fs/proc/proc_sysctl.c | 2 ++
> > 5 files changed, 48 insertions(+), 8 deletions(-)
> >
> > diff --git a/fs/attr.c b/fs/attr.c
> > index 3cfaaac4a18e..a8b0931654a5 100644
> > --- a/fs/attr.c
> > +++ b/fs/attr.c
> > @@ -16,6 +16,43 @@
> > #include <linux/evm.h>
> > #include <linux/ima.h>
> >
> > +static bool chown_ok(const struct inode *inode, kuid_t uid)
> > +{
> > + struct user_namespace *user_ns;
> > +
> > + if (uid_eq(current_fsuid(), inode->i_uid) && uid_eq(uid, inode->i_uid))
> > + return true;
> > + if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> > + return true;
> > +
> > + user_ns = inode->i_sb->s_user_ns;
> > + if (!uid_valid(inode->i_uid) &&
> > + (!gid_valid(inode->i_gid) || kgid_has_mapping(user_ns, inode->i_gid)) &&
>
> This confused me to no end :) Perhaps a "is_unmapped_valid_gid()" helper
> would make it clearer what this is meant to do? Or else maybe a comment
> above chown_ok(), explaining that
>
> 1. for a blockdev, the uid is converted at inode read so that it is
> either mapped or invalid
> 2. for sysfs / etc, uid can be valid but not mapped into the userns
Even with a helper a comment is probably helpful to explain why. I'll do
that first, then see if a helper would make things any clearer.
Honestly, I had to think about the helper name you proposed for a minute
before it made sense even though I already understood the code ;-)
next prev parent reply other threads:[~2016-04-26 19:47 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-22 15:38 [PATCH v3 00/21] Support fuse mounts in user namespaces Seth Forshee
2016-04-22 15:38 ` [PATCH v3 01/21] fs: fix a posible leak of allocated superblock Seth Forshee
2016-04-22 15:38 ` [PATCH v3 02/21] fs: Remove check of s_user_ns for existing mounts in fs_fully_visible() Seth Forshee
2016-04-22 15:38 ` [PATCH v3 03/21] fs: Allow sysfs and cgroupfs to share super blocks between user namespaces Seth Forshee
2016-04-25 19:01 ` Serge E. Hallyn
2016-04-22 15:38 ` [PATCH v3 04/21] block_dev: Support checking inode permissions in lookup_bdev() Seth Forshee
2016-04-22 15:38 ` [PATCH v3 05/21] block_dev: Check permissions towards block device inode when mounting Seth Forshee
2016-04-22 15:38 ` [PATCH v3 06/21] fs: Treat foreign mounts as nosuid Seth Forshee
2016-04-22 15:38 ` [PATCH v3 07/21] selinux: Add support for unprivileged mounts from user namespaces Seth Forshee
2016-04-22 15:38 ` [PATCH v3 08/21] userns: Replace in_userns with current_in_userns Seth Forshee
2016-04-22 15:38 ` [PATCH v3 09/21] Smack: Handle labels consistently in untrusted mounts Seth Forshee
2016-04-22 15:38 ` [PATCH v3 10/21] fs: Check for invalid i_uid in may_follow_link() Seth Forshee
2016-04-22 15:38 ` [PATCH v3 11/21] cred: Reject inodes with invalid ids in set_create_file_as() Seth Forshee
2016-04-22 15:38 ` [PATCH v3 12/21] fs: Refuse uid/gid changes which don't map into s_user_ns Seth Forshee
2016-04-22 15:38 ` [PATCH v3 13/21] fs: Update posix_acl support to handle user namespace mounts Seth Forshee
2016-04-22 15:38 ` [PATCH v3 14/21] fs: Allow superblock owner to change ownership of inodes with unmappable ids Seth Forshee
2016-04-25 20:30 ` Serge E. Hallyn
2016-04-25 20:54 ` Seth Forshee [this message]
2016-04-22 15:38 ` [PATCH v3 15/21] fs: Don't remove suid for CAP_FSETID in s_user_ns Seth Forshee
2016-04-22 15:38 ` [PATCH v3 16/21] fs: Allow superblock owner to access do_remount_sb() Seth Forshee
2016-04-22 15:38 ` [PATCH v3 17/21] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Seth Forshee
2016-04-22 15:38 ` [PATCH v3 18/21] fuse: Add support for pid namespaces Seth Forshee
2016-04-22 15:38 ` [PATCH v3 19/21] fuse: Support fuse filesystems outside of init_user_ns Seth Forshee
2016-04-22 15:38 ` [PATCH v3 20/21] fuse: Restrict allow_other to the superblock's namespace or a descendant Seth Forshee
2016-04-22 15:38 ` [PATCH v3 21/21] fuse: Allow user namespace mounts Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160425205451.GA22516@ubuntu-hedt \
--to=seth.forshee@canonical.com \
--cc=ahferroin7@gmail.com \
--cc=cgroups@vger.kernel.org \
--cc=dm-devel@redhat.com \
--cc=ebiederm@xmission.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-bcache@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=ptikhomirov@virtuozzo.com \
--cc=richard.weinberger@gmail.com \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).