From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx2.mailbox.org ([80.241.60.215]:27686 "EHLO mx2.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S970986AbeEXP5n (ORCPT ); Thu, 24 May 2018 11:57:43 -0400 Date: Thu, 24 May 2018 17:57:37 +0200 From: Christian Brauner To: "Eric W. Biederman" Cc: Linux Containers , linux-fsdevel@vger.kernel.org, Seth Forshee , "Serge E. Hallyn" , linux-kernel@vger.kernel.org Subject: Re: [REVIEW][PATCH 5/6] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Message-ID: <20180524155737.GA19932@mailbox.org> References: <87o9h6554f.fsf@xmission.com> <20180523232538.4880-5-ebiederm@xmission.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20180523232538.4880-5-ebiederm@xmission.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Wed, May 23, 2018 at 06:25:37PM -0500, Eric W. Biederman wrote: > A privileged user in s_user_ns will generally have the ability to > manipulate the backing store and insert security.* xattrs into > the filesystem directly. Therefore the kernel must be prepared to > handle these xattrs from unprivileged mounts, and it makes little > sense for commoncap to prevent writing these xattrs to the > filesystem. The capability and LSM code have already been updated > to appropriately handle xattrs from unprivileged mounts, so it > is safe to loosen this restriction on setting xattrs. > > The exception to this logic is that writing xattrs to a mounted > filesystem may also cause the LSM inode_post_setxattr or > inode_setsecurity callbacks to be invoked. SELinux will deny the > xattr update by virtue of applying mountpoint labeling to > unprivileged userns mounts, and Smack will deny the writes for > any user without global CAP_MAC_ADMIN, so loosening the > capability check in commoncap is safe in this respect as well. Acked-by: Christian Brauner > > Signed-off-by: Seth Forshee > Acked-by: Serge Hallyn Note, I just talked to Serge. This should be Acked-by: Serge Hallyn > Signed-off-by: Eric W. Biederman > --- > security/commoncap.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/security/commoncap.c b/security/commoncap.c > index 1ce701fcb3f3..f4c33abd9959 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -919,6 +919,8 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) > int cap_inode_setxattr(struct dentry *dentry, const char *name, > const void *value, size_t size, int flags) > { > + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; > + > /* Ignore non-security xattrs */ > if (strncmp(name, XATTR_SECURITY_PREFIX, > sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) > @@ -931,7 +933,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, > if (strcmp(name, XATTR_NAME_CAPS) == 0) > return 0; > > - if (!capable(CAP_SYS_ADMIN)) > + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) > return -EPERM; > return 0; > } > @@ -949,6 +951,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, > */ > int cap_inode_removexattr(struct dentry *dentry, const char *name) > { > + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; > + > /* Ignore non-security xattrs */ > if (strncmp(name, XATTR_SECURITY_PREFIX, > sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) > @@ -964,7 +968,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) > return 0; > } > > - if (!capable(CAP_SYS_ADMIN)) > + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) > return -EPERM; > return 0; > } > -- > 2.14.1 >