From: Seth Forshee <seth.forshee@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Serge Hallyn <serge.hallyn@canonical.com>,
Richard Weinberger <richard.weinberger@gmail.com>,
Austin S Hemmelgarn <ahferroin7@gmail.com>,
Miklos Szeredi <miklos@szeredi.hu>,
linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org,
dm-devel@redhat.com, linux-raid@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
fuse-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes
Date: Thu, 3 Mar 2016 11:02:01 -0600 [thread overview]
Message-ID: <20160303170201.GA30224@ubuntu-hedt> (raw)
In-Reply-To: <1451930639-94331-12-git-send-email-seth.forshee@canonical.com>
On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote:
> The mounter of a filesystem should be privileged towards the
> inodes of that filesystem. Extend the checks in
> inode_owner_or_capable() and capable_wrt_inode_uidgid() to
> permit access by users priviliged in the user namespace of the
> inode's superblock.
Eric - I've discovered a problem related to this patch. The patches
you've already applied to your testing branch make it so that s_user_ns
can be an unprivileged user for proc and kernfs-based mounts. In some
cases DAC is the only thing protecting files in these mounts (ignoring
MAC), and with this patch an unprivileged user could bypass DAC.
There's a simple solution - always set s_user_ns to &init_user_ns for
those filesystems. I think this is the right thing to do, since the
backing store behind these filesystems are really kernel objects. But
this would break the assumption behind your patch "userns: Simpilify
MNT_NODEV handling" and cause a regression in mounting behavior.
I've come up with several possible solutions for this conflict.
1. Drop this patch and keep on setting s_user_ns to unprivilged users.
This would be unfortunate because I think this patch does make sense
for most filesystems.
2. Restrict this patch so that a user privileged towards s_user_ns is
only privileged towards the super blocks inodes if s_user_ns has a
mapping for both i_uid and i_gid. This is better than (1) but still
not ideal in my mind.
3. Drop your patch and maintain the current MNT_NODEV behavior.
4. Add a new s_iflags flag to indicate a super block is from an
unprivileged mount, and use this in your patch instead of s_user_ns.
Any preference, or any other ideas?
Thanks,
Seth
next prev parent reply other threads:[~2016-03-03 17:02 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-04 18:03 [PATCH RESEND v2 00/19] Support fuse mounts in user namespaces Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 01/18] block_dev: Support checking inode permissions in lookup_bdev() Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 10/18] fs: Update posix_acl support to handle user namespace mounts Seth Forshee
[not found] ` <1451930639-94331-1-git-send-email-seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2016-01-04 18:03 ` [PATCH RESEND v2 02/18] block_dev: Check permissions towards block device inode when mounting Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 03/18] fs: Treat foreign mounts as nosuid Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 04/18] selinux: Add support for unprivileged mounts from user namespaces Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 05/18] userns: Replace in_userns with current_in_userns Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 06/18] Smack: Handle labels consistently in untrusted mounts Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 07/18] fs: Check for invalid i_uid in may_follow_link() Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 08/18] cred: Reject inodes with invalid ids in set_create_file_as() Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 09/18] fs: Refuse uid/gid changes which don't map into s_user_ns Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes Seth Forshee
2016-03-03 17:02 ` Seth Forshee [this message]
2016-03-04 22:43 ` Eric W. Biederman
2016-03-06 15:48 ` Seth Forshee
2016-03-06 22:07 ` Eric W. Biederman
2016-03-07 13:32 ` Seth Forshee
2016-03-28 16:59 ` Seth Forshee
2016-03-30 1:36 ` Eric W. Biederman
2016-03-30 14:58 ` Seth Forshee
2016-03-30 20:18 ` Eric W. Biederman
2016-01-04 18:03 ` [PATCH RESEND v2 12/18] fs: Don't remove suid for CAP_FSETID in s_user_ns Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 13/18] fs: Allow superblock owner to access do_remount_sb() Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 14/18] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 15/18] fuse: Add support for pid namespaces Seth Forshee
2016-03-09 10:53 ` Miklos Szeredi
2016-03-09 14:17 ` Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 16/18] fuse: Support fuse filesystems outside of init_user_ns Seth Forshee
2016-03-09 11:29 ` Miklos Szeredi
2016-03-09 14:18 ` Seth Forshee
2016-03-09 14:48 ` Miklos Szeredi
[not found] ` <CAJfpegv5JmB15yHpjYxVeOYdWWkoLMftr9-e_iS93Y_7m=t4Zw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-09 15:25 ` Seth Forshee
2016-03-09 15:51 ` Miklos Szeredi
[not found] ` <CAJfpegv5KR_Hi-79a8oyb+R+tv9W3RYqy5pngUKSyauVNk2ScQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-09 17:07 ` Seth Forshee
2016-03-14 20:58 ` Miklos Szeredi
2016-03-25 20:31 ` Seth Forshee
2016-01-04 18:03 ` [PATCH RESEND v2 17/18] fuse: Restrict allow_other to the superblock's namespace or a descendant Seth Forshee
2016-03-09 11:40 ` Miklos Szeredi
2016-01-04 18:03 ` [PATCH RESEND v2 18/18] fuse: Allow user namespace mounts Seth Forshee
2016-03-09 13:08 ` Miklos Szeredi
2016-01-25 19:47 ` [PATCH RESEND v2 00/19] Support fuse mounts in user namespaces Seth Forshee
2016-01-25 20:01 ` Eric W. Biederman
2016-01-25 20:36 ` Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160303170201.GA30224@ubuntu-hedt \
--to=seth.forshee@canonical.com \
--cc=ahferroin7@gmail.com \
--cc=dm-devel@redhat.com \
--cc=ebiederm@xmission.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=linux-bcache@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=richard.weinberger@gmail.com \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).