From: serge@hallyn.com (Serge E. Hallyn)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 0/3] Enable namespaced file capabilities
Date: Fri, 23 Jun 2017 12:20:16 -0500
Message-ID: <20170623172016.GA19551@mail.hallyn.com>
In-Reply-To: <1498237641.3641.15.camel@HansenPartnership.com>

Quoting James Bottomley (James.Bottomley at HansenPartnership.com):
> On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey at schaufler-ca.com):
> > > Or maybe just security.ns.capability, taking James' comment into
> > > account.
> > 
> > That last one may be suitable as an option, useful for his particular
> > (somewhat barbaric :) use case, but it's not ok for the general
> > solution.
> > 
> > If uid 1000 was delegated the subuids 100000-199999, it should be 
> > able to write a file capability for use by his subuids, but that file
> > capability must not apply to other subuids.
> 
> I don't think it's barbaric, I think it's the common use case.  Let me

:)  sorry.  Yes, it is the common case, and even lxd does it that way.
But lxc itself does not, and while there are shortcomings (including
this one, file capabilities) which require 'barbaric' use of privilege
to set things up in some cases, I prefer we not get complacent and accept
it as proper.

> give a more comprehensible answer in terms of docker and IMA.  Let's
> suppose I'm running docker locally and in a test cloud both with userns
> enabled.
> 
> I build an image locally, mapping my uid (1000) to root.  If I begin
> with a standard base, each of the files has a security.ima signature. 
>  Now I add my layer, which involves updating a file, so I need to write
> a new signature to security.ima.  Because I'm running user namespaced,
> the update gets written at security.ima@uid=1000 when I do a docker
> save. 
> 
> Now supposing I deploy that image to a cloud.  As a tenant, the cloud
> gives me real uid 4531 and maps that to root.  Execution of the binary
> fails because it tries to use the underlying signature (in
> security.ima) as there is no xattr named security.ima@uid=4531

In this example, how do you, if you do, shift the owner of the file
into the mapped user namespace?  Or are you happy to have the file owned
by an invalid user nobody?  (There certainly are cases where that would
be ok, but I suspect you're shifting the file)

> So my essential point is that building the real kuid into the permanent
> record of the xattr damages image portability, which is touted as one
> of the real advantages of container images.

'container images' aren't portable in that sense now - for at least
many cases - because you have to shift the uid.  However you're doing
that, you may be able to shift the xattr the same way.

-serge
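An added illustration of the scenario James describes (not code from the patch set or from anyone in the thread): a small Python model of xattrs stored under `name@uid=N` with a fallback to the plain xattr, showing why a signature written while root maps to kuid 1000 fails to verify when root maps to kuid 4531, and how renaming the xattr along with the owner uid shift repairs it. The `@uid=` naming, the fallback lookup rule and the `fake_sig` digest are assumptions of this model.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class File:
    owner: int                              # host kuid that owns the file
    content: str
    xattrs: dict = field(default_factory=dict)

def ns_name(base: str, root_kuid: int) -> str:
    """Name under which a userns whose root maps to root_kuid stores its xattr (assumed scheme)."""
    return f"{base}@uid={root_kuid}"

def fake_sig(content: str) -> str:
    """Stand-in for an IMA signature; a digest is enough to show match vs. mismatch."""
    return "sig:" + hashlib.sha256(content.encode()).hexdigest()[:16]

def effective_xattr(f: File, base: str, root_kuid: int):
    """Lookup rule assumed here: the namespaced xattr wins, else fall back to the plain one."""
    return f.xattrs.get(ns_name(base, root_kuid), f.xattrs.get(base))

def ima_verifies(f: File, root_kuid: int) -> bool:
    """Does the signature visible from this mapping match the current content?"""
    return effective_xattr(f, "security.ima", root_kuid) == fake_sig(f.content)

def build_layer(f: File, root_kuid: int, new_content: str) -> None:
    """Update a file from inside a userns: owner and signature both land at the mapped kuid."""
    f.owner = root_kuid
    f.content = new_content
    f.xattrs[ns_name("security.ima", root_kuid)] = fake_sig(new_content)

def shift(f: File, old_root: int, new_root: int) -> None:
    """Shift the owner to the new mapping and rename the namespaced xattrs the same way."""
    if f.owner == old_root:
        f.owner = new_root
    for name in list(f.xattrs):
        base, sep, suffix = name.partition("@uid=")
        if sep and suffix.isdigit() and int(suffix) == old_root:
            f.xattrs[ns_name(base, new_root)] = f.xattrs.pop(name)

def scenario():
    """James's example: build with root mapped to kuid 1000, deploy with root mapped to 4531."""
    f = File(owner=0, content="base", xattrs={"security.ima": fake_sig("base")})  # constructed base image
    build_layer(f, 1000, "patched")
    before = ima_verifies(f, 4531)   # False: falls back to the stale base-image signature
    shift(f, 1000, 4531)
    after = ima_verifies(f, 4531)    # True: the signature travelled with the uid shift
    return before, after
```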