From: serge@hallyn.com (Serge E. Hallyn)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 0/3] Enable namespaced file capabilities
Date: Wed, 28 Jun 2017 00:41:38 -0500 [thread overview]
Message-ID: <20170628054138.GA15939@mail.hallyn.com> (raw)
In-Reply-To: <CAOQ4uxj=_Riih1K+QOYasZU8vZKCSrsg393f=17mJ2O-909e=Q@mail.gmail.com>
On Fri, Jun 23, 2017 at 10:01:46AM +0300, Amir Goldstein wrote:
> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
> <stefanb@linux.vnet.ibm.com> wrote:
> > This series of patches primary goal is to enable file capabilities
> > in user namespaces without affecting the file capabilities that are
> > effective on the host. This is to prevent that any unprivileged user
> > on the host maps his own uid to root in a private namespace, writes
> > the xattr, and executes the file with privilege on the host.
> >
> > We achieve this goal by writing extended attributes with a different
> > name when a user namespace is used. If for example the root user
> > in a user namespace writes the security.capability xattr, the name
> > of the xattr that is actually written is encoded as
> > security.capability at uid=1000 for root mapped to uid 1000 on the host.
> > When listing the xattrs on the host, the existing security.capability
> > as well as the security.capability at uid=1000 will be shown. Inside the
> > namespace only 'security.capability', with the value of
> > security.capability at uid=1000, is visible.
> >
>
> Am I the only one who thinks that suffix is perhaps not the best grammar
> to use for this namespace?
> xattrs are clearly namespaced by prefix, so it seems right to me to keep
> it that way - define a new special xattr namespace "ns" and only if that
> prefix exists, the @uid suffix will be parsed.
> This could be either ns.security.capability at uid=1000 or
> ns at uid=1000.security.capability. The latter seems more correct to me,
> because then we will be able to namespace any xattr without having to
> protect from "unprivileged xattr injection", i.e.:
> setfattr -n "user.whatever.foo at uid=0"
>
> Amir.
Hi Amir,
I was liking the prefix at first, but I'm actually not sure it's worth
it. THe main advantage would be so that checking for namespace or other
tags could be done always at the same offset simplifying the parser.
But since we will want to only handle namespacing for some tags, and
potentially differently for each task, it won't actually be simpler, I
don't think.
On the other hand we do want to make sure that the syntax we use is
generally usable, so I think simply specifying that >1 tags can each
be separate by '@' should suffice. So for now we'd only have
security.capability at uid=100000
soon we'd hopefully have
security.ima at uid=100000
and eventually trusted.blarb at foo=bar
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-06-28 5:41 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-22 18:59 [PATCH 0/3] Enable namespaced file capabilities Stefan Berger
2017-06-22 18:59 ` [PATCH 1/3] xattr: Enable security.capability in user namespaces Stefan Berger
2017-06-24 21:02 ` [PATCH] xattr: fix kstrdup.cocci warnings kbuild test robot
2017-06-24 21:02 ` [PATCH 1/3] xattr: Enable security.capability in user namespaces kbuild test robot
2017-06-22 18:59 ` [PATCH 2/3] Enable capabilities of files from shared filesystem Stefan Berger
2017-06-22 18:59 ` [PATCH 3/3] Enable security.selinux in user namespaces Stefan Berger
2017-06-23 20:30 ` Stephen Smalley
2017-06-23 23:41 ` Stefan Berger
2017-06-22 19:59 ` [PATCH 0/3] Enable namespaced file capabilities Casey Schaufler
2017-06-22 20:12 ` Stefan Berger
2017-06-22 20:33 ` Casey Schaufler
2017-06-22 21:03 ` Stefan Berger
2017-06-22 21:09 ` Serge E. Hallyn
2017-06-22 22:40 ` Casey Schaufler
2017-06-22 23:07 ` Serge E. Hallyn
2017-06-22 23:29 ` James Bottomley
2017-06-22 23:32 ` Serge E. Hallyn
2017-06-22 23:36 ` Serge E. Hallyn
2017-06-23 0:13 ` James Bottomley
2017-06-23 1:19 ` Serge E. Hallyn
2017-06-23 17:37 ` Eric W. Biederman
2017-06-23 18:39 ` Serge E. Hallyn
2017-06-23 7:01 ` Amir Goldstein
2017-06-23 16:00 ` Serge E. Hallyn
2017-06-23 16:16 ` Casey Schaufler
2017-06-23 16:30 ` Serge E. Hallyn
2017-06-23 16:53 ` Casey Schaufler
2017-06-23 17:01 ` Serge E. Hallyn
2017-06-23 17:49 ` Eric W. Biederman
2017-06-23 18:32 ` Serge E. Hallyn
2017-06-23 17:07 ` James Bottomley
2017-06-23 17:20 ` Serge E. Hallyn
2017-06-23 17:38 ` Stefan Berger
2017-06-23 18:34 ` Serge E. Hallyn
2017-06-23 18:08 ` Stefan Berger
2017-06-23 18:35 ` Serge E. Hallyn
2017-06-23 20:30 ` Casey Schaufler
2017-06-23 23:09 ` Stefan Berger
2017-06-23 23:51 ` Casey Schaufler
2017-06-28 5:41 ` Serge E. Hallyn [this message]
2017-06-28 7:18 ` Amir Goldstein
2017-06-28 14:04 ` Stefan Berger
2017-06-28 14:28 ` Serge E. Hallyn
2017-06-23 20:09 ` Vivek Goyal
2017-06-23 20:17 ` Serge E. Hallyn
2017-06-23 20:36 ` Vivek Goyal
2017-06-23 20:51 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170628054138.GA15939@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).