From: stefanb@linux.vnet.ibm.com (Stefan Berger)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v2] xattr: Enable security.capability in user namespaces
Date: Fri, 14 Jul 2017 08:39:49 -0400 [thread overview]
Message-ID: <6eb8226e-58b7-88cc-a8e4-35df47ae5688@linux.vnet.ibm.com> (raw)
In-Reply-To: <87vamv2pj0.fsf@xmission.com>
On 07/14/2017 08:04 AM, Eric W. Biederman wrote:
> Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
>
>> On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
>>> Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
>>>
>>>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>>>>
>>>>> My big question right now is can you implement Ted's suggested
>>>>> restriction. Only one security.foo or secuirty.foo at ... attribute ?
>>>> We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done.
>>>>
>>>> So now you want to allow security.foo and one security.foo at uid=<> or just a single one security.foo(@[[:print:]]*)?
>>>>
>>> The latter.
>> That case would prevent a container user from overriding the xattr on
>> the host. Is that what we want?
> Most definitely. If a more privileged use has set secure.capable that
> is better.
>
>> For limiting the number of xattrs and
>> getting that functionality (override IMA signature for example) the
>> former seems better...
> I don't know about IMA. But my feeling is that we will only be dealing
> with a single signing key, so I don't see how having multiple IMA xattrs
> make sense. Could you explain that to me?
Admittedly I would need to construct and example where the user inside
the container doesn't want to share the public key with the host on a
file mounted from the host for some reason.
An example related to security.capability could be a Fedora Docker
container where the container is distributed with the ping tool
installed. The ping tool is installed with cap_net_admin,cap_net_raw+ep.
On a normal Fedora container I cannot use this tool due to my
capabilities bounding set not including cap_net_admin. So, I overwrite
this and set only cap_net_raw+ep and I can use for pinging. I may loose
some functionality on the way due to the lost cap_net_admin but I can
now use the tool. I guess the point is one can override the capabilities
set of a distributed container if the container is started with less
capabilities.
Stefan
>
>> For the former I now have the topmost patch here:
>> https://github.com/stefanberger/linux/commits/xattr_for_userns.v3
> Thank you.
>
> Eric
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-07-14 12:39 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com>
[not found] ` <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com>
2017-07-11 17:12 ` [PATCH v2] xattr: Enable security.capability in user namespaces Serge E. Hallyn
2017-07-12 0:15 ` Stefan Berger
2017-07-12 0:47 ` Serge E. Hallyn
2017-07-12 3:45 ` Serge E. Hallyn
2017-07-12 11:35 ` Stefan Berger
2017-07-12 17:32 ` Serge E. Hallyn
2017-07-12 7:59 ` James Morris
2017-07-12 13:25 ` Eric W. Biederman
2017-07-12 17:03 ` Serge E. Hallyn
2017-07-12 22:20 ` James Morris
2017-07-13 0:33 ` Eric W. Biederman
2017-07-13 1:01 ` Serge E. Hallyn
2017-07-12 23:13 ` Eric W. Biederman
2017-07-13 0:43 ` Serge E. Hallyn
2017-07-13 0:44 ` Stefan Berger
2017-07-13 1:15 ` Theodore Ts'o
2017-07-13 2:34 ` Serge E. Hallyn
2017-07-13 12:11 ` Eric W. Biederman
2017-07-13 16:40 ` Theodore Ts'o
2017-07-13 17:05 ` Stefan Berger
2017-07-13 17:39 ` Eric W. Biederman
2017-07-13 19:14 ` Theodore Ts'o
2017-07-13 19:41 ` Serge E. Hallyn
2017-07-13 21:17 ` Serge E. Hallyn
2017-07-18 7:01 ` James Morris
2017-07-18 12:12 ` Stefan Berger
2017-07-18 13:26 ` Eric W. Biederman
2017-07-18 23:13 ` Serge E. Hallyn
2017-07-13 17:14 ` Eric W. Biederman
2017-07-13 17:33 ` Stefan Berger
2017-07-13 17:49 ` Eric W. Biederman
2017-07-13 19:48 ` Serge E. Hallyn
2017-07-13 21:12 ` Eric W. Biederman
[not found] ` <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com>
2017-07-14 0:38 ` Eric W. Biederman
2017-07-14 11:32 ` Stefan Berger
2017-07-14 12:04 ` Eric W. Biederman
2017-07-14 12:39 ` Stefan Berger [this message]
2017-07-14 13:34 ` Serge E. Hallyn
2017-07-14 15:22 ` Stefan Berger
2017-07-14 17:35 ` Serge E. Hallyn
2017-07-14 18:17 ` Eric W. Biederman
2017-07-14 18:48 ` Mimi Zohar
2017-07-14 18:52 ` James Bottomley
2017-07-14 20:03 ` Mimi Zohar
2017-07-14 20:39 ` James Bottomley
2017-07-14 21:34 ` Theodore Ts'o
2017-07-14 23:22 ` Eric W. Biederman
2017-07-14 23:29 ` Mimi Zohar
2017-07-14 23:53 ` Eric W. Biederman
2017-07-14 19:29 ` Theodore Ts'o
2017-07-14 19:43 ` Mimi Zohar
[not found] ` <xagsmtp2.20170714182525.6604@vmsdvm4.vnet.ibm.com>
2017-07-14 19:26 ` Mimi Zohar
2017-07-15 0:02 ` Eric W. Biederman
[not found] ` <xagsmtp3.20170715001054.9173@uk1vsc.vnet.ibm.com>
2017-07-16 11:25 ` Mimi Zohar
2017-07-26 3:00 ` Serge E. Hallyn
2017-07-26 13:57 ` Mimi Zohar
2017-07-14 17:36 ` Eric W. Biederman
2017-07-14 19:22 ` Stefan Berger
2017-07-13 21:21 ` Serge E. Hallyn
2017-07-13 21:13 ` Serge E. Hallyn
2017-07-12 17:53 ` Vivek Goyal
2017-07-12 19:19 ` Stefan Berger
2017-07-14 23:41 ` Eric W. Biederman
2017-07-15 21:27 ` Stefan Berger
2017-07-17 18:58 ` Vivek Goyal
2017-07-17 20:50 ` Stefan Berger
2017-07-18 11:48 ` Vivek Goyal
2017-07-18 12:05 ` Stefan Berger
2017-07-18 12:30 ` Vivek Goyal
2017-07-18 12:36 ` Vivek Goyal
2017-07-18 13:29 ` Eric W. Biederman
2017-07-18 13:21 ` Stefan Berger
2017-07-18 14:57 ` Vivek Goyal
2017-07-18 16:11 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6eb8226e-58b7-88cc-a8e4-35df47ae5688@linux.vnet.ibm.com \
--to=stefanb@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).