From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Theodore Ts'o" <tytso@mit.edu>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Stefan Berger <stefanb@linux.vnet.ibm.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
containers@lists.linux-foundation.org, lkp@01.org,
linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com,
tycho@docker.com, James.Bottomley@HansenPartnership.com,
vgoyal@redhat.com, christian.brauner@mailbox.org,
amir73il@gmail.com, linux-security-module@vger.kernel.org,
casey@schaufler-ca.com
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
Date: Thu, 13 Jul 2017 14:41:05 -0500 [thread overview]
Message-ID: <20170713194105.GA4895@mail.hallyn.com> (raw)
In-Reply-To: <20170713191429.vfaetqscxd7hniwq@thunk.org>
Quoting Theodore Ts'o (tytso@mit.edu):
> On Thu, Jul 13, 2017 at 12:39:10PM -0500, Eric W. Biederman wrote:
> > > Can you define what 'scalable' means for you in this context?
> > > From what I can see sharing a filesystem between multiple containers
> > > doesn't 'scale well' for virtualizing the xattrs primarily because of
> > > size limitations of xattrs per file.
> >
> > Worse than that I believe you will find that filesystems are built on
> > the assumption that there will be a small number of xattrs per file.
> > So even if the vfs limitations were lifted the filesystem performance
> > would suffer.
>
> That's why I've been pushing here. If people try to do
>
> security.capable@uid=1000
> security.capable@uid=2000
> security.capable@uid=3000
> security.capable@uid=4000
> security.capable@uid=5000
> security.capable@uid=6000
> security.capable@uid=7000
> security.capable@uid=8000
> security.capable@uid=9000
> .
> .
> .
>
> ... where the values of all of these will be the same, this is going
> to be *awful* even if the file system can support it.
Typically users will be allocated a single range of ids, for instance
100000-200000. We might therefore consider putting a range in the uid=,
i.e. security.capable@uid=100000-200000. I don't think that's really
needed, but it's an option.
Consider that the executable will be owned by some kuid+kgid. If we
have all the xattrs you list above, then who would we have actually
owning the file? If we're chown'ing it anyway (to be root-owned but
not seutid-root), then this discussion is moot, because we'll have
to re-write the xattr after the chown. So for this to matter, we
would have an fs owned by either uid nobody in the container, or
by some special user (mapped to 100000 in the container perhaps)
which is always special-case-mapped into the container.
> So maybe we are better off if we define an xattr
>
> security.capable@guest-container
> ... so the property is that it is ignored by the host ("real")
> container, and in all of the subcontainers, it will be used if the
> local container root is trying to execute the file.
In the previous discussion we considered having 'security.capable@uid='
with no following integer, meaning that it would take effect in all
user namespaces which do not have kuid 0 as root.
This could be useful for cases like docker hosts, but note that writing
this has to require either global CAP_SETFCAP, or CAP_SETFCAP in a
user namespace that has every kuid except 0 mapped. If joe, uid 1000,
has subuids 100000-20000 delegated to him, then he must not be allowed
to write something that can affect someone with kuids 300000-400000.
-serge
next prev parent reply other threads:[~2017-07-13 19:41 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-11 15:05 [PATCH v2] Enable namespaced file capabilities Stefan Berger
2017-07-11 15:05 ` [PATCH v2] xattr: Enable security.capability in user namespaces Stefan Berger
2017-07-11 17:12 ` Serge E. Hallyn
2017-07-12 0:15 ` Stefan Berger
2017-07-12 0:47 ` Serge E. Hallyn
2017-07-12 3:45 ` Serge E. Hallyn
2017-07-12 11:35 ` Stefan Berger
2017-07-12 17:32 ` Serge E. Hallyn
2017-07-12 7:59 ` James Morris
2017-07-12 13:25 ` Eric W. Biederman
2017-07-12 17:03 ` Serge E. Hallyn
2017-07-12 22:20 ` James Morris
2017-07-13 0:33 ` Eric W. Biederman
2017-07-13 1:01 ` Serge E. Hallyn
2017-07-12 23:13 ` Eric W. Biederman
2017-07-13 0:43 ` Serge E. Hallyn
2017-07-13 0:44 ` Stefan Berger
2017-07-13 1:15 ` Theodore Ts'o
2017-07-13 2:34 ` Serge E. Hallyn
2017-07-13 12:11 ` Eric W. Biederman
2017-07-13 16:40 ` Theodore Ts'o
2017-07-13 17:05 ` Stefan Berger
2017-07-13 17:39 ` Eric W. Biederman
2017-07-13 19:14 ` Theodore Ts'o
2017-07-13 19:41 ` Serge E. Hallyn [this message]
2017-07-13 21:17 ` Serge E. Hallyn
2017-07-18 7:01 ` James Morris
2017-07-18 12:12 ` Stefan Berger
2017-07-18 13:26 ` Eric W. Biederman
2017-07-18 23:13 ` Serge E. Hallyn
2017-07-13 17:14 ` Eric W. Biederman
2017-07-13 17:33 ` Stefan Berger
2017-07-13 17:49 ` Eric W. Biederman
2017-07-13 19:48 ` Serge E. Hallyn
2017-07-13 21:12 ` Eric W. Biederman
[not found] ` <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com>
2017-07-14 0:38 ` Eric W. Biederman
2017-07-14 11:32 ` Stefan Berger
2017-07-14 12:04 ` Eric W. Biederman
2017-07-14 12:39 ` Stefan Berger
2017-07-14 13:34 ` Serge E. Hallyn
2017-07-14 15:22 ` Stefan Berger
2017-07-14 17:35 ` Serge E. Hallyn
2017-07-14 18:17 ` Eric W. Biederman
2017-07-14 18:48 ` Mimi Zohar
2017-07-14 18:52 ` James Bottomley
2017-07-14 20:03 ` Mimi Zohar
2017-07-14 20:39 ` James Bottomley
2017-07-14 21:34 ` Theodore Ts'o
2017-07-14 23:22 ` Eric W. Biederman
2017-07-14 23:29 ` Mimi Zohar
2017-07-14 23:53 ` Eric W. Biederman
2017-07-14 19:29 ` Theodore Ts'o
2017-07-14 19:43 ` Mimi Zohar
[not found] ` <xagsmtp2.20170714182525.6604@vmsdvm4.vnet.ibm.com>
2017-07-14 19:26 ` Mimi Zohar
2017-07-15 0:02 ` Eric W. Biederman
[not found] ` <xagsmtp3.20170715001054.9173@uk1vsc.vnet.ibm.com>
2017-07-16 11:25 ` Mimi Zohar
2017-07-26 3:00 ` Serge E. Hallyn
2017-07-26 13:57 ` Mimi Zohar
2017-07-14 17:36 ` Eric W. Biederman
2017-07-14 19:22 ` Stefan Berger
2017-07-13 21:21 ` Serge E. Hallyn
2017-07-13 21:13 ` Serge E. Hallyn
2017-07-12 17:53 ` Vivek Goyal
2017-07-12 19:19 ` Stefan Berger
2017-07-14 23:41 ` Eric W. Biederman
2017-07-15 21:27 ` Stefan Berger
2017-07-17 18:58 ` Vivek Goyal
2017-07-17 20:50 ` Stefan Berger
2017-07-18 11:48 ` Vivek Goyal
2017-07-18 12:05 ` Stefan Berger
2017-07-18 12:30 ` Vivek Goyal
2017-07-18 12:36 ` Vivek Goyal
2017-07-18 13:29 ` Eric W. Biederman
2017-07-18 13:21 ` Stefan Berger
2017-07-18 14:57 ` Vivek Goyal
2017-07-18 16:11 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170713194105.GA4895@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=amir73il@gmail.com \
--cc=casey@schaufler-ca.com \
--cc=christian.brauner@mailbox.org \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lkp@01.org \
--cc=stefanb@linux.vnet.ibm.com \
--cc=tycho@docker.com \
--cc=tytso@mit.edu \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).