From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751676AbdKTQDy (ORCPT <rfc822;w@1wt.eu>);
        Mon, 20 Nov 2017 11:03:54 -0500
Received: from out01.mta.xmission.com ([166.70.13.231]:55408 "EHLO
        out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751358AbdKTQDw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 20 Nov 2017 11:03:52 -0500
From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
        Amir Goldstein <amir73il@gmail.com>,
        Stefan Berger <stefanb@linux.vnet.ibm.com>,
        Linux Containers <containers@lists.linux-foundation.org>, lkp@01.org,
        xiaolong.ye@intel.com, linux-kernel <linux-kernel@vger.kernel.org>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Tycho Andersen <tycho@docker.com>,
        James Bottomley <James.Bottomley@hansenpartnership.com>,
        christian.brauner@mailbox.org, Vivek Goyal <vgoyal@redhat.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Linux API <linux-api@vger.kernel.org>
References: <CAKgNAkiAeqbD=G6hnExh4cC84nA2mU6xdLzzS0F2x1wviEPgHg@mail.gmail.com>
Date: Mon, 20 Nov 2017 10:03:39 -0600
In-Reply-To: <CAKgNAkiAeqbD=G6hnExh4cC84nA2mU6xdLzzS0F2x1wviEPgHg@mail.gmail.com>
        (Michael Kerrisk's message of "Mon, 20 Nov 2017 10:36:11 +0100")
Message-ID: <873759ueck.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1eGoXx-0004Rk-O8;;;mid=<873759ueck.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.204.119;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1/Zq/xf4DgL5Sn9QWIXqAWSI38TfEYBM9o=
X-SA-Exim-Connect-IP: 67.3.204.119
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4952]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa07 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;"Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 644 ms - load_scoreonly_sql: 0.03 (0.0%),
        signal_user_changed: 6 (0.9%), b_tie_ro: 3.7 (0.6%), parse: 0.73 (0.1%),
        extract_message_metadata: 2.8 (0.4%), get_uri_detail_list: 1.25 (0.2%),
        tests_pri_-1000: 4.2 (0.7%), tests_pri_-950: 1.16 (0.2%), tests_pri_-900:
        1.00 (0.2%), tests_pri_-400: 20 (3.1%), check_bayes: 19 (3.0%), b_tokenize: 7
        (1.0%), b_tok_get_all: 6 (1.0%), b_comp_prob: 1.80 (0.3%), b_tok_touch_all:
        2.4 (0.4%), b_finish: 0.58 (0.1%), tests_pri_0: 595 (92.5%),
        check_dkim_signature: 0.50 (0.1%), check_dkim_adsp: 2.8 (0.4%),
        tests_pri_500: 5 (0.8%), rewrite_mail: 0.00 (0.0%)
Subject: Re: Documentation patch for namespaced file capabilities
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Serge,
>
> At the moment man-pages lacks documentation of the namespaced file
> capability feature that you added with commit
> 8db6c34f1dbc8e06aa016a9b829b06902c3e1340. Would you be able to send a
> patch describing the feature?
>
> Presumably, the patch would be for the capabilities(7) page (or
> perhaps for the user_namespaces(7) page, if that seems more
> appropriate), As well as documenting the semantics, it would be good
> to include an example or two of the notation that is used for the
> xattr names.
>
> Presumably also there will be some changes in userspace tools
> (setcap/getcap?). Do you know anything about what's happening there?


Just a quick summary.

- The capability name does not change.

- From inside a user namespace the capability works as for ``root'' as
  existing tools expect.  (AKA the capability is mapped into the current
  user namespace).

- From outside a user namespace the version of the capability is
  incremented, and a uid of the root user in a user namespace is added
  at the end in the new version of the capability.

So for the capabilities(7) manpage I would add to the File capablities
section:

Since Kernel v4.14 the kernel supports setting file capabilities inside
a user namespace.  In which case an additional uid is stored indicating
the root user of the user namespace the file capabilitity is active in.

When a file is executed and it has a file capability limited to a user
namespace, the kernel takes the uid from the capability and if that uid
matches the uid of the root user of the user namespace or the root user
of an ancestor namespace the capability is applied.  Otherwise the
capability is ignored.

Eric