From: Giuseppe Scrivano <gscrivan@redhat.com>
To: ebiederm@xmission.com (Eric W. Biederman)
Cc: Christian Brauner <christian.brauner@ubuntu.com>,
lkml <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linuxfoundation.org>,
Kees Cook <keescook@chromium.org>,
"Andrew G. Morgan" <morgan@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
security@kernel.org, Tycho Andersen <tycho@tycho.ws>,
Andy Lutomirski <luto@kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.2)
Date: Mon, 19 Apr 2021 17:52:39 +0200 [thread overview]
Message-ID: <87mttu9sqg.fsf@redhat.com> (raw)
In-Reply-To: <m135vne1ez.fsf@fess.ebiederm.org> (Eric W. Biederman's message of "Sun, 18 Apr 2021 16:19:16 -0500")
ebiederm@xmission.com (Eric W. Biederman) writes:
> Guiseppe can you take a look at this?
>
> This is a second attempt at tightening up the semantics of writing to
> file capabilities from a user namespace.
>
> The first attempt was reverted with 3b0c2d3eaa83 ("Revert 95ebabde382c
> ("capabilities: Don't allow writing ambiguous v3 file capabilities")"),
> which corrected the issue reported in:
> https://github.com/containers/buildah/issues/3071
>
> There is a report the podman testsuite passes. While different this
> looks in many ways much more strict than the code that was reverted. So
> while I can imagine this change doesn't cause problems as is, I will be
> surprised.
thanks for pulling me in the discussion.
I've tested the patch with several cases similar to the issue we had in
the past and the patch seems to work well.
Podman creates all the user namespaces within the same parent user
namespace. In the parent user namespace all the capabilities are kept
and AFAIK Docker does the same. I'd expect a change in behavior only
for nested user namespaces in containers where CAP_SETFCAP is not
granted, but that is not a common configuration given that CAP_SETFCAP
is added by default.
> "Serge E. Hallyn" <serge@hallyn.com> writes:
>
>> +/**
>> + * verify_root_map() - check the uid 0 mapping
>> + * @file: idmapping file
>> + * @map_ns: user namespace of the target process
>> + * @new_map: requested idmap
>> + *
>> + * If a process requested a mapping for uid 0 onto uid 0, verify that the
>> + * process writing the map had the CAP_SETFCAP capability as the target process
>> + * will be able to write fscaps that are valid in ancestor user namespaces.
>> + *
>> + * Return: true if the mapping is allowed, false if not.
>> + */
>> +static bool verify_root_map(const struct file *file,
>> + struct user_namespace *map_ns,
>> + struct uid_gid_map *new_map)
>> +{
>> + int idx;
>> + const struct user_namespace *file_ns = file->f_cred->user_ns;
>> + struct uid_gid_extent *extent0 = NULL;
>> +
>> + for (idx = 0; idx < new_map->nr_extents; idx++) {
>> + u32 lower_first;
nit: lower_first seems unused?
>> +
>> + if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
>> + extent0 = &new_map->extent[idx];
>> + else
>> + extent0 = &new_map->forward[idx];
>> + if (extent0->lower_first == 0)
>> + break;
>> +
>> + extent0 = NULL;
>> + }
Tested-by: Giuseppe Scrivano <gscrivan@redhat.com>
Regards,
Giuseppe
next prev parent reply other threads:[~2021-04-19 15:52 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-16 4:58 [RFC PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3) Serge E. Hallyn
2021-04-16 15:05 ` Christian Brauner
2021-04-16 21:34 ` Serge E. Hallyn
2021-04-17 2:19 ` Serge E. Hallyn
2021-04-17 20:04 ` [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.2) Serge E. Hallyn
2021-04-18 17:21 ` Christian Brauner
2021-04-18 21:19 ` Eric W. Biederman
2021-04-19 15:52 ` Giuseppe Scrivano [this message]
2021-04-19 16:02 ` Christian Brauner
2021-04-20 13:40 ` Serge E. Hallyn
2021-04-19 12:25 ` [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.3) Serge E. Hallyn
2021-04-19 16:09 ` Christian Brauner
2021-04-20 3:42 ` Serge E. Hallyn
2021-04-20 8:31 ` Christian Brauner
2021-04-20 13:43 ` [PATCH v3.4] capabilities: require CAP_SETFCAP to map uid 0 Serge E. Hallyn
2021-04-20 16:47 ` Christian Brauner
2021-04-20 17:33 ` Linus Torvalds
2021-04-21 8:26 ` Christian Brauner
2021-04-21 19:16 ` Eric W. Biederman
2021-04-22 13:20 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mttu9sqg.fsf@redhat.com \
--to=gscrivan@redhat.com \
--cc=christian.brauner@ubuntu.com \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=morgan@kernel.org \
--cc=security@kernel.org \
--cc=serge@hallyn.com \
--cc=torvalds@linuxfoundation.org \
--cc=tycho@tycho.ws \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox