From: James Morris <jmorris@namei.org>
To: Seth Forshee <seth.forshee@canonical.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Richard Weinberger <richard.weinberger@gmail.com>,
Austin S Hemmelgarn <ahferroin7@gmail.com>,
Miklos Szeredi <mszeredi@redhat.com>,
Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org,
dm-devel@redhat.com, linux-raid@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
fuse-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
cgroups@vger.kernel.org
Subject: Re: [PATCH v4 17/21] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
Date: Wed, 27 Apr 2016 17:22:02 +1000 (AEST) [thread overview]
Message-ID: <alpine.LRH.2.20.1604271721471.796@namei.org> (raw)
In-Reply-To: <1461699396-33000-18-git-send-email-seth.forshee@canonical.com>
On Tue, 26 Apr 2016, Seth Forshee wrote:
> A privileged user in s_user_ns will generally have the ability to
> manipulate the backing store and insert security.* xattrs into
> the filesystem directly. Therefore the kernel must be prepared to
> handle these xattrs from unprivileged mounts, and it makes little
> sense for commoncap to prevent writing these xattrs to the
> filesystem. The capability and LSM code have already been updated
> to appropriately handle xattrs from unprivileged mounts, so it
> is safe to loosen this restriction on setting xattrs.
>
> The exception to this logic is that writing xattrs to a mounted
> filesystem may also cause the LSM inode_post_setxattr or
> inode_setsecurity callbacks to be invoked. SELinux will deny the
> xattr update by virtue of applying mountpoint labeling to
> unprivileged userns mounts, and Smack will deny the writes for
> any user without global CAP_MAC_ADMIN, so loosening the
> capability check in commoncap is safe in this respect as well.
>
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: James Morris <james.l.morris@oracle.com>
--
James Morris
<jmorris@namei.org>
next prev parent reply other threads:[~2016-04-27 7:22 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-26 19:36 [PATCH v4 00/21] Support fuse mounts in user namespaces Seth Forshee
2016-04-26 19:36 ` [PATCH v4 01/21] fs: fix a posible leak of allocated superblock Seth Forshee
2016-04-26 19:36 ` [PATCH v4 02/21] fs: Remove check of s_user_ns for existing mounts in fs_fully_visible() Seth Forshee
2016-04-26 19:36 ` [PATCH v4 03/21] fs: Allow sysfs and cgroupfs to share super blocks between user namespaces Seth Forshee
2016-04-26 19:36 ` [PATCH v4 04/21] block_dev: Support checking inode permissions in lookup_bdev() Seth Forshee
2016-04-26 19:36 ` [PATCH v4 05/21] block_dev: Check permissions towards block device inode when mounting Seth Forshee
2016-04-26 19:36 ` [PATCH v4 06/21] fs: Treat foreign mounts as nosuid Seth Forshee
2016-04-26 19:36 ` [PATCH v4 07/21] selinux: Add support for unprivileged mounts from user namespaces Seth Forshee
2016-04-26 19:36 ` [PATCH v4 08/21] userns: Replace in_userns with current_in_userns Seth Forshee
2016-04-26 19:36 ` [PATCH v4 09/21] Smack: Handle labels consistently in untrusted mounts Seth Forshee
2016-04-26 19:36 ` [PATCH v4 10/21] fs: Check for invalid i_uid in may_follow_link() Seth Forshee
2016-05-24 15:55 ` Djalal Harouni
2016-04-26 19:36 ` [PATCH v4 11/21] cred: Reject inodes with invalid ids in set_create_file_as() Seth Forshee
2016-04-26 19:36 ` [PATCH v4 12/21] fs: Refuse uid/gid changes which don't map into s_user_ns Seth Forshee
2016-04-26 19:36 ` [PATCH v4 13/21] fs: Update posix_acl support to handle user namespace mounts Seth Forshee
2016-04-26 19:36 ` [PATCH v4 14/21] fs: Allow superblock owner to change ownership of inodes with unmappable ids Seth Forshee
2016-04-26 19:36 ` [PATCH v4 15/21] fs: Don't remove suid for CAP_FSETID in s_user_ns Seth Forshee
2016-04-26 19:36 ` [PATCH v4 16/21] fs: Allow superblock owner to access do_remount_sb() Seth Forshee
2016-04-26 19:36 ` [PATCH v4 17/21] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Seth Forshee
2016-04-27 7:22 ` James Morris [this message]
2016-04-26 19:36 ` [PATCH v4 18/21] fuse: Add support for pid namespaces Seth Forshee
2016-07-20 2:44 ` Sheng Yang
2016-07-20 12:52 ` Seth Forshee
2016-07-20 22:28 ` Sheng Yang
2016-07-21 7:25 ` Miklos Szeredi
2016-04-26 19:36 ` [PATCH v4 19/21] fuse: Support fuse filesystems outside of init_user_ns Seth Forshee
2016-04-26 19:36 ` [PATCH v4 20/21] fuse: Restrict allow_other to the superblock's namespace or a descendant Seth Forshee
2016-04-26 19:36 ` [PATCH v4 21/21] fuse: Allow user namespace mounts Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.20.1604271721471.796@namei.org \
--to=jmorris@namei.org \
--cc=ahferroin7@gmail.com \
--cc=cgroups@vger.kernel.org \
--cc=dm-devel@redhat.com \
--cc=ebiederm@xmission.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=james.l.morris@oracle.com \
--cc=linux-bcache@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=ptikhomirov@virtuozzo.com \
--cc=richard.weinberger@gmail.com \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox