Namespaced file capabilities were introduced in 8db6c34f1dbc .
When userspace reads an xattr for a namespaced capability, a
virtualized representation of it is returned if the caller is
in a user namespace owned by the capability's owning rootid.
The function which performs this virtualization was not hooked
up if CONFIG_SECURITY=n. Therefore in that case the original
xattr was shown instead of the virtualized one.
To test this using libcap-bin (*1),
$ v=$(mktemp)
$ unshare -Ur setcap cap_sys_admin-eip $v
$ unshare -Ur setcap -v cap_sys_admin-eip $v
/tmp/tmp.lSiIFRvt8Y: OK
"setcap -v" verifies the values instead of setting them, and
will check whether the rootid value is set. Therefore, with
this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
fail:
$ v=$(mktemp)
$ unshare -Ur setcap cap_sys_admin=eip $v
$ unshare -Ur setcap -v cap_sys_admin=eip $v
nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
Fix this bug by calling cap_inode_getsecurity() in
security_inode_getsecurity() instead of returning
-EOPNOTSUPP, when CONFIG_SECURITY=n.
*1 - note, if libcap is too old for getcap to have the '-n'
option, then use verify-caps instead.
Signed-off-by: Serge Hallyn <[email protected]>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
Cc: Herv? Guillemet <[email protected]>
Cc: Andrew G. Morgan <[email protected]>
Cc: Casey Schaufler <[email protected]>
---
include/linux/security.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index bc2725491560..39642626a707 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
{
- return -EOPNOTSUPP;
+ return cap_inode_getsecurity(inode, name, buffer, alloc);
}
static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
--
2.25.1
Signed-off-by: Andrew G. Morgan <[email protected]>
On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <[email protected]> wrote:
>
> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n. Therefore in that case the original
> xattr was shown instead of the virtualized one.
>
> To test this using libcap-bin (*1),
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
>
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set. Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
>
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
>
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <[email protected]>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Hervé Guillemet <[email protected]>
> Cc: Andrew G. Morgan <[email protected]>
> Cc: Casey Schaufler <[email protected]>
> ---
> include/linux/security.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>
> static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
> {
> - return -EOPNOTSUPP;
> + return cap_inode_getsecurity(inode, name, buffer, alloc);
> }
>
> static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
> --
> 2.25.1
>
On 11/17/2020 7:08 AM, Serge E. Hallyn wrote:
> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n. Therefore in that case the original
> xattr was shown instead of the virtualized one.
>
> To test this using libcap-bin (*1),
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
>
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set. Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
>
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
>
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <[email protected]>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Hervé Guillemet <[email protected]>
> Cc: Andrew G. Morgan <[email protected]>
> Cc: Casey Schaufler <[email protected]>
Acked-by: Casey Schaufler <[email protected]>
> ---
> include/linux/security.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>
> static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
> {
> - return -EOPNOTSUPP;
> + return cap_inode_getsecurity(inode, name, buffer, alloc);
> }
>
> static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
[Adding LSM list]
On Tue, 17 Nov 2020, Serge E. Hallyn wrote:
> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n. Therefore in that case the original
> xattr was shown instead of the virtualized one.
>
> To test this using libcap-bin (*1),
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
>
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set. Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
>
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
>
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <[email protected]>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Herv? Guillemet <[email protected]>
> Cc: Andrew G. Morgan <[email protected]>
> Cc: Casey Schaufler <[email protected]>
> ---
> include/linux/security.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>
> static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
> {
> - return -EOPNOTSUPP;
> + return cap_inode_getsecurity(inode, name, buffer, alloc);
> }
>
> static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
>
--
James Morris
<[email protected]>
On Tue, 17 Nov 2020, Andrew G. Morgan wrote:
> Signed-off-by: Andrew G. Morgan <[email protected]>
This should be Acked-by or Reviewed-by, unless this is your patch, or it
came via your tree.
--
James Morris
<[email protected]>
On Tue, 17 Nov 2020, Serge E. Hallyn wrote:
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <[email protected]>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
"Perf fails to compile with python 3.7"
Wrong bug ID?
--
James Morris
<[email protected]>
Reviewed-by: Andrew G. Morgan <[email protected]>
Works for me too.
On Thu, Nov 19, 2020 at 7:20 PM James Morris <[email protected]> wrote:
>
> On Tue, 17 Nov 2020, Andrew G. Morgan wrote:
>
> > Signed-off-by: Andrew G. Morgan <[email protected]>
>
> This should be Acked-by or Reviewed-by, unless this is your patch, or it
> came via your tree.
>
>
> --
> James Morris
> <[email protected]>
>
Hi James,
would you mind adding this to the security tree? (You can cherrypick
from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
thanks,
-serge
On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> Signed-off-by: Andrew G. Morgan <[email protected]>
>
>
> On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <[email protected]> wrote:
>
> > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > When userspace reads an xattr for a namespaced capability, a
> > virtualized representation of it is returned if the caller is
> > in a user namespace owned by the capability's owning rootid.
> > The function which performs this virtualization was not hooked
> > up if CONFIG_SECURITY=n. Therefore in that case the original
> > xattr was shown instead of the virtualized one.
> >
> > To test this using libcap-bin (*1),
> >
> > $ v=$(mktemp)
> > $ unshare -Ur setcap cap_sys_admin-eip $v
> > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > /tmp/tmp.lSiIFRvt8Y: OK
> >
> > "setcap -v" verifies the values instead of setting them, and
> > will check whether the rootid value is set. Therefore, with
> > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > fail:
> >
> > $ v=$(mktemp)
> > $ unshare -Ur setcap cap_sys_admin=eip $v
> > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> >
> > Fix this bug by calling cap_inode_getsecurity() in
> > security_inode_getsecurity() instead of returning
> > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> >
> > *1 - note, if libcap is too old for getcap to have the '-n'
> > option, then use verify-caps instead.
> >
> > Signed-off-by: Serge Hallyn <[email protected]>
> > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > Cc: Herv? Guillemet <[email protected]>
> > Cc: Andrew G. Morgan <[email protected]>
> > Cc: Casey Schaufler <[email protected]>
> > ---
> > include/linux/security.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index bc2725491560..39642626a707 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > dentry *dentry)
> >
> > static inline int security_inode_getsecurity(struct inode *inode, const
> > char *name, void **buffer, bool alloc)
> > {
> > - return -EOPNOTSUPP;
> > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > }
> >
> > static inline int security_inode_setsecurity(struct inode *inode, const
> > char *name, const void *value, size_t size, int flags)
> > --
> > 2.25.1
> >
> >
On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
> Hi James,
>
> would you mind adding this to the security tree? (You can cherrypick
> from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
Sure.
>
> thanks,
> -serge
>
> On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > Signed-off-by: Andrew G. Morgan <[email protected]>
> >
> >
> > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <[email protected]> wrote:
> >
> > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > When userspace reads an xattr for a namespaced capability, a
> > > virtualized representation of it is returned if the caller is
> > > in a user namespace owned by the capability's owning rootid.
> > > The function which performs this virtualization was not hooked
> > > up if CONFIG_SECURITY=n. Therefore in that case the original
> > > xattr was shown instead of the virtualized one.
> > >
> > > To test this using libcap-bin (*1),
> > >
> > > $ v=$(mktemp)
> > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > /tmp/tmp.lSiIFRvt8Y: OK
> > >
> > > "setcap -v" verifies the values instead of setting them, and
> > > will check whether the rootid value is set. Therefore, with
> > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > fail:
> > >
> > > $ v=$(mktemp)
> > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > >
> > > Fix this bug by calling cap_inode_getsecurity() in
> > > security_inode_getsecurity() instead of returning
> > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > >
> > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > option, then use verify-caps instead.
> > >
> > > Signed-off-by: Serge Hallyn <[email protected]>
> > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > Cc: Herv? Guillemet <[email protected]>
> > > Cc: Andrew G. Morgan <[email protected]>
> > > Cc: Casey Schaufler <[email protected]>
> > > ---
> > > include/linux/security.h | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > index bc2725491560..39642626a707 100644
> > > --- a/include/linux/security.h
> > > +++ b/include/linux/security.h
> > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > dentry *dentry)
> > >
> > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > char *name, void **buffer, bool alloc)
> > > {
> > > - return -EOPNOTSUPP;
> > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > }
> > >
> > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > char *name, const void *value, size_t size, int flags)
> > > --
> > > 2.25.1
> > >
> > >
>
--
James Morris
<[email protected]>
The correct bug reference for this patch is:
https://bugzilla.kernel.org/show_bug.cgi?id=209689
Reviewed-by: Andrew G. Morgan <[email protected]>
On Mon, Nov 30, 2020 at 6:58 PM James Morris <[email protected]> wrote:
>
> On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
>
> > Hi James,
> >
> > would you mind adding this to the security tree? (You can cherrypick
> > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
>
> Sure.
>
> >
> > thanks,
> > -serge
> >
> > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > Signed-off-by: Andrew G. Morgan <[email protected]>
> > >
> > >
> > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <[email protected]> wrote:
> > >
> > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > When userspace reads an xattr for a namespaced capability, a
> > > > virtualized representation of it is returned if the caller is
> > > > in a user namespace owned by the capability's owning rootid.
> > > > The function which performs this virtualization was not hooked
> > > > up if CONFIG_SECURITY=n. Therefore in that case the original
> > > > xattr was shown instead of the virtualized one.
> > > >
> > > > To test this using libcap-bin (*1),
> > > >
> > > > $ v=$(mktemp)
> > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > >
> > > > "setcap -v" verifies the values instead of setting them, and
> > > > will check whether the rootid value is set. Therefore, with
> > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > fail:
> > > >
> > > > $ v=$(mktemp)
> > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > >
> > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > security_inode_getsecurity() instead of returning
> > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > >
> > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > option, then use verify-caps instead.
> > > >
> > > > Signed-off-by: Serge Hallyn <[email protected]>
> > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > Cc: Hervé Guillemet <[email protected]>
> > > > Cc: Andrew G. Morgan <[email protected]>
> > > > Cc: Casey Schaufler <[email protected]>
> > > > ---
> > > > include/linux/security.h | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > index bc2725491560..39642626a707 100644
> > > > --- a/include/linux/security.h
> > > > +++ b/include/linux/security.h
> > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > dentry *dentry)
> > > >
> > > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > > char *name, void **buffer, bool alloc)
> > > > {
> > > > - return -EOPNOTSUPP;
> > > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > > }
> > > >
> > > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > > char *name, const void *value, size_t size, int flags)
> > > > --
> > > > 2.25.1
> > > >
> > > >
> >
>
> --
> James Morris
> <[email protected]>
On Fri, 4 Dec 2020, Andrew G. Morgan wrote:
> The correct bug reference for this patch is:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=209689
>
> Reviewed-by: Andrew G. Morgan <[email protected]>
Thanks.
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git fixes-5.10
and next-testing
--
James Morris
<[email protected]>
How odd - where did that come from?
James, I force-pushed that with corrected bugzilla link to
2020-11-29/fix-nscaps. Sorry about that.
On Fri, Dec 04, 2020 at 07:58:14AM -0800, Andrew G. Morgan wrote:
> The correct bug reference for this patch is:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=209689
>
> Reviewed-by: Andrew G. Morgan <[email protected]>
>
> On Mon, Nov 30, 2020 at 6:58 PM James Morris <[email protected]> wrote:
> >
> > On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
> >
> > > Hi James,
> > >
> > > would you mind adding this to the security tree? (You can cherrypick
> > > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
> >
> > Sure.
> >
> > >
> > > thanks,
> > > -serge
> > >
> > > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > > Signed-off-by: Andrew G. Morgan <[email protected]>
> > > >
> > > >
> > > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <[email protected]> wrote:
> > > >
> > > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > > When userspace reads an xattr for a namespaced capability, a
> > > > > virtualized representation of it is returned if the caller is
> > > > > in a user namespace owned by the capability's owning rootid.
> > > > > The function which performs this virtualization was not hooked
> > > > > up if CONFIG_SECURITY=n. Therefore in that case the original
> > > > > xattr was shown instead of the virtualized one.
> > > > >
> > > > > To test this using libcap-bin (*1),
> > > > >
> > > > > $ v=$(mktemp)
> > > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > > >
> > > > > "setcap -v" verifies the values instead of setting them, and
> > > > > will check whether the rootid value is set. Therefore, with
> > > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > > fail:
> > > > >
> > > > > $ v=$(mktemp)
> > > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > > >
> > > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > > security_inode_getsecurity() instead of returning
> > > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > > >
> > > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > > option, then use verify-caps instead.
> > > > >
> > > > > Signed-off-by: Serge Hallyn <[email protected]>
> > > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > > Cc: Herv? Guillemet <[email protected]>
> > > > > Cc: Andrew G. Morgan <[email protected]>
> > > > > Cc: Casey Schaufler <[email protected]>
> > > > > ---
> > > > > include/linux/security.h | 2 +-
> > > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > > index bc2725491560..39642626a707 100644
> > > > > --- a/include/linux/security.h
> > > > > +++ b/include/linux/security.h
> > > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > > dentry *dentry)
> > > > >
> > > > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > > > char *name, void **buffer, bool alloc)
> > > > > {
> > > > > - return -EOPNOTSUPP;
> > > > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > > > }
> > > > >
> > > > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > > > char *name, const void *value, size_t size, int flags)
> > > > > --
> > > > > 2.25.1
> > > > >
> > > > >
> > >
> >
> > --
> > James Morris
> > <[email protected]>
Oh, I see you'd changed it inline :) Thanks
On Sat, Dec 05, 2020 at 11:40:00AM -0600, Serge E. Hallyn wrote:
> How odd - where did that come from?
>
> James, I force-pushed that with corrected bugzilla link to
> 2020-11-29/fix-nscaps. Sorry about that.
>
> On Fri, Dec 04, 2020 at 07:58:14AM -0800, Andrew G. Morgan wrote:
> > The correct bug reference for this patch is:
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=209689
> >
> > Reviewed-by: Andrew G. Morgan <[email protected]>
> >
> > On Mon, Nov 30, 2020 at 6:58 PM James Morris <[email protected]> wrote:
> > >
> > > On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
> > >
> > > > Hi James,
> > > >
> > > > would you mind adding this to the security tree? (You can cherrypick
> > > > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
> > >
> > > Sure.
> > >
> > > >
> > > > thanks,
> > > > -serge
> > > >
> > > > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > > > Signed-off-by: Andrew G. Morgan <[email protected]>
> > > > >
> > > > >
> > > > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <[email protected]> wrote:
> > > > >
> > > > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > > > When userspace reads an xattr for a namespaced capability, a
> > > > > > virtualized representation of it is returned if the caller is
> > > > > > in a user namespace owned by the capability's owning rootid.
> > > > > > The function which performs this virtualization was not hooked
> > > > > > up if CONFIG_SECURITY=n. Therefore in that case the original
> > > > > > xattr was shown instead of the virtualized one.
> > > > > >
> > > > > > To test this using libcap-bin (*1),
> > > > > >
> > > > > > $ v=$(mktemp)
> > > > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > > > >
> > > > > > "setcap -v" verifies the values instead of setting them, and
> > > > > > will check whether the rootid value is set. Therefore, with
> > > > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > > > fail:
> > > > > >
> > > > > > $ v=$(mktemp)
> > > > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > > > >
> > > > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > > > security_inode_getsecurity() instead of returning
> > > > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > > > >
> > > > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > > > option, then use verify-caps instead.
> > > > > >
> > > > > > Signed-off-by: Serge Hallyn <[email protected]>
> > > > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > > > Cc: Herv? Guillemet <[email protected]>
> > > > > > Cc: Andrew G. Morgan <[email protected]>
> > > > > > Cc: Casey Schaufler <[email protected]>
> > > > > > ---
> > > > > > include/linux/security.h | 2 +-
> > > > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > >
> > > > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > > > index bc2725491560..39642626a707 100644
> > > > > > --- a/include/linux/security.h
> > > > > > +++ b/include/linux/security.h
> > > > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > > > dentry *dentry)
> > > > > >
> > > > > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > > > > char *name, void **buffer, bool alloc)
> > > > > > {
> > > > > > - return -EOPNOTSUPP;
> > > > > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > > > > }
> > > > > >
> > > > > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > > > > char *name, const void *value, size_t size, int flags)
> > > > > > --
> > > > > > 2.25.1
> > > > > >
> > > > > >
> > > >
> > >
> > > --
> > > James Morris
> > > <[email protected]>