Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753707AbbGOWee (ORCPT <rfc822;w@1wt.eu>);
	Wed, 15 Jul 2015 18:34:34 -0400
Received: from out02.mta.xmission.com ([166.70.13.232]:46126 "EHLO
	out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752590AbbGOWea (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 15 Jul 2015 18:34:30 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: Seth Forshee <seth.forshee@canonical.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org,
        selinux@tycho.nsa.gov, Serge Hallyn <serge.hallyn@canonical.com>,
        Andy Lutomirski <luto@amacapital.net>, linux-kernel@vger.kernel.org
References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com>
	<55A6C448.5050902@schaufler-ca.com>
	<87vbdlf7vo.fsf@x220.int.ebiederm.org>
	<20150715214813.GB76420@ubuntu-hedt>
Date: Wed, 15 Jul 2015 17:28:03 -0500
In-Reply-To: <20150715214813.GB76420@ubuntu-hedt> (Seth Forshee's message of
	"Wed, 15 Jul 2015 16:48:13 -0500")
Message-ID: <87wpy1dpjg.fsf@x220.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-AID: U2FsdGVkX19eYZeBTpwrF7EKOqk6gtbnHq7ulokNyhk=
X-SA-Exim-Connect-IP: 67.3.205.90
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
	*  0.7 XMSubLong Long Subject
	*  1.5 XMNoVowels Alpha-numberic number with no vowels
	*  0.0 TVD_RCVD_IP Message was received from an IP address
	*  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
	*      [score: 0.5000]
	* -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
	*      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: **;Seth Forshee <seth.forshee@canonical.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 395 ms - load_scoreonly_sql: 0.07 (0.0%),
	signal_user_changed: 4.0 (1.0%), b_tie_ro: 2.8 (0.7%), parse: 1.02 (0.3%),
	extract_message_metadata: 25 (6.2%), get_uri_detail_list: 4.4 (1.1%),
	tests_pri_-1000: 9 (2.2%), tests_pri_-950: 1.32 (0.3%), tests_pri_-900: 1.10
	(0.3%), tests_pri_-400: 30 (7.6%), check_bayes: 29 (7.2%), b_tokenize: 8
	(2.1%), b_tok_get_all: 10 (2.6%), b_comp_prob: 4.0 (1.0%), b_tok_touch_all:
	3.5 (0.9%), b_finish: 0.76 (0.2%), tests_pri_0: 316 (80.1%), tests_pri_500:
	4.3 (1.1%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4137
Lines: 88

Seth Forshee <seth.forshee@canonical.com> writes:

> On Wed, Jul 15, 2015 at 04:06:35PM -0500, Eric W. Biederman wrote:
>> Casey Schaufler <casey@schaufler-ca.com> writes:
>> 
>> > On 7/15/2015 12:46 PM, Seth Forshee wrote:
>> >> These are the first in a larger set of patches that I've been working on
>> >> (with help from Eric Biederman) to support mounting ext4 and fuse
>> >> filesystems from within user namespaces. I've pushed the full series to:
>> >>
>> >>   git://kernel.ubuntu.com/sforshee/linux.git userns-mounts
>> >>
>> >> Taking the series as a whole, the strategy is to handle as much of the
>> >> heavy lifting as possible in the vfs so the filesystems don't have to
>> >> handle weird edge cases. If you look at the full series you'll find that
>> >> the changes in ext4 to support user namespace mounts turn out to be
>> >> fairly minimal (fuse is a bit more complicated though as it must deal
>> >> with translating ids for a userspace process which is running in pid and
>> >> user namespaces).
>> >>
>> >> The patches I'm sending today lay some of the groundwork in the vfs and
>> >> related code. They fall into two broad groups:
>> >>
>> >>  1. Patches 1-2 add s_user_ns and simplify MNT_NODEV handling. These are
>> >>     pretty straightforward, and Eric has expressed interest in merging
>> >>     these patches soon. Note that patch 2 won't apply cleanly without
>> >>     Eric's noexec patches for proc and sys [1].
>> >>
>> >>  2. Patches 2-7 tighten down security for mounts with s_user_ns !=
>> >>     &init_user_ns. This includes updates to how file caps and suid are
>> >>     handled and LSM updates to ignore security labels on superblocks
>> >>     from non-init namespaces.
>> >>
>> >>     The LSM changes in particular may not be optimal, as I don't have a
>> >>     lot of familiarity with this code, so I'd be especially appreciative
>> >>     of review of these changes and suggestions on how to improve them.
>> >
>> > Lukasz Pawelczyk <l.pawelczyk@samsung.com> proposed
>> > LSM support in user namespaces ([RFC] lsm: namespace hooks)
>> > that make a whole lot more sense than just turning off
>> > the option of using labels on files. Gutting the ability
>> > to use MAC in a namespace is a step down the road of
>> > making MAC and namespaces incompatible.
>> 
>> This is not "turning off the option to use labels on files".
>> 
>> This is supporting mounting filesystems like ext4 by unprivileged users
>> and not trusting the labels they set in the same way as we trust labels
>> on filesystems mounted by privileged users.
>> 
>> The first step needs to be not trusting those labels and treating such
>> filesystems as filesystems without label support.  I hope that is Seth
>> has implemented.
>> 
>> In the long run we can do more interesting things with such filesystems
>> once the appropriate LSM policy is in place.
>
> Yes, this exactly. Right now it looks to me like the only safe thing to
> do with mounts from unprivileged users is to ignore the security labels,
> so that's what I'm trying to do with these changes. If there's some
> better thing to do, or some better way to do it, I'm more than happy to
> receive that feedback.

Ugh.

This made me realize that we have an interesting problem here.  An
unprivileged mount of tmpfs probably needs to have
s_user_ns == &init_user_ns.

Otherwise we will break security labels on tmpfs for no good reason.
ramfs and sysfs also seem to have similar concerns.

Because they have no backing store we can trust those filesystems with
security labels.  Plus for at least sysfs there is the security label
bleed through issue, that we need to make certain works.

Perhaps these filesystems with trusted backing store need to call
"sget_userns(..., &init_user_ns)".

If we don't get this right we will have significant regressions with
respect to security labels, and that is not ok.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/