Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753975AbbGOWlz (ORCPT ); Wed, 15 Jul 2015 18:41:55 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:58369 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753540AbbGOWlu (ORCPT ); Wed, 15 Jul 2015 18:41:50 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Andy Lutomirski Cc: "Serge E. Hallyn" , Seth Forshee , Alexander Viro , Serge Hallyn , James Morris , Linux FS Devel , LSM List , SELinux-NSA , "linux-kernel\@vger.kernel.org" References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com> <1436989569-69582-4-git-send-email-seth.forshee@canonical.com> <20150715214848.GA24204@mail.hallyn.com> Date: Wed, 15 Jul 2015 17:35:24 -0500 In-Reply-To: (Andy Lutomirski's message of "Wed, 15 Jul 2015 14:50:46 -0700") Message-ID: <87wpy1camr.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX18Hs0KV7y+WK0QZ+1vaE0kP0+3sSfUSyzE= X-SA-Exim-Connect-IP: 67.3.205.90 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.7 XMSubLong Long Subject * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4999] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa01 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa01 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Andy Lutomirski X-Spam-Relay-Country: X-Spam-Timing: total 1084 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 6 (0.6%), b_tie_ro: 5 (0.5%), parse: 1.28 (0.1%), extract_message_metadata: 35 (3.2%), get_uri_detail_list: 4.5 (0.4%), tests_pri_-1000: 16 (1.5%), tests_pri_-950: 1.97 (0.2%), tests_pri_-900: 1.62 (0.1%), tests_pri_-400: 43 (3.9%), check_bayes: 40 (3.7%), b_tokenize: 16 (1.5%), b_tok_get_all: 11 (1.0%), b_comp_prob: 6 (0.5%), b_tok_touch_all: 2.9 (0.3%), b_finish: 0.83 (0.1%), tests_pri_0: 603 (55.7%), tests_pri_500: 370 (34.1%), poll_dns_idle: 360 (33.2%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 3/7] fs: Ignore file caps in mounts from other user namespaces X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3393 Lines: 78 Andy Lutomirski writes: > On Wed, Jul 15, 2015 at 2:48 PM, Serge E. Hallyn wrote: >> On Wed, Jul 15, 2015 at 02:46:04PM -0500, Seth Forshee wrote: >>> Capability sets attached to files must be ignored except in the >>> user namespaces where the mounter is privileged, i.e. s_user_ns >>> and its descendants. Otherwise a vector exists for gaining >>> privileges in namespaces where a user is not already privileged. >>> >>> Add a new helper function, in_user_ns(), to test whether a user >>> namespace is the same as or a descendant of another namespace. >>> Use this helper to determine whether a file's capability set >>> should be applied to the caps constructed during exec. >>> >>> Signed-off-by: Seth Forshee >> >> Acked-by: Serge Hallyn >> >> I think it's an ok behavior, though let's just go over the >> alternatives. >> >> It might actually be ok to simply require that the user_ns be >> equal. If I unshare a new userns in which a different uid is >> mapped to root, I may not want file capabilities to be granted >> to tasks in that ns. (On the other hand, I might be creating >> a new user_ns specifically to not have a uid 0 mapped into it >> at all, and only have file capabilities grant privilege) >> >> Conversely, if I unshare one user_ns with a MS_SHARED mnt_ns, mount >> an ext4fs, and then (from the parent shell) unshare another user_ns >> with the same mapping, intending it to be a "peer" to the first one >> I'd unshared and be able to use the ext4fs it mounted. This won't >> work here. That's probably best - the appropriate thing to do was >> to attach to the existing user_ns. But it could end up being >> limiting in some special cases, so I'm bringing it up here. >> >> Again I think what you have here is the simplest and most sensible >> choice, so ack. >> > > I think I'm missing something. Why is this separate from mount_may_suid? > > I can see why it would make sense to check s_user_ns (or maybe > s_user_ns *and* the vfsmount namespace) in mount_may_suid, but I don't > see why we need separate checks. So I don't quite understand your concerns that lead to the mnt_may_suid patch. But in my limited understanding there are two distinct issues. 1) What do file capabilities mean on a filesystem mounted with user namespace privileges. Where the unprivileged user can control what resides on disk. That is what this patch should be about. Meaning and restricting those permissions to unprivileged users. 2) The second issue that I think your mnt_may_suid patch is about seems to be what to do if a mount winds up in a place we never intended. Aka leaks. I don't think any changes to mnt_may_suid are necessary in that sense. However they may be useful. So I think your mnt_may_suid change may be worth having but so far it seems unnecessary. Which is a long way of saying this patch is fundamentally necessary, and I am not certain about the mnt_may_suid patch. Am I right in understanding it's purpose? Or does this patch actually succeed in obsoleting it? Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/