Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752642AbbGaIgN (ORCPT ); Fri, 31 Jul 2015 04:36:13 -0400 Received: from mail-lb0-f170.google.com ([209.85.217.170]:33643 "EHLO mail-lb0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751256AbbGaIgJ (ORCPT ); Fri, 31 Jul 2015 04:36:09 -0400 MIME-Version: 1.0 Date: Fri, 31 Jul 2015 11:36:07 +0300 X-Google-Sender-Auth: z4-Cr7HWzhef2IE5K4iBTCqD-88 Message-ID: Subject: Re: [PATCH 1/7] fs: Add user namesapace member to struct super_block From: Amir Goldstein To: "Eric W. Biederman" Cc: Seth Forshee , Alexander Viro , Jeff Layton , "J. Bruce Fields" , Serge Hallyn , Andy Lutomirski , linux-fsdevel , LSM List , SELinux-NSA , linux-kernel , "Theodore Ts'o" Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3043 Lines: 69 On Thu, Jul 16, 2015 at 5:47 AM, Eric W. Biederman wrote: > Seth Forshee writes: > >> Initially this will be used to eliminate the implicit MNT_NODEV >> flag for mounts from user namespaces. In the future it will also >> be used for translating ids and checking capabilities for >> filesystems mounted from user namespaces. >> >> s_user_ns is initialized in alloc_super() and is generally set to >> current_user_ns(). To avoid security and corruption issues, two >> additional mount checks are also added: >> >> - do_new_mount() gains a check that the user has CAP_SYS_ADMIN >> in current_user_ns(). >> >> - sget() will fail with EBUSY when the filesystem it's looking >> for is already mounted from another user namespace. >> >> proc needs some special handling here. The user namespace of >> current isn't appropriate when forking as a result of clone (2) >> with CLONE_NEWPID|CLONE_NEWUSER, as it will make proc unmountable >> from within the new user namespace. Instead, the user namespace >> which owns the new pid namespace should be used. sget_userns() is >> added to allow passing of a user namespace other than that of >> current, and this is used by proc_mount(). sget() becomes a >> wrapper around sget_userns() which passes current_user_ns(). > > From bits of the previous conversation. > > We need sget_userns(..., &init_user_ns) for sysfs. The sysfs > xattrs can travel from one mount of sysfs to another via the sysfs > backing store. > > For tmpfs and any other filesystems we support mounting without > privilige that support xattrs. We need to identify them and > see if userspace is taking advantage of the ability to set > xattrs and file caps (unlikely). If they are we need to call > sget_userns(..., &init_user_ns) on those filesystems as well. > > Possibly/Probably we should just do that for all of the interesting > filesystems to start with and then change back to an ordinary old sget > after we have done the testing and confirmed we will not be introducing > userspace regressions. Eric, Perhaps it is too soon to discuss here, but how do you envision handling of file system private mount options in user ns. For example, suppose that we get to a point where we can trust an ext4 loopback mount to be non vulnerable to exploits. That loopback mounted fs could very well have errors and so error=panic option would be very much undesired from unprivileged user mount. Do you think this would require extra flags/callbacks from VFS to file system code or would s_user_ns be sufficient? > > Eric > -- > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/