Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760451AbcCDWxL (ORCPT ); Fri, 4 Mar 2016 17:53:11 -0500 Received: from out02.mta.xmission.com ([166.70.13.232]:38865 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759555AbcCDWxG (ORCPT ); Fri, 4 Mar 2016 17:53:06 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Seth Forshee Cc: Alexander Viro , Serge Hallyn , Richard Weinberger , Austin S Hemmelgarn , Miklos Szeredi , linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org, fuse-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com> <1451930639-94331-12-git-send-email-seth.forshee@canonical.com> <20160303170201.GA30224@ubuntu-hedt> Date: Fri, 04 Mar 2016 16:43:06 -0600 In-Reply-To: <20160303170201.GA30224@ubuntu-hedt> (Seth Forshee's message of "Thu, 3 Mar 2016 11:02:01 -0600") Message-ID: <87twkl50g5.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX1/c+2lZV99F/DAF96KmmvmUzcHwwCiYQS0= X-SA-Exim-Connect-IP: 70.59.168.211 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Seth Forshee X-Spam-Relay-Country: X-Spam-Timing: total 769 ms - load_scoreonly_sql: 0.10 (0.0%), signal_user_changed: 8 (1.1%), b_tie_ro: 7 (0.9%), parse: 1.18 (0.2%), extract_message_metadata: 14 (1.9%), get_uri_detail_list: 1.95 (0.3%), tests_pri_-1000: 6 (0.7%), tests_pri_-950: 1.33 (0.2%), tests_pri_-900: 1.09 (0.1%), tests_pri_-400: 25 (3.3%), check_bayes: 24 (3.1%), b_tokenize: 8 (1.0%), b_tok_get_all: 8 (1.1%), b_comp_prob: 2.4 (0.3%), b_tok_touch_all: 3.2 (0.4%), b_finish: 0.67 (0.1%), tests_pri_0: 700 (91.0%), check_dkim_signature: 0.54 (0.1%), check_dkim_adsp: 3.7 (0.5%), tests_pri_500: 8 (1.0%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2641 Lines: 55 Seth Forshee writes: > On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: >> The mounter of a filesystem should be privileged towards the >> inodes of that filesystem. Extend the checks in >> inode_owner_or_capable() and capable_wrt_inode_uidgid() to >> permit access by users priviliged in the user namespace of the >> inode's superblock. > > Eric - I've discovered a problem related to this patch. The patches > you've already applied to your testing branch make it so that s_user_ns > can be an unprivileged user for proc and kernfs-based mounts. In some > cases DAC is the only thing protecting files in these mounts (ignoring > MAC), and with this patch an unprivileged user could bypass DAC. > > There's a simple solution - always set s_user_ns to &init_user_ns for > those filesystems. I think this is the right thing to do, since the > backing store behind these filesystems are really kernel objects. But > this would break the assumption behind your patch "userns: Simpilify > MNT_NODEV handling" and cause a regression in mounting behavior. > > I've come up with several possible solutions for this conflict. > > 1. Drop this patch and keep on setting s_user_ns to unprivilged users. > This would be unfortunate because I think this patch does make sense > for most filesystems. > 2. Restrict this patch so that a user privileged towards s_user_ns is > only privileged towards the super blocks inodes if s_user_ns has a > mapping for both i_uid and i_gid. This is better than (1) but still > not ideal in my mind. > 3. Drop your patch and maintain the current MNT_NODEV behavior. > 4. Add a new s_iflags flag to indicate a super block is from an > unprivileged mount, and use this in your patch instead of s_user_ns. > > Any preference, or any other ideas? In general this is only an issue if uids and gids on the filesystem do not map into the user namespace. Therefore the general fix is to limit the logic of checking for capabilities in s_user_ns if we are dealing with INVALID_UID and INVALID_GID. For proc and kernfs that should never be the case so the problem becomes a non-issue. Further I would look at limiting that relaxation to just inode_change_ok. So that we can easily wrap that check per filesystem and deny the relaxation for proc and kernfs. proc and kernfs already have wrappers for .setattr so denying changes when !uid_vaid and !gid_valid would be a trivial addition, and ensure calamity does not ensure. Furthmore by limiting any additional to inode_change_ok we keep the work of the additional tests off of the fast paths. Eric