Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932204AbcDVR0s (ORCPT ); Fri, 22 Apr 2016 13:26:48 -0400 Received: from h2.hallyn.com ([78.46.35.8]:40636 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754357AbcDVR0r (ORCPT ); Fri, 22 Apr 2016 13:26:47 -0400 From: serge.hallyn@ubuntu.com To: linux-kernel@vger.kernel.org Cc: linux-api@vger.kernel.org, containers@lists.linux-foundation.org, ebiederm@xmission.com, morgan@kernel.org, luto@amacapital.net, keescook@chromium.org, jmorris@namei.org Subject: namespaced file capabilities Date: Fri, 22 Apr 2016 12:26:32 -0500 Message-Id: <1461345993-17526-1-git-send-email-serge.hallyn@ubuntu.com> X-Mailer: git-send-email 1.7.9.5 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2145 Lines: 47 Hi, I've sent a few patches and emails over the past months about supporting file capabilities in user namespace confined containers. A few of the requirements as I see them are: 1. Root in a user namespace should be able to set file capabilities on a binary for use by any user mapped into his namespace. 2. Any uid not mapped into the user namespace whose root user set file capabilities should not gain privileges when running an executable which only has file capabilities set by this root user. 3. Existing calls to cap_set_file(3) and cap_get_file(3) as well as setcap(8) and getcap(8) should transparently work. This would allow package managers to simply set file capabilities in postinst. Below is a kernel patch which implements a new security.nscapability extended attribute. Setting this xattr on a file requires cap_setfcap against the current user namespace, and for the file to be owned by a uid and gid mapped into that namespace. When found on a file, the capabilities will take effect only if the file is owned by the root uid in the caller's namespace, or the root uid in any ancestor namespace. While this design supports nested namespaces, it does not support use of file capabilities by users in unrelated namespaces. So if the same file is linked into two namespaces N1 and N2 which do not share the same root kuid, then the only way for N1 and N2 to both execute the file while respecting security.nscapability is to have a common ancestor namespace write the capability. The only reasonable way we could handle this case would be to use a securityfs interface to set file capabilities. The capability.ko module could then do the work of keeping a list of uid ranges for which file capabilities should be honored. I don't think that flexibility is really called for. The kernel patch follows, and can be found at https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/log/?h=2016-04-22/nsfscaps The libcap patch can be found at https://git.kernel.org/cgit/linux/kernel/git/sergeh/libcap.git/log/?h=2016-04-22/nscaps Comments/conversation/suggestions greatly appreciated. thanks, -serge