Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S938532AbdD0Q1Q (ORCPT ); Thu, 27 Apr 2017 12:27:16 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:35136 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755139AbdD0Q1E (ORCPT ); Thu, 27 Apr 2017 12:27:04 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: "Serge E. Hallyn" Cc: Seth Forshee , lkml , linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, Kees Cook , Andreas Gruenbacher , Andy Lutomirski , "Andrew G. Morgan" References: <20170419164824.GA27843@mail.hallyn.com> <87wpadpb3m.fsf@xmission.com> <20170422151412.GA14861@mail.hallyn.com> <87vapwncws.fsf@xmission.com> Date: Thu, 27 Apr 2017 11:20:44 -0500 In-Reply-To: <87vapwncws.fsf@xmission.com> (Eric W. Biederman's message of "Sat, 22 Apr 2017 20:14:11 -0500") Message-ID: <87r30d255v.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1d3mFs-0000Ep-4s;;;mid=<87r30d255v.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.233.227;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+6Mx97Yxfj2QWOScckF9a+PXJoh2qs1mg= X-SA-Exim-Connect-IP: 67.3.233.227 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;"Serge E. Hallyn" X-Spam-Relay-Country: X-Spam-Timing: total 5685 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 2.6 (0.0%), b_tie_ro: 1.70 (0.0%), parse: 0.79 (0.0%), extract_message_metadata: 14 (0.2%), get_uri_detail_list: 2.0 (0.0%), tests_pri_-1000: 7 (0.1%), tests_pri_-950: 1.18 (0.0%), tests_pri_-900: 0.99 (0.0%), tests_pri_-400: 23 (0.4%), check_bayes: 22 (0.4%), b_tokenize: 8 (0.1%), b_tok_get_all: 7 (0.1%), b_comp_prob: 2.4 (0.0%), b_tok_touch_all: 2.7 (0.0%), b_finish: 0.55 (0.0%), tests_pri_0: 266 (4.7%), check_dkim_signature: 0.54 (0.0%), check_dkim_adsp: 3.1 (0.1%), tests_pri_500: 5367 (94.4%), poll_dns_idle: 5355 (94.2%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] Introduce v3 namespaced file capabilities X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3179 Lines: 91 ebiederm@xmission.com (Eric W. Biederman) writes: > "Serge E. Hallyn" writes: > >> Quoting Eric W. Biederman (ebiederm@xmission.com): >>> >>> "Serge E. Hallyn" writes: >>> >>> > diff --git a/fs/xattr.c b/fs/xattr.c >>> > index 7e3317c..75cc65a 100644 >>> > --- a/fs/xattr.c >>> > +++ b/fs/xattr.c >>> > @@ -170,12 +170,29 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, >>> > const void *value, size_t size, int flags) >>> > { >>> > struct inode *inode = dentry->d_inode; >>> > - int error = -EAGAIN; >>> > + int error; >>> > + void *wvalue = NULL; >>> > + size_t wsize = 0; >>> > int issec = !strncmp(name, XATTR_SECURITY_PREFIX, >>> > XATTR_SECURITY_PREFIX_LEN); >>> > >>> > - if (issec) >>> > + if (issec) { >>> > inode->i_flags &= ~S_NOSEC; >>> > + >>> > + if (!strcmp(name, "security.capability")) { >>> > + error = cap_setxattr_convert_nscap(dentry, value, size, >>> > + &wvalue, &wsize); >>> > + if (error < 0) >>> > + return error; >>> > + if (wvalue) { >>> > + value = wvalue; >>> > + size = wsize; >>> > + } >>> > + } >>> > + } >>> > + >>> > + error = -EAGAIN; >>> > + >>> >>> Why is the conversion in __vfs_setxattr_noperm and not in setattr as >>> was done for posix_acl_fix_xattr_from_user? >> >> I think I was thinking I wanted to catch all the vfs_setxattr operations, >> but I don't think that's right. Moving to setxattr seems right. I'll >> look around a bit more. > > Thanks. This is one of these little details that we want a good answer > to why there. If you can document that in your patch description when > you resend I would appreciate it. Ok. Grrr. Looking at this a little more getting it correct where we call the conversion operation is critical. I believe the current placement of cap_setxattr_convert_nscap is actively wrong. In particular unless I am misleading something this will trigger multiple conversions when setting one of these attributes on overlayfs. The stragey I adopted for for posix acls is: On a write from userspace convert from current_user_ns() to &init_user_ns. On a write to the filesystem convert from &init_user_ns to fs_user_ns. On a read from the filesystem convert from fs_user_ns to &init_user_ns On a read from the kernel to userspace convert from &init_user_ns to current_user_ns(). Overall a good strategy but no one we can trivially adopt for the capability xattr as the second write to filesystem method does not appear to actually exist for anything except for posix acls. I need to think a little more about how we want to accomplish this for the capability xattr. My apoligies for leading you down a path that has all of these bumps and then being sufficiently distracted not to help you through this maze. The only easy solution I can see is to just always keep things in &init_user_ns inside the kernel. That works until we bring fuse or other unprivileged mounts onboard that have storage outside of the kernel. Seth and I will have to rework that for fuse support but that sounds better than not letting such an issue prevent us from merging the code. Eric