Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755782AbdD0RGv (ORCPT ); Thu, 27 Apr 2017 13:06:51 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:58228 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750799AbdD0RGn (ORCPT ); Thu, 27 Apr 2017 13:06:43 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: "Serge E. Hallyn" Cc: Seth Forshee , lkml , linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, Kees Cook , Andreas Gruenbacher , Andy Lutomirski , "Andrew G. Morgan" References: <20170419164824.GA27843@mail.hallyn.com> <87wpadpb3m.fsf@xmission.com> <20170422151412.GA14861@mail.hallyn.com> <87vapwncws.fsf@xmission.com> <87r30d255v.fsf@xmission.com> <20170427165245.GA794@mail.hallyn.com> Date: Thu, 27 Apr 2017 12:00:25 -0500 In-Reply-To: <20170427165245.GA794@mail.hallyn.com> (Serge E. Hallyn's message of "Thu, 27 Apr 2017 11:52:45 -0500") Message-ID: <874lx9zsye.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1d3msE-0000Ld-FX;;;mid=<874lx9zsye.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.233.227;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1/hl3C9ey7p5mrr504csHI3lcJFJtfeI3A= X-SA-Exim-Connect-IP: 67.3.233.227 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;"Serge E. Hallyn" X-Spam-Relay-Country: X-Spam-Timing: total 5681 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 2.8 (0.1%), b_tie_ro: 2.1 (0.0%), parse: 0.87 (0.0%), extract_message_metadata: 15 (0.3%), get_uri_detail_list: 2.8 (0.0%), tests_pri_-1000: 7 (0.1%), tests_pri_-950: 1.10 (0.0%), tests_pri_-900: 0.91 (0.0%), tests_pri_-400: 27 (0.5%), check_bayes: 26 (0.5%), b_tokenize: 9 (0.2%), b_tok_get_all: 9 (0.2%), b_comp_prob: 2.7 (0.0%), b_tok_touch_all: 3.0 (0.1%), b_finish: 0.59 (0.0%), tests_pri_0: 273 (4.8%), check_dkim_signature: 0.53 (0.0%), check_dkim_adsp: 2.5 (0.0%), tests_pri_500: 5352 (94.2%), poll_dns_idle: 5346 (94.1%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] Introduce v3 namespaced file capabilities X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4517 Lines: 112 "Serge E. Hallyn" writes: > Quoting Eric W. Biederman (ebiederm@xmission.com): >> ebiederm@xmission.com (Eric W. Biederman) writes: >> >> > "Serge E. Hallyn" writes: >> > >> >> Quoting Eric W. Biederman (ebiederm@xmission.com): >> >>> >> >>> "Serge E. Hallyn" writes: >> >>> >> >>> > diff --git a/fs/xattr.c b/fs/xattr.c >> >>> > index 7e3317c..75cc65a 100644 >> >>> > --- a/fs/xattr.c >> >>> > +++ b/fs/xattr.c >> >>> > @@ -170,12 +170,29 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, >> >>> > const void *value, size_t size, int flags) >> >>> > { >> >>> > struct inode *inode = dentry->d_inode; >> >>> > - int error = -EAGAIN; >> >>> > + int error; >> >>> > + void *wvalue = NULL; >> >>> > + size_t wsize = 0; >> >>> > int issec = !strncmp(name, XATTR_SECURITY_PREFIX, >> >>> > XATTR_SECURITY_PREFIX_LEN); >> >>> > >> >>> > - if (issec) >> >>> > + if (issec) { >> >>> > inode->i_flags &= ~S_NOSEC; >> >>> > + >> >>> > + if (!strcmp(name, "security.capability")) { >> >>> > + error = cap_setxattr_convert_nscap(dentry, value, size, >> >>> > + &wvalue, &wsize); >> >>> > + if (error < 0) >> >>> > + return error; >> >>> > + if (wvalue) { >> >>> > + value = wvalue; >> >>> > + size = wsize; >> >>> > + } >> >>> > + } >> >>> > + } >> >>> > + >> >>> > + error = -EAGAIN; >> >>> > + >> >>> >> >>> Why is the conversion in __vfs_setxattr_noperm and not in setattr as >> >>> was done for posix_acl_fix_xattr_from_user? >> >> >> >> I think I was thinking I wanted to catch all the vfs_setxattr operations, >> >> but I don't think that's right. Moving to setxattr seems right. I'll >> >> look around a bit more. >> > >> > Thanks. This is one of these little details that we want a good answer >> > to why there. If you can document that in your patch description when >> > you resend I would appreciate it. >> >> Ok. Grrr. >> >> Looking at this a little more getting it correct where we call the >> conversion operation is critical. >> >> I believe the current placement of cap_setxattr_convert_nscap is >> actively wrong. In particular unless I am misleading something this >> will trigger multiple conversions when setting one of these attributes >> on overlayfs. >> >> The stragey I adopted for for posix acls is: >> >> On a write from userspace convert from current_user_ns() to &init_user_ns. >> On a write to the filesystem convert from &init_user_ns to fs_user_ns. >> >> On a read from the filesystem convert from fs_user_ns to &init_user_ns >> On a read from the kernel to userspace convert from &init_user_ns >> to current_user_ns(). >> >> Overall a good strategy but no one we can trivially adopt for the >> capability xattr as the second write to filesystem method does not >> appear to actually exist for anything except for posix acls. >> >> I need to think a little more about how we want to accomplish this for >> the capability xattr. My apoligies for leading you down a path that has >> all of these bumps and then being sufficiently distracted not to help >> you through this maze. >> >> The only easy solution I can see is to just always keep things in >> &init_user_ns inside the kernel. That works until we bring fuse or >> other unprivileged mounts onboard that have storage outside of the >> kernel. >> >> Seth and I will have to rework that for fuse support but that sounds >> better than not letting such an issue prevent us from merging the code. > > Ok, in the meantime I've made a few updates in my tree which I think > make the code a lot nicer (and do move the conversion to setxattr()), > but there's a bug in that which I'm still trying to nail down. I'll > send a new version when I get that figured, and we can see how close > to ok that is. > > Note that upstream cap_inode_removexattr and cap_inode_setxattr() > upstream still don't respect the fs_user_ns properly either (the > proper code is in the Ubuntu kernel, maybe it's in your -next > tree, I don't know how you and Seth are coordinating that) Oh yes. The relaxation of permissions. I remember holding off on that until we knew the core vfs work was done. At this point I don't think it is necessary to keep holding off. It seemed prudent before we got all of the s_user_ns bits used in all of the proper places. At this point I think it was just worry about the last little vfs bits has been challenging enough that we just haven't gotten too it. Eric