Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753935AbdFMUtM (ORCPT ); Tue, 13 Jun 2017 16:49:12 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:46903 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751793AbdFMUtL (ORCPT ); Tue, 13 Jun 2017 16:49:11 -0400 Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities To: Tycho Andersen , James Bottomley References: <20170507092105.GA67584@inn.lkp.intel.com> <20170508044408.GA11400@mail.hallyn.com> <20170508181156.GA23112@mail.hallyn.com> <9f80188c-df03-066a-5dac-785cc711d064@linux.vnet.ibm.com> <20170613171422.i5vsylhqqo736car@smitten> <1497375902.7379.25.camel@HansenPartnership.com> <20170613204612.uztqywc7topa6g2h@smitten> Cc: Mimi Zohar , containers@lists.linux-foundation.org, LKML , xiaolong.ye@intel.com, "Eric W. Biederman" , lkp@01.org From: Stefan Berger Date: Tue, 13 Jun 2017 16:49:03 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 In-Reply-To: <20170613204612.uztqywc7topa6g2h@smitten> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-TM-AS-GCONF: 00 x-cbid: 17061320-0024-0000-0000-000002919F4D X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00007226; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000212; SDB=6.00874332; UDB=6.00435206; IPR=6.00654421; BA=6.00005420; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00015811; XFM=3.00000015; UTC=2017-06-13 20:49:07 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17061320-0025-0000-0000-0000445F71D6 Message-Id: <8933bf11-7ca2-fa12-8d51-46d94d94a182@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-06-13_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1706130354 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3082 Lines: 62 On 06/13/2017 04:46 PM, Tycho Andersen wrote: > On Tue, Jun 13, 2017 at 10:45:02AM -0700, James Bottomley wrote: >> On Tue, 2017-06-13 at 11:14 -0600, Tycho Andersen via Containers wrote: >>> Hi Stefan, >>> >>> On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote: >>>> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote: >>>>> Root in a non-initial user ns cannot be trusted to write a >>>>> traditional security.capability xattr. If it were allowed to do >>>>> so, then any unprivileged user on the host could map his own uid >>>>> to root in a private namespace, write the xattr, and execute the >>>>> file with privilege on the host. >>>>> >>>>> However supporting file capabilities in a user namespace is very >>>>> desirable. Not doing so means that any programs designed to run >>>>> with limited privilege must continue to support other methods of >>>>> gaining and dropping privilege. For instance a program installer >>>>> must detect whether file capabilities can be assigned, and assign >>>>> them if so but set setuid-root otherwise. The program in turn >>>>> must know how to drop partial capabilities, and do so only if >>>>> setuid-root. >>>> Hi Serge, >>>> >>>> >>>> I have been looking at patch below primarily to learn how we >>>> could apply a similar technique to security.ima and security.evm >>>> for a namespaced IMA. From the paragraphs above I thought that you >>>> solved the problem of a shared filesystem where one now can write >>>> different security.capability xattrs by effectively supporting for >>>> example security.capability[uid=1000] and >>>> security.capability[uid=2000] written into the filesystem. Each >>>> would then become visible as security.capability if the userns >>>> mapping is set appropriately. >>> One disadvantage of this approach is that whoever is setting up the >>> container would need to go touch the security.ima attribute for each >>> file in the contianer, which would slow down container creation time. >>> For capabilities this makes sense, because you might want the file to >>> have different capabilities in different namespaces, but for IMA, >>> since the file hash will be the same in every namespace, >> Actually, this isn't necessarily true: IMA may have the hash, you're >> right, but I suspect in most container use cases it will have the >> signature. It's definitely a use case that the container will be using >> a different keyring from the host, so different signatures are surely >> possible for the same underlying image file. >> >> One might imagine doing the above via overlays, because the new >> signature should override the old. > Yes, good point, thanks. Assuming the container and the host are using > the same keyring, we could design it in such a way that the container > engine doesn't need to touch every file on creation, which would be > very nice. I don't think this will be the general case. The host may be Ubuntu, the guest could be Fedora and you'll have different keys. I don't think you would want the container keys on the host keyring. Stefan > > Tycho >