Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753935AbdFMUtM (ORCPT <rfc822;w@1wt.eu>);
        Tue, 13 Jun 2017 16:49:12 -0400
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:46903 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1751793AbdFMUtL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Jun 2017 16:49:11 -0400
Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities
To: Tycho Andersen <tycho@docker.com>,
        James Bottomley <James.Bottomley@HansenPartnership.com>
References: <20170507092105.GA67584@inn.lkp.intel.com>
 <20170508044408.GA11400@mail.hallyn.com>
 <CACOXgS9a=avAWZEre1Q1CGjSHeq78Pkq1fYfwPjiyEX-u=B5wQ@mail.gmail.com>
 <20170508181156.GA23112@mail.hallyn.com>
 <9f80188c-df03-066a-5dac-785cc711d064@linux.vnet.ibm.com>
 <20170613171422.i5vsylhqqo736car@smitten>
 <1497375902.7379.25.camel@HansenPartnership.com>
 <20170613204612.uztqywc7topa6g2h@smitten>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
        containers@lists.linux-foundation.org,
        LKML <linux-kernel@vger.kernel.org>, xiaolong.ye@intel.com,
        "Eric W. Biederman" <ebiederm@xmission.com>, lkp@01.org
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date: Tue, 13 Jun 2017 16:49:03 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <20170613204612.uztqywc7topa6g2h@smitten>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-TM-AS-GCONF: 00
x-cbid: 17061320-0024-0000-0000-000002919F4D
X-IBM-SpamModules-Scores: 
X-IBM-SpamModules-Versions: BY=3.00007226; HX=3.00000241; KW=3.00000007;
 PH=3.00000004; SC=3.00000212; SDB=6.00874332; UDB=6.00435206; IPR=6.00654421;
 BA=6.00005420; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000;
 ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00015811; XFM=3.00000015;
 UTC=2017-06-13 20:49:07
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 17061320-0025-0000-0000-0000445F71D6
Message-Id: <8933bf11-7ca2-fa12-8d51-46d94d94a182@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-06-13_09:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0
 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam
 adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000
 definitions=main-1706130354
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3082
Lines: 62

On 06/13/2017 04:46 PM, Tycho Andersen wrote:
> On Tue, Jun 13, 2017 at 10:45:02AM -0700, James Bottomley wrote:
>> On Tue, 2017-06-13 at 11:14 -0600, Tycho Andersen via Containers wrote:
>>> Hi Stefan,
>>>
>>> On Tue, Jun 13, 2017 at 11:47:26AM -0400, Stefan Berger wrote:
>>>> On 05/08/2017 02:11 PM, Serge E. Hallyn wrote:
>>>>> Root in a non-initial user ns cannot be trusted to write a
>>>>> traditional security.capability xattr.  If it were allowed to do
>>>>> so, then any unprivileged user on the host could map his own uid
>>>>> to root in a private namespace, write the xattr, and execute the
>>>>> file with privilege on the host.
>>>>>
>>>>> However supporting file capabilities in a user namespace is very
>>>>> desirable.  Not doing so means that any programs designed to run
>>>>> with limited privilege must continue to support other methods of
>>>>> gaining and dropping privilege.  For instance a program installer
>>>>> must detect whether file capabilities can be assigned, and assign
>>>>> them if so but set setuid-root otherwise.  The program in turn
>>>>> must know how to drop partial capabilities, and do so only if
>>>>> setuid-root.
>>>> Hi Serge,
>>>>
>>>>
>>>>    I have been looking at patch below primarily to learn how we
>>>> could apply a similar technique to security.ima and security.evm
>>>> for a namespaced IMA. From the paragraphs above I thought that you
>>>> solved the problem of a shared filesystem where one now can write
>>>> different security.capability xattrs by effectively supporting for
>>>> example security.capability[uid=1000] and
>>>> security.capability[uid=2000] written into the filesystem. Each
>>>> would then become visible as security.capability if the userns
>>>> mapping is set appropriately.
>>> One disadvantage of this approach is that whoever is setting up the
>>> container would need to go touch the security.ima attribute for each
>>> file in the contianer, which would slow down container creation time.
>>> For capabilities this makes sense, because you might want the file to
>>> have different capabilities in different namespaces, but for IMA,
>>> since the file hash will be the same in every namespace,
>> Actually, this isn't necessarily true: IMA may have the hash, you're
>> right, but I suspect in most container use cases it will have the
>> signature.  It's definitely a use case that the container will be using
>> a different keyring from the host, so different signatures are surely
>> possible for the same underlying image file.
>>
>> One might imagine doing the above via overlays, because the new
>> signature should override the old.
> Yes, good point, thanks. Assuming the container and the host are using
> the same keyring, we could design it in such a way that the container
> engine doesn't need to touch every file on creation, which would be
> very nice.

I don't think this will be the general case. The host may be Ubuntu, the 
guest could be Fedora and you'll have different keys. I don't think you 
would want the container keys on the host keyring.

    Stefan


>
> Tycho
>