Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752149AbdFTT5x (ORCPT ); Tue, 20 Jun 2017 15:57:53 -0400 Received: from mx1.redhat.com ([209.132.183.28]:47326 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751076AbdFTT5w (ORCPT ); Tue, 20 Jun 2017 15:57:52 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com B76704ACC9 Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=vgoyal@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com B76704ACC9 Date: Tue, 20 Jun 2017 15:57:50 -0400 From: Vivek Goyal To: Amir Goldstein Cc: "Eric W. Biederman" , "Serge E. Hallyn" , Stefan Berger , Mimi Zohar , Linux Containers , LKML , xiaolong.ye@intel.com, lkp@01.org, Miklos Szeredi Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities Message-ID: <20170620195750.GA5807@redhat.com> References: <9f80188c-df03-066a-5dac-785cc711d064@linux.vnet.ibm.com> <20170613171818.GA9070@mail.hallyn.com> <74e490f3-3c47-abfa-86ae-0fa0d1ddb43a@linux.vnet.ibm.com> <20170613235521.GC15685@mail.hallyn.com> <20170615030543.GA8979@mail.hallyn.com> <20170618221418.GA364@mail.hallyn.com> <87tw3boe5d.fsf@xmission.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.7.1 (2016-10-04) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Tue, 20 Jun 2017 19:57:52 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5731 Lines: 116 On Tue, Jun 20, 2017 at 08:42:45AM +0300, Amir Goldstein wrote: > On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman > wrote: > > "Serge E. Hallyn" writes: > > > >> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): > >>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote: > >>> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote: > >>> >>On 06/13/2017 07:55 PM, Serge E. Hallyn wrote: > >>> >>>Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): > >>> >>>> If all extended > >>> >>>>attributes were to support this model, maybe the 'uid' could be > >>> >>>>associated with the 'name' of the xattr rather than its 'value' (not > >>> >>>>sure whether that's possible). > >>> >>>Right, I missed that in your original email when I saw it this morning. > >>> >>>It's not what my patch does, but it's an interesting idea. Do you have > >>> >>>a patch to that effect? We might even be able to generalize that to > >>> >>No, I don't have a patch. It may not be possible to implement it. > >>> >>The xattr_handler's take the name of the xattr as input to get(). > >>> >That may be ok though. Assume the host created a container with > >>> >100000 as the uid for root, which created a container with 130000 as > >>> >uid for root. If root in the nested container tries to read the > >>> >xattr, the kernel can check for security.foo[130000] first, then > >>> >security.foo[100000], then security.foo. Or, it can do a listxattr > >>> >and look for those. Am I overlooking one? > >>> > > >>> >>So one could try to encode the mapped uid in the name. However, that > >>> >I thought that's exactly what you were suggesting in your original > >>> >email? "security.capability[uid=2000]" > >>> > > >>> >>could lead to problems with stale xattrs in a shared filesystem over > >>> >>time unless one could limit the number of xattrs with the same > >>> >>prefix, e.g., security.capability*. So I doubt that it would work. > >>> >Hm. Yeah. But really how many setups are there like that? I.e. if > >>> >you launch a regular docker or lxd container, the image doesn't do a > >>> >bind mount of a shared image, it layers something above it or does a > >>> >copy. What setups do you know of where multiple containers in different > >>> >user namespaces mount the same filesystem shared and writeable? > >>> > >>> I think I have something now that accomodates userns access to > >>> security.capability: > >>> > >>> https://github.com/stefanberger/linux/commits/xattr_for_userns > >> > >> Thanks! > >> > >>> Encoding of uid is in the attribute name now as follows: > >>> security.foo@uid= > >>> > >>> 1) The 'plain' security.capability is only r/w accessible from the > >>> host (init_user_ns). > >>> 2) When userns reads/writes 'security.capability' it will read/write > >>> security.capability@uid= instead, with uid being the uid of > >>> root , e.g. 1000. > >>> 3) When listing xattrs for userns the host's security.capability is > >>> filtered out to avoid read failures iof 'security.capability' if > >>> security.capability@uid= is read but not there. (see 1) and 2)) > >>> 4) security.capability* may all be read from anywhere > >>> 5) security.capability@uid= may be read or written directly > >>> from a userns if matches the uid of root (current_uid()) > >> > >> This looks very close to what we want. One exception - we do want > >> to support root in a user namespace being able to write > >> security.capability@uid= where is a valid uid mapped in its > >> namespace. In that case the name should be rewritten to be > >> security.capability@uid= where y is the unmapped kuid.val. > >> > >> Eric, > >> > >> so far my patch hasn't yet hit Linus' tree. Given that, would you > >> mind taking a look and seeing what you think of this approach? If > >> we may decide to go this route, we probably should stop my patch > >> from hitting Linus' tree before we have to continue supporting it. > > > > Agreed. I will take a look. I also want to see how all of this works > > in the context of stackable filesystems. As that is the one case that > > looked like it could be a problem case in your current patchset. > > > > Apropos stackable filesystems [cc some overlayfs folks], is there any > way that parts of this work could be generalized towards ns aware > trusted@uid.* xattr? > > With overlayfs, files are written to underlying fs with mounter's > credentials. We do switch to mounter's credential for privileged operations but for a newly created file final selinux label is created as if task created that file. >How this affects v3 security capabilities and how exactly > security xattrs are handled in overtlayfs I'm not sure. Vivek? Given we switch to mounter's creds for operations on underlying filesystem (setxattr, getxattr), I thought that it probably will call xattr_userns_name() in nested manner. Once using tasks's creds and second time using mounter's creds. So that probably should have made it security.foo@uid@uid. I tried patches quickly but setcap/getcap inside containers work. So may be it is due to the fact that mounting was done from init_user_ns and following line of code will avoid adding @uid in that case. + /* no name changes for init_user_ns or uid == 0 */ + if (current_user_ns() == &init_user_ns || uid.val == 0) + goto out_copy; + I have not looked deeper. Still curious how getxattr() path works when we switch to mounter's creds. In that case underlying file system will get the impression that mounter task is trying to do getxattr() in security.capability set by container task. I am assuming we allow that? I need to spend more time understanding this. Vivek