Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753297AbdFVUd1 (ORCPT ); Thu, 22 Jun 2017 16:33:27 -0400 Received: from nm28-vm1.bullet.mail.ne1.yahoo.com ([98.138.91.35]:48283 "EHLO nm28-vm1.bullet.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751202AbdFVUdZ (ORCPT ); Thu, 22 Jun 2017 16:33:25 -0400 X-Yahoo-Newman-Id: 748050.17528.bm@smtp113.mail.ne1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: MTpzpQ8VM1lZ7D.vsRscjLnfFPeY18dE_cig2nFpF49G6.P ZHU7C5EUn5N5etgpG90LRGmI5GH6nc1HeAq9qC.JedsdQizhIgOI5xYUWtBf Ftk2aHlhCgA5p8E10vjkmcm5JPuHPhwHPdmFpNKSIK5V7wmeSWxE7WWDl1aa 3CNzNOxtU6IJItjk2kKtenCn7FugUGy1UGIwPsbpomOieqA5.9Dm5kl80jnM LY3GcSD7S.q7on0NZPHzBY93Bq61MkzUjHxCtnwKQPBmrV.kiNKf9SiChdC_ 3FuGGn2Jt2dQpNgTsyNPhmPHBTe9ifg1euKDdez1UEiZVZ.sNPEw.gSVGBZ7 L1AiTsVgJLSM01mAQ_NkoePPjdclchbxs7eAdsYHd56xaGnFq3vRY8SEHqaA VIVwLZ56OjN_ybg__fRaWH0EpdaoYgrqFrfs27_4zSJoNlL6KDGBSfiP6WlJ qUO4ND1ko5sJ4CkAdONbbXi3lBFI0PDxUK0wD473jML3raJ1CeMXjNm.5wQt iyyYXzD_jamXqyuG2R6AXCFzKj8cqDpuegBEuONfkuztHBVqctcZmGM1lq7y iCk4- X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw-- Subject: Re: [PATCH 0/3] Enable namespaced file capabilities To: Stefan Berger , ebiederm@xmission.com, containers@lists.linux-foundation.org Cc: lkp@01.org, xiaolong.ye@intel.com, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, serge@hallyn.com, tycho@docker.com, James.Bottomley@HansenPartnership.com, christian.brauner@mailbox.org, vgoyal@redhat.com, amir73il@gmail.com, linux-security-module@vger.kernel.org References: <1498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com> <70a09f1b-e82c-a25c-9325-d5d757b1b695@schaufler-ca.com> <10fb9c1b-e9af-336c-9a1b-cf95259cfaf3@linux.vnet.ibm.com> From: Casey Schaufler Message-ID: <2bf08b3e-27f4-3592-d5e2-a823401ac644@schaufler-ca.com> Date: Thu, 22 Jun 2017 13:33:20 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.0 MIME-Version: 1.0 In-Reply-To: <10fb9c1b-e9af-336c-9a1b-cf95259cfaf3@linux.vnet.ibm.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3761 Lines: 73 On 6/22/2017 1:12 PM, Stefan Berger wrote: > On 06/22/2017 03:59 PM, Casey Schaufler wrote: >> On 6/22/2017 11:59 AM, Stefan Berger wrote: >>> This series of patches primary goal is to enable file capabilities >>> in user namespaces without affecting the file capabilities that are >>> effective on the host. This is to prevent that any unprivileged user >>> on the host maps his own uid to root in a private namespace, writes >>> the xattr, and executes the file with privilege on the host. >>> >>> We achieve this goal by writing extended attributes with a different >>> name when a user namespace is used. If for example the root user >>> in a user namespace writes the security.capability xattr, the name >>> of the xattr that is actually written is encoded as >>> security.capability@uid=1000 for root mapped to uid 1000 on the host. >> You need to identify the instance of the user namespace for >> this to work right on a system with multiple user namespaces. >> If I have a shared filesystem mounted in two different user >> namespaces a change by one will affect the other. > > Two different user namespaces with different uid mappings will not affect each other. But two namespaces with the same uid mapping will, and I don't think this meets the principle of least astonishment. I also object to associating capabilities with UIDs. The whole point of capabilities is to disassociate UID 0 from privilege. What you've done is explicitly associate a UID with the ability to have privilege. That's an architectural regression. > > If root in userns1 mapped to uid 1000 (size 1000) writes security.capability, it will write security.capability@uid=1000 into the fs. > If root in userns2 mapped to uid 2000 (size 1000) writes security.capability, it will write security.capability@uid=2000 into the fs. > > Neither of the two will see each other's security.capability, but each will see their own 'security.capability'. > > Assume now userns1 has a size of 2000, so overlapping with userns2, it will now see userns2's security.capability@uid=1000 as well as its own 'security.capability'. security.capability@uid=1000 (of userns2) in userns1 will not have an effect on effective file capabilities. > >> ... unless I'm missing something obvious about namespace behavior. >> >>> When listing the xattrs on the host, the existing security.capability >>> as well as the security.capability@uid=1000 will be shown. Inside the >>> namespace only 'security.capability', with the value of >>> security.capability@uid=1000, is visible. >>> >>> To maintain compatibility with existing behavior, the value of >>> security.capability of the host is shown inside the user namespace >>> once the security.capability of the user namespace has been removed >>> (which really removes security.capability@uid=1000). Writing to >>> an extended attribute inside a user namespace effectively hides the >>> extended attribute of the host. >>> >>> The general framework that is established with these patches can >>> be applied to other extended attributes as well, such as security.ima >>> or the 'trusted.' prefix . Another extended attribute that needed to >>> be enabled here is 'security.selinux,' since otherwise this extended >>> attribute would not be shown anymore inside a user namespace. >>> >>> Regards, >>> Stefan & Serge >>> >>> >>> Stefan Berger (3): >>> xattr: Enable security.capability in user namespaces >>> Enable capabilities of files from shared filesystem >>> Enable security.selinux in user namespaces >>> >>> fs/xattr.c | 472 ++++++++++++++++++++++++++++++++++++++++++++++- >>> security/commoncap.c | 36 +++- >>> security/selinux/hooks.c | 9 +- >>> 3 files changed, 501 insertions(+), 16 deletions(-) >>> > >