Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753850AbdFVWkk (ORCPT ); Thu, 22 Jun 2017 18:40:40 -0400 Received: from nm11.bullet.mail.ne1.yahoo.com ([98.138.90.74]:43603 "EHLO nm11.bullet.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752741AbdFVWkj (ORCPT ); Thu, 22 Jun 2017 18:40:39 -0400 X-Yahoo-Newman-Id: 238865.66109.bm@smtp224.mail.ne1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: Vjo6d0kVM1k.0lKhByw.6iwqWWaN0j3D7etA.R3dKFREtDq .Sxu6DR6F6P6RSh5pbl1OPax7iOdduEdaSin5h9.RYBbpXRU1qllv2XFF5pe aQ0tiW96hJYWllspmDqqn4jgFvEScWuOvfjemPH2YUf0npPLASDirHg8aVQi VJp4ItX39WhfsXZmKFsg2BS5O3ixqTvg2UMkbuGLekXZVyTUkjSWBaRW.Y8v 8OEx1btVlV5rHd32hxegbi6RsFUN09MOtrSjaWFbbkZbeofnVJ3S.duPSHsQ W0IJtHrk_GsZbBaxkTB6VPcFSmEHDsG24uCN0RTMIZ6KoDhNJ6S37btgxDzD .m79DPbihLz6Fzb16JsWvStdGED87pZqNX2phs1Ivd0jnjIWwcjJueX_KeHx CUg.YeWw4uwA8o2AZ2c26tXgPs9z2jtv6SiasSCMpvefqflD8mVIOOHYZN6j KFdUG9GFtnb0ODaDAqI7oKMOcTv3hXefnhw0qT5AsZVbOwNEiuHxOaZEBK5S jAUuMAHl76jpNc.ErfgN_RXMksfhKS8kRMSuM4tgngMm1HQR.Tk5Wp2JY7Kt UOGl8QNt8vzgmdYzhK3oM X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw-- Subject: Re: [PATCH 0/3] Enable namespaced file capabilities To: "Serge E. Hallyn" Cc: Stefan Berger , ebiederm@xmission.com, containers@lists.linux-foundation.org, lkp@01.org, xiaolong.ye@intel.com, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, tycho@docker.com, James.Bottomley@HansenPartnership.com, christian.brauner@mailbox.org, vgoyal@redhat.com, amir73il@gmail.com, linux-security-module@vger.kernel.org References: <1498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com> <70a09f1b-e82c-a25c-9325-d5d757b1b695@schaufler-ca.com> <10fb9c1b-e9af-336c-9a1b-cf95259cfaf3@linux.vnet.ibm.com> <2bf08b3e-27f4-3592-d5e2-a823401ac644@schaufler-ca.com> <20170622210925.GA32691@mail.hallyn.com> From: Casey Schaufler Message-ID: <45e59e2e-0e00-cb9a-2f85-dc4606338a08@schaufler-ca.com> Date: Thu, 22 Jun 2017 15:40:34 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.0 MIME-Version: 1.0 In-Reply-To: <20170622210925.GA32691@mail.hallyn.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3643 Lines: 70 On 6/22/2017 2:09 PM, Serge E. Hallyn wrote: > Quoting Casey Schaufler (casey@schaufler-ca.com): >> On 6/22/2017 1:12 PM, Stefan Berger wrote: >>> On 06/22/2017 03:59 PM, Casey Schaufler wrote: >>>> On 6/22/2017 11:59 AM, Stefan Berger wrote: >>>>> This series of patches primary goal is to enable file capabilities >>>>> in user namespaces without affecting the file capabilities that are >>>>> effective on the host. This is to prevent that any unprivileged user >>>>> on the host maps his own uid to root in a private namespace, writes >>>>> the xattr, and executes the file with privilege on the host. >>>>> >>>>> We achieve this goal by writing extended attributes with a different >>>>> name when a user namespace is used. If for example the root user >>>>> in a user namespace writes the security.capability xattr, the name >>>>> of the xattr that is actually written is encoded as >>>>> security.capability@uid=1000 for root mapped to uid 1000 on the host. >>>> You need to identify the instance of the user namespace for >>>> this to work right on a system with multiple user namespaces. >>>> If I have a shared filesystem mounted in two different user >>>> namespaces a change by one will affect the other. >>> Two different user namespaces with different uid mappings will not affect each other. >> But two namespaces with the same uid mapping will, and I >> don't think this meets the principle of least astonishment. > It does. If you have one filesystem shared among multiple > containers, then it needs to be either read-only, or you > need to know what you're doing. Joe's a junior devop who has been given a container template which he tweaks for various nefarious purposes. He doesn't know much about what he's doing. He isn't changing the UIDs the template uses because, quite frankly, he doesn't know a UID from an entrenching tool. He has changed a filesystem from RO to RW because he read on a forum somewhere that doing so would fix a problem he had once. He doesn't want to have that problem again, so he left the change in the template. Containers are being sold as a way to make things easier. This sort of side effect is dangerous in an environment where users are being told that they don't have to worry so much, the environment will take care of them. >> I also object to associating capabilities with UIDs. The >> whole point of capabilities is to disassociate UID 0 from >> privilege. What you've done is explicitly associate a UID >> with the ability to have privilege. That's an architectural >> regression. > IMO this is looking at it the wrong way. The right way to look at the problem is to identify the capabilities the program ought to have and set the file capabilities and UID/GID properly on the program on the base system. If you have to fix the program so it works right under those conditions, so much the better for everyone. If you're running with different capabilities in a container to prevent the program from doing damage to the base system, maybe the program needs fixing instead. > From inside the container's > viewpoint, the capabilities are not associated with a uid. Any > task, regardles off uid, in the container, which executes the file, > gets the privilege. IMO that satisfies the intent of file capabilities. The UID is the wrong association. The namespace is the correct association. You're using the UID because it's something that's different in the namespace than in the base system. You can detect it. What you need is a non-volatile namespace id to attach to the file rather than using the UID mapping (which may not be unique) that the namespace uses. > -serge