Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754656AbdFWR5O (ORCPT ); Fri, 23 Jun 2017 13:57:14 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:60898 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753598AbdFWR5M (ORCPT ); Fri, 23 Jun 2017 13:57:12 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: "Serge E. Hallyn" Cc: Casey Schaufler , Amir Goldstein , Stefan Berger , Linux Containers , lkp@01.org, xiaolong.ye@intel.com, linux-kernel , Mimi Zohar , Tycho Andersen , James Bottomley , christian.brauner@mailbox.org, Vivek Goyal , LSM List References: <1498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com> <20170623160026.GA18257@mail.hallyn.com> <20170623163030.GA18820@mail.hallyn.com> <20170623170108.GA19354@mail.hallyn.com> Date: Fri, 23 Jun 2017 12:49:59 -0500 In-Reply-To: <20170623170108.GA19354@mail.hallyn.com> (Serge E. Hallyn's message of "Fri, 23 Jun 2017 12:01:08 -0500") Message-ID: <8760fmh9vc.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1dOSpL-0000eX-6k;;;mid=<8760fmh9vc.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+Pq1QmqFXC7+pJQnugByglteB95aYMNao= X-SA-Exim-Connect-IP: 67.3.213.87 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: *;"Serge E. Hallyn" X-Spam-Relay-Country: X-Spam-Timing: total 5545 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 2.6 (0.0%), b_tie_ro: 1.83 (0.0%), parse: 1.10 (0.0%), extract_message_metadata: 17 (0.3%), get_uri_detail_list: 2.6 (0.0%), tests_pri_-1000: 6 (0.1%), tests_pri_-950: 1.15 (0.0%), tests_pri_-900: 0.98 (0.0%), tests_pri_-400: 26 (0.5%), check_bayes: 25 (0.4%), b_tokenize: 8 (0.1%), b_tok_get_all: 9 (0.2%), b_comp_prob: 3.0 (0.1%), b_tok_touch_all: 3.2 (0.1%), b_finish: 0.65 (0.0%), tests_pri_0: 250 (4.5%), check_dkim_signature: 0.48 (0.0%), check_dkim_adsp: 2.9 (0.1%), tests_pri_500: 5236 (94.4%), poll_dns_idle: 5230 (94.3%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 0/3] Enable namespaced file capabilities X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2503 Lines: 60 "Serge E. Hallyn" writes: > Quoting Casey Schaufler (casey@schaufler-ca.com): >> On 6/23/2017 9:30 AM, Serge E. Hallyn wrote: >> > Quoting Casey Schaufler (casey@schaufler-ca.com): >> >> Or maybe just security.ns.capability, taking James' comment into account. >> > That last one may be suitable as an option, useful for his particular >> > (somewhat barbaric :) use case, but it's not ok for the general solution. >> >> security.ns@uid=100.capability > > I'm ok with this. It gives protection from older kernels, and puts > the 'ns@uid=' at predictable locations for security and trusted. > >> It makes the namespace part explicit and separate from >> the rest of the attribute name. It also generalizes for >> other attributes. >> >> security.ns@uid=1000@smack=WestOfOne.SMACK64 > > Looks good to me. > > Do we want to say that '.' ends the attribute list? That of > course means '.' cannot be in the attributes. Perhaps end > with '@@' instead? Just a thought. > > What do others think? I think we have two things that will limit the allowed attributes severely. 1) We need to the names of all of the xattrs when mounting a filesystem with s_user_ns != &init_user_ns. I haven't yet checked the patches to see if they do this properly. 2) Names of xattrs are not fully general and filesystems perform various tricks to encode them more densely. We should see what the games with xattr names do to how densely xattrs can be stored on disk. That matters. Putting the uid of the root user in the name sounds fundamental to doing things this way. I am not at all certain about putting smack labels and generally treating this as something we can add two arbitrarily. If nothing else this reminds me of the frequent problem in certifications with ouids. Arbitrary attributes tend to defeat parsers in a security context on a regular basis. Even the kernel command line parser has seen problems in this area, and it isn't security sensitive most of the time. Extensibility is good in the abstract long term sense. Extensibility in the here and now where we don't even know which attributes we are talking about scares me. I don't see how we can possibily know with multiple attributes which xattrs will be the one to use. As we won't even know which properties of the kernel to look at to match attributes. So while I don't mind reorganizing the order we put the information into the attribute. Let's keep what we place in there very specific. Eric