Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754803AbdFWSfU (ORCPT ); Fri, 23 Jun 2017 14:35:20 -0400 Received: from h2.hallyn.com ([78.46.35.8]:33288 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754327AbdFWSfT (ORCPT ); Fri, 23 Jun 2017 14:35:19 -0400 Date: Fri, 23 Jun 2017 13:35:20 -0500 From: "Serge E. Hallyn" To: Stefan Berger Cc: Casey Schaufler , "Serge E. Hallyn" , Amir Goldstein , "Eric W. Biederman" , Linux Containers , lkp@01.org, xiaolong.ye@intel.com, linux-kernel , Mimi Zohar , Tycho Andersen , James Bottomley , christian.brauner@mailbox.org, Vivek Goyal , LSM List Subject: Re: [PATCH 0/3] Enable namespaced file capabilities Message-ID: <20170623183520.GC21137@mail.hallyn.com> References: <1498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com> <20170623160026.GA18257@mail.hallyn.com> <3404c486-c848-3283-50f7-2283cb631e8e@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3404c486-c848-3283-50f7-2283cb631e8e@linux.vnet.ibm.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2336 Lines: 45 Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): > On 06/23/2017 12:16 PM, Casey Schaufler wrote: > >On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: > >>Quoting Amir Goldstein (amir73il@gmail.com): > >>>On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger > >>> wrote: > >>>>This series of patches primary goal is to enable file capabilities > >>>>in user namespaces without affecting the file capabilities that are > >>>>effective on the host. This is to prevent that any unprivileged user > >>>>on the host maps his own uid to root in a private namespace, writes > >>>>the xattr, and executes the file with privilege on the host. > >>>> > >>>>We achieve this goal by writing extended attributes with a different > >>>>name when a user namespace is used. If for example the root user > >>>>in a user namespace writes the security.capability xattr, the name > >>>>of the xattr that is actually written is encoded as > >>>>security.capability@uid=1000 for root mapped to uid 1000 on the host. > >>>>When listing the xattrs on the host, the existing security.capability > >>>>as well as the security.capability@uid=1000 will be shown. Inside the > >>>>namespace only 'security.capability', with the value of > >>>>security.capability@uid=1000, is visible. > >>>> > >>>Am I the only one who thinks that suffix is perhaps not the best grammar > >>>to use for this namespace? > >>You're the only one to have mentioned it so far. > >> > >>>xattrs are clearly namespaced by prefix, so it seems right to me to keep > >>>it that way - define a new special xattr namespace "ns" and only if that > >>>prefix exists, the @uid suffix will be parsed. > >>>This could be either ns.security.capability@uid=1000 or > >>>ns@uid=1000.security.capability. The latter seems more correct to me, > >>>because then we will be able to namespace any xattr without having to > >>>protect from "unprivileged xattr injection", i.e.: > >>>setfattr -n "user.whatever.foo@uid=0" > >>I like it for simplifying the parser code. One concern I have is that, > >>since ns.* is currently not gated, one could write ns.* on an older > >>kernel and then exploit it on a newer one. > >security.ns.capability@uid=1000, then? > > Imo, '.ns' is redundant and 'encoded' in the '@'. So how about security.@uid=1000@@capability ? Maybe it's not worth it.