Subject: Re: [PATCH 0/3] Enable namespaced file capabilities
From: Casey Schaufler
To: Stefan Berger, "Serge E. Hallyn"
Cc: Amir Goldstein, "Eric W. Biederman", Linux Containers, lkp@01.org, xiaolong.ye@intel.com, linux-kernel, Mimi Zohar, Tycho Andersen, James Bottomley, christian.brauner@mailbox.org, Vivek Goyal, LSM List
Date: Fri, 23 Jun 2017 16:51:35 -0700
Message-ID: <59197179-8ef9-6be6-315f-41c10a8d7d06@schaufler-ca.com>
References: <1498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com> <20170623160026.GA18257@mail.hallyn.com> <3404c486-c848-3283-50f7-2283cb631e8e@linux.vnet.ibm.com> <20170623183520.GC21137@mail.hallyn.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 6/23/2017 4:09 PM, Stefan Berger wrote:
> On 06/23/2017 02:35 PM, Serge E. Hallyn wrote:
>> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):
>>> On 06/23/2017 12:16 PM, Casey Schaufler wrote:
>>>> On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
>>>>> Quoting Amir Goldstein (amir73il@gmail.com):
>>>>>> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
>>>>>> wrote:
>>>>>>> This series of patches' primary goal is to enable file capabilities
>>>>>>> in user namespaces without affecting the file capabilities that are
>>>>>>> effective on the host. This is to prevent that any unprivileged user
>>>>>>> on the host maps his own uid to root in a private namespace, writes
>>>>>>> the xattr, and executes the file with privilege on the host.
>>>>>>>
>>>>>>> We achieve this goal by writing extended attributes with a different
>>>>>>> name when a user namespace is used. If for example the root user
>>>>>>> in a user namespace writes the security.capability xattr, the name
>>>>>>> of the xattr that is actually written is encoded as
>>>>>>> security.capability@uid=1000 for root mapped to uid 1000 on the host.
>>>>>>> When listing the xattrs on the host, the existing security.capability
>>>>>>> as well as the security.capability@uid=1000 will be shown. Inside the
>>>>>>> namespace only 'security.capability', with the value of
>>>>>>> security.capability@uid=1000, is visible.
>>>>>>>
>>>>>> Am I the only one who thinks that suffix is perhaps not the best grammar
>>>>>> to use for this namespace?
>>>>> You're the only one to have mentioned it so far.
>>>>>
>>>>>> xattrs are clearly namespaced by prefix, so it seems right to me to keep
>>>>>> it that way - define a new special xattr namespace "ns" and only if that
>>>>>> prefix exists, the @uid suffix will be parsed.
>>>>>> This could be either ns.security.capability@uid=1000 or
>>>>>> ns@uid=1000.security.capability. The latter seems more correct to me,
>>>>>> because then we will be able to namespace any xattr without having to
>>>>>> protect from "unprivileged xattr injection", i.e.:
>>>>>> setfattr -n "user.whatever.foo@uid=0"
>>>>> I like it for simplifying the parser code. One concern I have is that,
>>>>> since ns.* is currently not gated, one could write ns.* on an older
>>>>> kernel and then exploit it on a newer one.
>>>> security.ns.capability@uid=1000, then?
>>> Imo, '.ns' is redundant and 'encoded' in the '@'.
>> So how about
>> security.@uid=1000@@capability ?
> Ouch.
>> Maybe it's not worth it.
>
> So the .ns is there to be able to possibly extend it in another dimension
> in the future, like have '.foo' there at some point?

Traditionally we have . If you want to preserve the kind and name
you have to introduce a third component if you want to have it
treated differently under certain (e.g. namespaced) conditions.
You want to maintain the kind, because that's already treated
specially. You want to maintain the name because that's what the
feature code keys on. The kind is expected to be first, and the
name last, so your new data needs to be in the middle.

You need to identify what you expect the new bit to be used for
because if you're clever enough to create a reason to add to the
attribute name, someone else is, too. Thus

	security.ns@uid=1000@@.capability
	security.endian@end=big@@.capability

It's better to add fields than to change how a field is formatted
and interpreted.
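As an added example (not code from this thread or from the patch series), here is a user-space C parser for the three-component layout Casey proposes above. It assumes the shape `<kind>.<field>@<key>=<value>@@.<name>` and treats anything else, including a bare `@uid=` suffix on an arbitrary name such as Amir's `user.whatever.foo@uid=0`, as an ordinary xattr name; the `nsxattr` struct and both function names are this example's own.

```c
#include <stdlib.h>
#include <string.h>

/* The three-component layout discussed in the thread, split into its parts:
 * <kind>.<field>@<key>=<value>@@.<name>  (each part is a NUL-terminated copy). */
struct nsxattr { char kind[32], field[32], key[32], value[32], name[64]; };

/* Copy the non-empty span [s, e) into dst; -1 if it is empty or too long. */
static int copy_span(char *dst, size_t cap, const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "<kind>.<field>@<key>=<value>@@.<name>" into *out.  Returns 0 only when
 * every part is present and non-empty and the middle part contains no '.', so
 * the kind stays unambiguous; any other layout (e.g. "user.foo@uid=0" or the
 * plain "security.capability@uid=1000" suffix form) returns -1. */
int parse_nsxattr(const char *xname, struct nsxattr *out)
{
    const char *dot = strchr(xname, '.');
    const char *at = dot ? strchr(dot + 1, '@') : NULL;
    const char *eq = at ? strchr(at + 1, '=') : NULL;
    const char *dd = eq ? strstr(eq + 1, "@@.") : NULL;
    if (!dd || memchr(dot + 1, '.', (size_t)(dd - dot - 1)))
        return -1;
    if (copy_span(out->kind, sizeof out->kind, xname, dot) ||
        copy_span(out->field, sizeof out->field, dot + 1, at) ||
        copy_span(out->key, sizeof out->key, at + 1, eq) ||
        copy_span(out->value, sizeof out->value, eq + 1, dd) ||
        copy_span(out->name, sizeof out->name, dd + 3, dd + 3 + strlen(dd + 3)))
        return -1;
    return 0;
}

/* Does this host-side name carry the namespaced capability for exactly `uid`?
 * Only the "security" kind with an "ns@uid=<decimal>" middle part qualifies,
 * so a "user.*" name can never be mistaken for one. */
int is_ns_capability_for(const char *xname, unsigned long uid)
{
    struct nsxattr x;
    char *end;
    if (parse_nsxattr(xname, &x) || strcmp(x.kind, "security") ||
        strcmp(x.field, "ns") || strcmp(x.key, "uid") ||
        strcmp(x.name, "capability"))
        return 0;
    return strtoul(x.value, &end, 10) == uid && *end == '\0';
}
```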