From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: ebiederm@xmission.com, containers@lists.linux-foundation.org
Cc: lkp@01.org, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, tycho@docker.com, serge@hallyn.com, James.Bottomley@HansenPartnership.com, vgoyal@redhat.com, christian.brauner@mailbox.org, amir73il@gmail.com, linux-security-module@vger.kernel.org, casey@schaufler-ca.com, Stefan Berger
Subject: [PATCH v2] Enable namespaced file capabilities
Date: Tue, 11 Jul 2017 11:05:10 -0400
Message-Id: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Stefan Berger <stefanb@linux.vnet.ibm.com>

The primary goal of the following patch is to enable file capabilities in
user namespaces without affecting the file capabilities that are effective
on the host. This is to prevent any unprivileged user on the host from
mapping his own uid to root in a private namespace, writing the xattr, and
executing the file with privilege on the host.

We achieve this goal by writing extended attributes with a different name
when a user namespace is used. If for example the root user in a user
namespace writes the security.capability xattr, the name of the xattr that
is actually written is encoded as security.capability@uid=1000 for root
mapped to uid 1000 on the host. When listing the xattrs on the host, the
existing security.capability as well as the security.capability@uid=1000
will be shown. Inside the namespace only 'security.capability', with the
value of security.capability@uid=1000, is visible.

To maintain compatibility with existing behavior, the value of
security.capability of the host is shown inside the user namespace once the
security.capability of the user namespace has been removed (which really
removes security.capability@uid=1000). Writing to an extended attribute
inside a user namespace effectively hides the extended attribute of the
host.

The general framework that is established with these patches can be applied
to other extended attributes as well, such as security.ima or the
'trusted.' prefix.
Regards,
   Stefan & Serge

---
v1->v2:
 - removed patch 3 related to security.selinux; no other xattr than
   security.capability is touched
 - reordered call to xattr_userns_name() to be before call to
   xattr_resolve_name() since the string passed into the handler must
   contain the full xattr name so that xattr_full_name() still works
   properly since only the xattr's suffix is passed to the handler function
   but xattr_resolve_name() may be called from that handler

Stefan Berger (1):
  xattr: Enable security.capability in user namespaces

 fs/xattr.c               | 509 +++++++++++++++++++++++++++++++++++++++++++++--
 security/commoncap.c     |  36 +++-
 security/selinux/hooks.c |   9 +-
 3 files changed, 523 insertions(+), 31 deletions(-)

--
2.7.4
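The name-encoding and lookup rules the cover letter describes, as an added user-space model (example code, not the patch's own fs/xattr.c code): a user namespace whose root maps to host uid N writes security.capability as security.capability@uid=N, a lookup from inside that namespace prefers its own copy and falls back to the host's plain security.capability once the namespaced copy is gone, and other namespaces' copies are never visible. The function names, the struct and the sample xattr table are this example's own assumptions; the kernel keeps these xattrs on the inode, not in an array.

```c
/* Added example: user-space model of the security.capability name mapping
 * described in the cover letter. Not the kernel patch's code; all names
 * below are the example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define CAP_XATTR "security.capability"
#define NS_SUFFIX "@uid="

/* Host-side name stored when a process whose user namespace maps root to
 * root_host_uid sets `name`. Only security.capability is remapped (v2 touches
 * no other xattr); the init namespace (root mapped to uid 0) and all other
 * names are written unchanged. Returns the length, or -1 if out is too small. */
int userns_xattr_name(const char *name, uid_t root_host_uid,
                      char *out, size_t outlen)
{
    int n;
    if (root_host_uid == 0 || strcmp(name, CAP_XATTR) != 0)
        n = snprintf(out, outlen, "%s", name);
    else
        n = snprintf(out, outlen, "%s%s%u", name, NS_SUFFIX,
                     (unsigned)root_host_uid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Classify a host-side name: 1 (and *uid set) for a namespaced
 * security.capability, 0 for the plain host name, -1 for anything else,
 * including a malformed "@uid=" suffix. */
int parse_host_xattr_name(const char *host_name, uid_t *uid)
{
    const size_t plen = strlen(CAP_XATTR);
    if (strncmp(host_name, CAP_XATTR, plen) != 0)
        return -1;
    if (host_name[plen] == '\0')
        return 0;
    if (strncmp(host_name + plen, NS_SUFFIX, strlen(NS_SUFFIX)) != 0)
        return -1;
    const char *p = host_name + plen + strlen(NS_SUFFIX);
    char *end;
    unsigned long v = strtoul(p, &end, 10);
    if (*p < '0' || *p > '9' || *end != '\0')   /* reject "", "-1", "12x" */
        return -1;
    *uid = (uid_t)v;
    return 1;
}

/* One inode's xattrs as they appear on the host (the host listing shows
 * every raw name). */
struct host_xattr { const char *name; const char *value; };

/* Value of security.capability as seen from a user namespace whose root maps
 * to root_host_uid: the namespace's own copy shadows the host copy; once it
 * is removed the host value shows through (the compatibility rule). Copies
 * belonging to other namespaces are ignored. NULL when nothing applies. */
const char *userns_capability_lookup(const struct host_xattr *xs, size_t n,
                                     uid_t root_host_uid)
{
    const char *host_value = NULL;
    for (size_t i = 0; i < n; i++) {
        uid_t uid;
        int kind = parse_host_xattr_name(xs[i].name, &uid);
        if (kind == 1 && root_host_uid != 0 && uid == root_host_uid)
            return xs[i].value;            /* namespaced copy wins */
        if (kind == 0)
            host_value = xs[i].value;      /* remembered as fallback */
    }
    return host_value;
}

/* Constructed sample: the host's own capability xattr plus copies written by
 * the root users of two user namespaces (root -> uid 1000 and 2000). */
static const struct host_xattr sample[] = {
    { "security.capability",          "host-caps"   },
    { "security.capability@uid=1000", "ns1000-caps" },
    { "security.capability@uid=2000", "ns2000-caps" },
    { "user.note",                    "unrelated"   },
};

const char *demo_lookup(uid_t root_host_uid)
{
    return userns_capability_lookup(sample, sizeof sample / sizeof sample[0],
                                    root_host_uid);
}

int main(void)
{
    char buf[64];
    userns_xattr_name(CAP_XATTR, 1000, buf, sizeof buf);
    printf("root@uid=1000 writes %s as %s\n", CAP_XATTR, buf);
    printf("host view:      %s\n", demo_lookup(0));
    printf("ns root->1000:  %s\n", demo_lookup(1000));
    printf("ns root->2000:  %s\n", demo_lookup(2000));
    printf("ns root->3000:  %s (no own copy, host value shows through)\n",
           demo_lookup(3000));
    return 0;
}
```

The model reproduces the threat the cover letter is addressing: a namespace root writing what it sees as security.capability only ever lands in a uid-tagged name, so the host's lookup (root mapped to uid 0) never reads a value an unprivileged user produced.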