Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
From: Stefan Berger
To: "Eric W. Biederman"
Cc: "Theodore Ts'o", "Serge E. Hallyn", containers@lists.linux-foundation.org,
    lkp@01.org, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com,
    tycho@docker.com, James.Bottomley@HansenPartnership.com, vgoyal@redhat.com,
    christian.brauner@mailbox.org, amir73il@gmail.com,
    linux-security-module@vger.kernel.org, casey@schaufler-ca.com
Date: Fri, 14 Jul 2017 07:32:42 -0400
Message-Id: <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com>
In-Reply-To: <87h8yf7szd.fsf@xmission.com>
References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com>
    <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com>
    <87mv89iy7q.fsf@xmission.com>
    <20170712170346.GA17974@mail.hallyn.com>
    <877ezdgsey.fsf@xmission.com>
    <74664cc8-bc3e-75d6-5892-f8934404349f@linux.vnet.ibm.com>
    <20170713011554.xwmrgkzfwnibvgcu@thunk.org>
    <87y3rscz9j.fsf@xmission.com>
    <20170713164012.brj2flnkaaks2oci@thunk.org>
    <87k23cb6os.fsf@xmission.com>
    <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com>
    <87bmoo8bxb.fsf@xmission.com>
    <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com>
    <87h8yf7szd.fsf@xmission.com>
List-ID: linux-kernel@vger.kernel.org

On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
> Stefan Berger writes:
>
>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>>
>>> My big question right now is can you implement Ted's suggested
>>> restriction. Only one security.foo or security.foo@... attribute?
>>
>> We need to raw-list the xattrs and do the check before writing them.
>> I am fairly sure this can be done.
>>
>> So now you want to allow security.foo and one security.foo@uid=<>,
>> or just a single one security.foo(@[[:print:]]*)?
>>
> The latter.

That case would prevent a container user from overriding the xattr on
the host. Is that what we want? For limiting the number of xattrs and
getting that functionality (override IMA signature for example) the
former seems better...

For the former I now have the topmost patch here:

https://github.com/stefanberger/linux/commits/xattr_for_userns.v3

    Stefan

>
> Eric
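The check Stefan describes above (raw-list the existing xattrs, then decide before the write) under the two candidate rules from the exchange, as an added userspace illustration that is not the patch's kernel code: it walks a listxattr(2)-style NUL-separated name buffer and applies both "the former" (plain security.foo plus at most one security.foo@...) and "the latter" (a single security.foo(@[[:print:]]*)? in total) for a given base name. The helper names, the `@uid=<n>` suffix spelling and the two sample buffers are assumptions of this example; the kernel-side implementation in the linked branch is not reproduced here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the patch's kernel code.  Names in a listxattr(2)
 * buffer are each terminated by NUL; `len` is the total buffer length.
 * The "@uid=<n>" suffix form follows the thread and is an assumption here.
 */

/* Does `name` match base(@[[:print:]]*)?  i.e. the plain base name, or the
 * base name followed by '@' and a printable (possibly empty) suffix? */
static bool is_variant_of(const char *name, const char *base)
{
    size_t blen = strlen(base);

    if (strncmp(name, base, blen) != 0)
        return false;
    if (name[blen] == '\0')
        return true;                   /* the plain name itself */
    if (name[blen] != '@')
        return false;                  /* e.g. "security.foobar": unrelated */
    for (const char *p = name + blen + 1; *p; p++)
        if (!isprint((unsigned char)*p))
            return false;
    return true;
}

/* Is `name` already present in the list (so a write would overwrite it)? */
static bool xattr_present(const char *list, size_t len, const char *name)
{
    size_t off = 0;

    while (off < len) {
        const char *cur = list + off;
        const char *end = memchr(cur, '\0', len - off);

        if (!end)
            break;                     /* unterminated tail: stop, never overread */
        if (strcmp(cur, name) == 0)
            return true;
        off += (size_t)(end - cur) + 1;
    }
    return false;
}

/* Count existing variants of `base`: the plain name and the @-suffixed ones. */
static void count_variants(const char *list, size_t len, const char *base,
                           int *exact, int *suffixed)
{
    size_t blen = strlen(base);
    size_t off = 0;

    *exact = 0;
    *suffixed = 0;
    while (off < len) {
        const char *cur = list + off;
        const char *end = memchr(cur, '\0', len - off);

        if (!end)
            break;
        if (is_variant_of(cur, base)) {
            if (cur[blen] == '\0')
                (*exact)++;
            else
                (*suffixed)++;
        }
        off += (size_t)(end - cur) + 1;
    }
}

/* "The former": plain security.foo may coexist with at most one
 * security.foo@<suffix>; an existing name may always be overwritten. */
bool allow_write_former(const char *list, size_t len, const char *base,
                        const char *newname)
{
    int exact, suffixed;

    if (!is_variant_of(newname, base))
        return true;                   /* not a security.foo variant: out of scope */
    if (xattr_present(list, len, newname))
        return true;                   /* overwrite of an existing slot */
    count_variants(list, len, base, &exact, &suffixed);
    return newname[strlen(base)] == '\0' ? exact == 0 : suffixed == 0;
}

/* "The latter": only one security.foo(@[[:print:]]*)? may exist at all. */
bool allow_write_latter(const char *list, size_t len, const char *base,
                        const char *newname)
{
    int exact, suffixed;

    if (!is_variant_of(newname, base))
        return true;
    if (xattr_present(list, len, newname))
        return true;
    count_variants(list, len, base, &exact, &suffixed);
    return exact + suffixed == 0;
}

/* Constructed sample buffers (not captured from a real system). sizeof
 * includes the final NUL, as listxattr(2) terminates every name. */
static const char plain_list[] = "security.capability\0user.comment";
static const size_t plain_list_len = sizeof(plain_list);
static const char sample_list[] =
    "security.capability\0security.capability@uid=1000\0user.comment";
static const size_t sample_list_len = sizeof(sample_list);

int main(void)
{
    const char *base = "security.capability";
    const char *newname = "security.capability@uid=1000";

    /* Only the host's plain xattr exists: the two rules disagree here. */
    printf("former: write %s -> %s\n", newname,
           allow_write_former(plain_list, plain_list_len, base, newname)
           ? "allowed" : "denied");
    printf("latter: write %s -> %s\n", newname,
           allow_write_latter(plain_list, plain_list_len, base, newname)
           ? "allowed" : "denied");
    return 0;
}
```

The `plain_list` case is the one the reply is about: with only the host's `security.capability` present, the former rule lets a container write its own `security.capability@uid=1000` alongside it, while the latter rule rejects it. Both rules still cap the total at one suffixed name and both let an existing name be overwritten in place.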