Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932146AbdGNMMv (ORCPT <rfc822;w@1wt.eu>);
        Fri, 14 Jul 2017 08:12:51 -0400
Received: from out03.mta.xmission.com ([166.70.13.233]:57497 "EHLO
        out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932079AbdGNMMs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 14 Jul 2017 08:12:48 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>, "Serge E. Hallyn" <serge@hallyn.com>,
        containers@lists.linux-foundation.org, lkp@01.org,
        linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com,
        tycho@docker.com, James.Bottomley@HansenPartnership.com,
        vgoyal@redhat.com, christian.brauner@mailbox.org, amir73il@gmail.com,
        linux-security-module@vger.kernel.org, casey@schaufler-ca.com
References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com>
        <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com>
        <87mv89iy7q.fsf@xmission.com> <20170712170346.GA17974@mail.hallyn.com>
        <877ezdgsey.fsf@xmission.com>
        <74664cc8-bc3e-75d6-5892-f8934404349f@linux.vnet.ibm.com>
        <20170713011554.xwmrgkzfwnibvgcu@thunk.org>
        <87y3rscz9j.fsf@xmission.com>
        <20170713164012.brj2flnkaaks2oci@thunk.org>
        <87k23cb6os.fsf@xmission.com>
        <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com>
        <87bmoo8bxb.fsf@xmission.com>
        <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com>
        <87h8yf7szd.fsf@xmission.com>
        <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com>
Date: Fri, 14 Jul 2017 07:04:19 -0500
In-Reply-To: <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> (Stefan
        Berger's message of "Fri, 14 Jul 2017 07:32:42 -0400")
Message-ID: <87vamv2pj0.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1dVzS9-0001YP-J6;;;mid=<87vamv2pj0.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX18Tc5J/Xi3Fg4ZnEr4TSucBpRiGZCOvXj8=
X-SA-Exim-Connect-IP: 67.3.213.87
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.7 XMSubLong Long Subject
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4990]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa04 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Stefan Berger <stefanb@linux.vnet.ibm.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 5757 ms - load_scoreonly_sql: 0.06 (0.0%),
        signal_user_changed: 3.4 (0.1%), b_tie_ro: 2.3 (0.0%), parse: 1.86 (0.0%),
        extract_message_metadata: 36 (0.6%), get_uri_detail_list: 4.1 (0.1%),
        tests_pri_-1000: 10 (0.2%), tests_pri_-950: 1.15 (0.0%), tests_pri_-900: 0.95
        (0.0%), tests_pri_-400: 24 (0.4%), check_bayes: 23 (0.4%), b_tokenize: 7
        (0.1%), b_tok_get_all: 7 (0.1%), b_comp_prob: 3.6 (0.1%), b_tok_touch_all:
        2.7 (0.0%), b_finish: 0.57 (0.0%), tests_pri_0: 847 (14.7%),
        check_dkim_signature: 0.69 (0.0%), check_dkim_adsp: 3.6 (0.1%),
        tests_pri_500: 4827 (83.8%), poll_dns_idle: 4820 (83.7%), rewrite_mail: 0.00
        (0.0%)
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1266
Lines: 35

Stefan Berger <stefanb@linux.vnet.ibm.com> writes:

> On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
>> Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
>>
>>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>>>
>>>> My big question right now is can you implement Ted's suggested
>>>> restriction.  Only one security.foo or secuirty.foo@... attribute ?
>>> We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done.
>>>
>>> So now you want to allow security.foo and one security.foo@uid=<> or just a single one security.foo(@[[:print:]]*)?
>>>
>> The latter.
>
> That case would prevent a container user from overriding the xattr on
> the host. Is that what we want?

Most definitely.  If a more privileged use has set secure.capable that
is better.  

> For limiting the number of xattrs and
> getting that functionality (override IMA signature for example) the
> former seems better...

I don't know about IMA.  But my feeling is that we will only be dealing
with a single signing key, so I don't see how having multiple IMA xattrs
make sense.  Could you explain that to me?

> For the former I now have the topmost patch here:
> https://github.com/stefanberger/linux/commits/xattr_for_userns.v3

Thank you.

Eric