Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751145AbdGNXtm (ORCPT ); Fri, 14 Jul 2017 19:49:42 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:37744 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750917AbdGNXtk (ORCPT ); Fri, 14 Jul 2017 19:49:40 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Stefan Berger Cc: containers@lists.linux-foundation.org, lkp@01.org, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, tycho@docker.com, serge@hallyn.com, James.Bottomley@HansenPartnership.com, vgoyal@redhat.com, christian.brauner@mailbox.org, amir73il@gmail.com, linux-security-module@vger.kernel.org, casey@schaufler-ca.com, Stefan Berger References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com> <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com> Date: Fri, 14 Jul 2017 18:41:39 -0500 In-Reply-To: <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com> (Stefan Berger's message of "Tue, 11 Jul 2017 11:05:11 -0400") Message-ID: <87d192si18.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1dWAKz-000663-8B;;;mid=<87d192si18.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+Ee0Q6Mw3k0GDaGpHNwxapnfUABSje9N0= X-SA-Exim-Connect-IP: 67.3.213.87 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa08 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa08 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Stefan Berger X-Spam-Relay-Country: X-Spam-Timing: total 5685 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 3.9 (0.1%), b_tie_ro: 2.8 (0.0%), parse: 1.11 (0.0%), extract_message_metadata: 16 (0.3%), get_uri_detail_list: 4.0 (0.1%), tests_pri_-1000: 4.6 (0.1%), tests_pri_-950: 0.92 (0.0%), tests_pri_-900: 0.79 (0.0%), tests_pri_-400: 22 (0.4%), check_bayes: 21 (0.4%), b_tokenize: 6 (0.1%), b_tok_get_all: 8 (0.1%), b_comp_prob: 1.57 (0.0%), b_tok_touch_all: 3.5 (0.1%), b_finish: 0.77 (0.0%), tests_pri_0: 179 (3.1%), check_dkim_signature: 0.39 (0.0%), check_dkim_adsp: 2.8 (0.0%), tests_pri_500: 5454 (95.9%), poll_dns_idle: 5447 (95.8%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2949 Lines: 66 Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: > From: Stefan Berger > > This patch enables security.capability in user namespaces but also > takes a more general approach to enabling extended attributes in user > namespaces. > > The following rules describe the approach using security.foo as a > 'user namespace enabled' extended attribute: > > Reading of extended attributes: > > 1a) Reading security.foo from a user namespace will read > security.foo@uid= of the parent user namespace instead with uid > being the mapping of root in that parent user namespace. An > exception is if root is mapped to uid 0 on the host, and in this case > we will read security.foo directly. > --> reading security.foo will read security.foo@uid=1000 for uid > mapping of root to 1000. > > 1b) If security.foo@uid= is not available, the security.foo of the > parent namespace is tried to be read. This procedure is repeated up to > the init user namespace. This step only applies for reading of extended > attributes and provides the same behavior as older system where the > host's extended attributes applied to user namespaces. > > 2) All security.foo@uid= with valid uid mapping in the user namespace > can be read. The uid within the user namespace will be mapped to the > corresponding uid on the host and that uid will be used in the name of > the extended attribute. > -> reading security.foo@uid=1 will read security.foo@uid=1001 for uid > mapping of root to 1000, size of at least 2. > > All security.foo@uid= can be read (by root) on the host with values > of also being subject to checking for valid mappings. > > 3) No other security.foo* can be read. > > The same rules for reading apply to writing and removing of user > namespace enabled extended attributes. > > When listing extended attributes of a file, only those are presented > to the user namespace that have a valid mapping. Besides that, names > of the extended attributes are adjusted to represent the mapping. > This means that if root is mapped to uid 1000 on the host, the > security.foo@uid=1000 will be listed as security.foo in the user > namespace, security.foo@uid=1001 becomes security.foo@uid=1 and so on. > > Signed-off-by: Stefan Berger > Signed-off-by: Serge Hallyn > Reviewed-by: Serge Hallyn > --- > fs/xattr.c | 509 +++++++++++++++++++++++++++++++++++++++++++++-- > security/commoncap.c | 36 +++- > security/selinux/hooks.c | 9 +- > 3 files changed, 523 insertions(+), 31 deletions(-) I am just going to quickly and publicly point out that as designed this patch breaks evm inode metadata signing. As evm_config_xattrnames is not updated. While not completely insurmountable that seems like a strong limitation of this design. Eric