Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751185AbdGOABV convert rfc822-to-8bit (ORCPT ); Fri, 14 Jul 2017 20:01:21 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:47201 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751004AbdGOABU (ORCPT ); Fri, 14 Jul 2017 20:01:20 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: James Bottomley Cc: Mimi Zohar , "Serge E. Hallyn" , Stefan Berger , Mimi Zohar , containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, casey@schaufler-ca.com, "Theodore Ts'o" , lkp@01.org References: <87y3rscz9j.fsf@xmission.com> <20170713164012.brj2flnkaaks2oci@thunk.org> <87k23cb6os.fsf@xmission.com> <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com> <87bmoo8bxb.fsf@xmission.com> <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> <87h8yf7szd.fsf@xmission.com> <65dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com> <20170714133437.GA16737@mail.hallyn.com> <596f808b-e21d-8296-5fef-23c1ce7ab778@linux.vnet.ibm.com> <20170714173556.GA19669@mail.hallyn.com> <1500058090.3583.28.camel@linux.vnet.ibm.com> <1500058362.2853.28.camel@HansenPartnership.com> <1500062619.3583.71.camel@linux.vnet.ibm.com> <1500064799.2853.36.camel@HansenPartnership.com> Date: Fri, 14 Jul 2017 18:53:16 -0500 In-Reply-To: <1500064799.2853.36.camel@HansenPartnership.com> (James Bottomley's message of "Fri, 14 Jul 2017 13:39:59 -0700") Message-ID: <87379yshhv.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT X-XM-SPF: eid=1dWAWG-0000Xn-OW;;;mid=<87379yshhv.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+BTX3kxtfGQnUBuYoPS/6SnOOVMMypxFQ= X-SA-Exim-Connect-IP: 67.3.213.87 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4398] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;James Bottomley X-Spam-Relay-Country: X-Spam-Timing: total 5299 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 2.4 (0.0%), b_tie_ro: 1.66 (0.0%), parse: 0.89 (0.0%), extract_message_metadata: 11 (0.2%), get_uri_detail_list: 1.53 (0.0%), tests_pri_-1000: 4.8 (0.1%), tests_pri_-950: 1.18 (0.0%), tests_pri_-900: 1.06 (0.0%), tests_pri_-400: 23 (0.4%), check_bayes: 22 (0.4%), b_tokenize: 7 (0.1%), b_tok_get_all: 8 (0.1%), b_comp_prob: 2.3 (0.0%), b_tok_touch_all: 2.9 (0.1%), b_finish: 0.56 (0.0%), tests_pri_0: 1196 (22.6%), check_dkim_signature: 0.56 (0.0%), check_dkim_adsp: 3.5 (0.1%), tests_pri_500: 4055 (76.5%), poll_dns_idle: 4050 (76.4%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2347 Lines: 47 James Bottomley writes: > On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote: >> On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: >> > >> > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: >> > > >> > > The concern is with a shared filesystems.  In that case, for IMA >> > > it would make sense to support a native and a namespace xattr. >> > >  If due to xattr space limitations we have to limit the number of >> > > xattrs, then we should limit it to two - a native and a namespace >> > > version, with a "uid=" tag - first namespace gets permission to >> > > write the namespace xattr.  Again, like in the layered case, if >> > > the namespace xattr doesn't exist, fall back to using the native >> > > xattr. >> > >> > Just on this point: if we're really concerned about the need on >> > shared filesystems to have multiple IMA signatures per file, might >> > it not make sense simply to support multiple signatures within the >> > security.ima xattr? The rules for writing signature updates within >> > user namespaces would be somewhat complex (say only able to replace >> > a signature for which you demonstrate you possess the key) but it >> > would lead to an implementation which would work for traditional >> > shared filesystems (like NFS) as well as containerised bind mounts. >> >> Writing security.ima requires being root with CAP_SYS_ADMIN >> privileges.  I wouldn't want to give root within the namespace >> permission to over write or just extend the native security.ima. > > but why?  That's partly the point of all of this: some security. > attributes can't be written by container root without some supervision > (the capability ones are the hugely problematic ones from this point of > view), but for some there's no reason they shouldn't be.  What would be > the reason that root in a container shouldn't be able to write the ima > xattr the same as host root could on its filesystem? Mimi said she ``native''. It competely makes sense for the things that the container doesn't ``own'' to not be allowed to be written/updated by the container. James you are making the case here for root in the container to write to the ima and evm attributes that are for the container. So I don't actually see any disagreement here except perhaps for terminology. Eric