From: Alban Crequy
Date: Thu, 18 Jan 2018 15:58:41 +0100
Subject: Re: [PATCH v5 00/11] FUSE mounts from non-init user namespaces
To: "Eric W. Biederman"
Cc: Dongsu Park, LKML, Linux Containers, Miklos Szeredi, Seth Forshee, Sargun Dhillon

On Tue, Jan 9, 2018 at 4:05 PM, Dongsu Park wrote:
> Hi,
>
> On Mon, Dec 25, 2017 at 8:05 AM, Eric W. Biederman wrote:
>> Dongsu Park writes:
>>
>>> This patchset v5 is based on work by Seth Forshee and Eric Biederman.
>>> The latest patchset was v4:
>>> https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1132206.html
>>>
>>> At the moment, filesystems backed by physical medium can only be mounted
>>> by real root in the initial user namespace. This restriction exists
>>> because if it's allowed for root user in non-init user namespaces to
>>> mount the filesystem, then it effectively allows the user to control the
>>> underlying source of the filesystem. In case of FUSE, the source would
>>> mean any underlying device.
>>>
>>> However, in many use cases such as containers, it's necessary to allow
>>> filesystems to be mounted from non-init user namespaces. The goal of this
>>> patchset is to allow FUSE filesystems to be mounted from non-init user
>>> namespaces. Support for other filesystems like ext4 is not in the
>>> scope of this patchset.
>>>
>>> Let me describe how to test mounting from non-init user namespaces. It's
>>> assumed that tests are done via sshfs, a userspace filesystem based on
>>> FUSE with ssh as backend. Testing system is Fedora 27.
>>
>> In general I am for this work, and more bodies and more eyes on it is
>> generally better.
>>
>> I will review this after the New Year, I am out for the holidays right
>> now.
>
> Thanks. I'll wait for your review.

Hi Eric,

Do you have some cycles for this now that it is the new year?

A review on the associated ima issue would also be appreciated:
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1587678.html

Cheers,
Alban

>>> ====
>>> $ sudo dnf install -y sshfs
>>> $ sudo mkdir -p /mnt/userns
>>>
>>> ### workaround to get the sshfs permission checks
>>> $ sudo chown -R $UID:$UID /etc/ssh/ssh_config.d /usr/share/crypto-policies
>>>
>>> $ unshare -U -r -m
>>> # sshfs root@localhost: /mnt/userns
>>>
>>> ### You can see sshfs being mounted from a non-init user namespace
>>> # mount | grep sshfs
>>> root@localhost: on /mnt/userns type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
>>>
>>> # touch /mnt/userns/test
>>> # ls -l /mnt/userns/test
>>> -rw-r--r-- 1 root root 0 Dec 11 19:01 /mnt/userns/test
>>> ====
>>>
>>> Open another terminal, check the mountpoint from outside the namespace.
>>>
>>> ====
>>> $ grep userns /proc/$(pidof sshfs)/mountinfo
>>> 131 102 0:35 / /mnt/userns rw,nosuid,nodev,relatime - fuse.sshfs root@localhost: rw,user_id=0,group_id=0
>>> ====
>>>
>>> After all tests are done, you can unmount the filesystem
>>> inside the namespace.
>>>
>>> ====
>>> # fusermount -u /mnt/userns
>>> ====
>>>
>>> Changes since v4:
>>> * Remove other parts like ext4 to keep the patchset minimal for FUSE
>>> * Add and change commit messages
>>> * Describe how to test non-init user namespaces
>>>
>>> TODO:
>>> * Think through potential security implications. There are 2 patches
>>>   being prepared for security issues. One is "ima: define a new policy
>>>   option named force" by Mimi Zohar, which adds an option to specify
>>>   that the results should not be cached:
>>>   https://marc.info/?l=linux-integrity&m=151275680115856&w=2
>>>   The other one is to basically prevent FUSE results from being cached,
>>>   which is still in progress.
>>>
>>> * Test IMA/LSMs. Details are written in
>>>   https://github.com/kinvolk/fuse-userns-patches/blob/master/tests/TESTING_INTEGRITY.md
>>>
>>> Patches 1-2 deal with an additional flag of lookup_bdev() to check for
>>> additional inode permission.
>>>
>>> Patches 3-7 allow the superblock owner to change ownership of inodes, and
>>> deal with additional capability checks w.r.t. user namespaces.
>>>
>>> Patches 8-10 allow FUSE filesystems to be mounted outside of the init
>>> user namespace.
>>>
>>> Patch 11 handles a corner case of non-root users in EVM.
>>>
>>> The patchset is also available in our github repo:
>>> https://github.com/kinvolk/linux/tree/dongsu/fuse-userns-v5-1
>>>
>>>
>>> Eric W. Biederman (1):
>>>   fs: Allow superblock owner to change ownership of inodes
>>>
>>> Seth Forshee (10):
>>>   block_dev: Support checking inode permissions in lookup_bdev()
>>>   mtd: Check permissions towards mtd block device inode when mounting
>>>   fs: Don't remove suid for CAP_FSETID for userns root
>>>   fs: Allow superblock owner to access do_remount_sb()
>>>   capabilities: Allow privileged user in s_user_ns to set security.* xattrs
>>>   fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems
>>>   fuse: Support fuse filesystems outside of init_user_ns
>>>   fuse: Restrict allow_other to the superblock's namespace or a descendant
>>>   fuse: Allow user namespace mounts
>>>   evm: Don't update hmacs in user ns mounts
>>>
>>>  drivers/md/bcache/super.c           |  2 +-
>>>  drivers/md/dm-table.c               |  2 +-
>>>  drivers/mtd/mtdsuper.c              |  6 +++++-
>>>  fs/attr.c                           | 34 ++++++++++++++++++++++++++--------
>>>  fs/block_dev.c                      | 13 ++++++++++---
>>>  fs/fuse/cuse.c                      |  3 ++-
>>>  fs/fuse/dev.c                       | 11 ++++++++---
>>>  fs/fuse/dir.c                       | 16 ++++++++--------
>>>  fs/fuse/fuse_i.h                    |  6 +++++-
>>>  fs/fuse/inode.c                     | 35 +++++++++++++++++++++-------------
>>>  fs/inode.c                          |  6 ++++--
>>>  fs/ioctl.c                          |  4 ++--
>>>  fs/namespace.c                      |  4 ++--
>>>  fs/proc/base.c                      |  7 +++++++
>>>  fs/proc/generic.c                   |  7 +++++++
>>>  fs/proc/proc_sysctl.c               |  7 +++++++
>>>  fs/quota/quota.c                    |  2 +-
>>>  include/linux/fs.h                  |  2 +-
>>>  kernel/user_namespace.c             |  1 +
>>>  security/commoncap.c                |  8 ++++++--
>>>  security/integrity/evm/evm_crypto.c |  3 ++-
>>>  21 files changed, 127 insertions(+), 52 deletions(-)
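The cover letter's "check the mountpoint from outside the namespace" step reads the mount back from /proc/<pid>/mountinfo, where the sample entry carries nosuid,nodev on the userns-owned FUSE mount. The script below is an added example, not part of this thread or of the patchset: it parses mountinfo lines (locating the " - " separator explicitly, since optional fields such as shared:N can precede it), picks out fuse.* mounts, and reports any whose per-mount options lack nosuid or nodev together with the superblock's user_id/group_id options. The sample lines are constructed; the /mnt/other entry is hypothetical.

```shell
#!/bin/sh
# Constructed sample of /proc/<pid>/mountinfo lines: the second line mirrors the entry
# shown in the cover letter, the third is a hypothetical FUSE mount lacking nosuid/nodev.
SAMPLE_MOUNTINFO='22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
131 102 0:35 / /mnt/userns rw,nosuid,nodev,relatime - fuse.sshfs root@localhost: rw,user_id=0,group_id=0
140 102 0:36 / /mnt/other rw,relatime - fuse.sshfs root@localhost: rw,user_id=1000,group_id=1000'

# Print "<mountpoint> <fstype> <mount options> <superblock options>" for every FUSE
# mount whose per-mount options lack nosuid or nodev. Reads mountinfo from the file
# named in $1, or from stdin when no argument is given.
fuse_mounts_missing_nosuid_nodev() {
    awk '{
        # Optional fields (shared:N, master:N, ...) sit between field 6 and the
        # " - " separator, so the separator has to be located, not assumed.
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep == 0) next
        fstype = $(sep + 1)
        if (fstype !~ /^fuse/) next
        # Superblock options are the last field; user_id/group_id live there.
        sbopts = $NF
        opts = "," $6 ","
        if (opts !~ /,nosuid,/ || opts !~ /,nodev,/)
            print $5, fstype, $6, sbopts
    }' ${1:+"$1"}
}

# Stand-alone run over the constructed sample; on a live system pass
# /proc/<pid>/mountinfo as the argument instead of piping input.
printf '%s\n' "$SAMPLE_MOUNTINFO" | fuse_mounts_missing_nosuid_nodev
```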