From: "Eric W. Biederman"
To: Linux Containers
Cc: linux-fsdevel@vger.kernel.org, Seth Forshee, "Serge E. Hallyn", Christian Brauner, linux-kernel@vger.kernel.org, "Eric W. Biederman"
Date: Wed, 23 May 2018 18:25:37 -0500
Message-Id: <20180523232538.4880-5-ebiederm@xmission.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <87o9h6554f.fsf@xmission.com>
References: <87o9h6554f.fsf@xmission.com>
Subject: [REVIEW][PATCH 5/6] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
X-Mailing-List: linux-kernel@vger.kernel.org

A privileged user in s_user_ns will generally have the ability to
manipulate the backing store and insert security.* xattrs into the
filesystem directly. Therefore the kernel must be prepared to handle
these xattrs from unprivileged mounts, and it makes little sense for
commoncap to prevent writing these xattrs to the filesystem. The
capability and LSM code have already been updated to appropriately
handle xattrs from unprivileged mounts, so it is safe to loosen this
restriction on setting xattrs.

The exception to this logic is that writing xattrs to a mounted
filesystem may also cause the LSM inode_post_setxattr or
inode_setsecurity callbacks to be invoked. SELinux will deny the xattr
update by virtue of applying mountpoint labeling to unprivileged userns
mounts, and Smack will deny the writes for any user without global
CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe
in this respect as well.

Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
---
 security/commoncap.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 1ce701fcb3f3..f4c33abd9959 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -919,6 +919,8 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + /* Ignore non-security xattrs */ if (strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) @@ -931,7 +933,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, if (strcmp(name, XATTR_NAME_CAPS) == 0) return 0; - if (!capable(CAP_SYS_ADMIN)) + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -949,6 +951,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + /* Ignore non-security xattrs */ if (strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) @@ -964,7 +968,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) return 0; } - if (!capable(CAP_SYS_ADMIN)) + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } -- 2.14.1
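Review bot: The rationale for relaxing capable(CAP_SYS_ADMIN) to ns_capable(user_ns, CAP_SYS_ADMIN) in both cap_inode_setxattr and cap_inode_removexattr exists only in the commit message (the capability and LSM code already handle security.* xattrs from unprivileged mounts; SELinux and Smack still deny the writes); a one-line comment above each check saying that privilege in the superblock's s_user_ns is sufficient because that user can already write the backing store directly would keep the reasoning with the code for the next reader. Minor style point: user_ns is assigned at the top of each function, before the "Ignore non-security xattrs" early return, and is used exactly once, so it could be inlined as ns_capable(dentry->d_sb->s_user_ns, CAP_SYS_ADMIN) or declared next to its use.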