Date: Thu, 24 May 2018 17:57:37 +0200
From: Christian Brauner
To: "Eric W. Biederman"
Cc: Linux Containers, linux-fsdevel@vger.kernel.org, Seth Forshee, "Serge E. Hallyn", linux-kernel@vger.kernel.org
Subject: Re: [REVIEW][PATCH 5/6] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
Message-ID: <20180524155737.GA19932@mailbox.org>
References: <87o9h6554f.fsf@xmission.com> <20180523232538.4880-5-ebiederm@xmission.com>
In-Reply-To: <20180523232538.4880-5-ebiederm@xmission.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 23, 2018 at 06:25:37PM -0500, Eric W. Biederman wrote:
> A privileged user in s_user_ns will generally have the ability to
> manipulate the backing store and insert security.* xattrs into
> the filesystem directly. Therefore the kernel must be prepared to
> handle these xattrs from unprivileged mounts, and it makes little
> sense for commoncap to prevent writing these xattrs to the
> filesystem. The capability and LSM code have already been updated
> to appropriately handle xattrs from unprivileged mounts, so it
> is safe to loosen this restriction on setting xattrs.
>
> The exception to this logic is that writing xattrs to a mounted
> filesystem may also cause the LSM inode_post_setxattr or
> inode_setsecurity callbacks to be invoked. SELinux will deny the
> xattr update by virtue of applying mountpoint labeling to
> unprivileged userns mounts, and Smack will deny the writes for
> any user without global CAP_MAC_ADMIN, so loosening the
> capability check in commoncap is safe in this respect as well.

Acked-by: Christian Brauner

>
> Signed-off-by: Seth Forshee
> Acked-by: Serge Hallyn

Note, I just talked to Serge. This should be Acked-by: Serge Hallyn

> Signed-off-by: Eric W. Biederman
> ---
> security/commoncap.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
> > diff --git a/security/commoncap.c b/security/commoncap.c > index 1ce701fcb3f3..f4c33abd9959 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -919,6 +919,8 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) > int cap_inode_setxattr(struct dentry *dentry, const char *name, > const void *value, size_t size, int flags) > { > + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; > + > /* Ignore non-security xattrs */ > if (strncmp(name, XATTR_SECURITY_PREFIX, > sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) > @@ -931,7 +933,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, > if (strcmp(name, XATTR_NAME_CAPS) == 0) > return 0; > > - if (!capable(CAP_SYS_ADMIN)) > + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) > return -EPERM; > return 0; > } > @@ -949,6 +951,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, > */ > int cap_inode_removexattr(struct dentry *dentry, const char *name) > { > + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; > + > /* Ignore non-security xattrs */ > if (strncmp(name, XATTR_SECURITY_PREFIX, > sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) > @@ -964,7 +968,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) > return 0; > } > > - if (!capable(CAP_SYS_ADMIN)) > + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) > return -EPERM; > return 0; > } > -- > 2.14.1 >
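Review bot: in the cap_inode_setxattr hunks (@@ -919 and @@ -931), the switch from capable(CAP_SYS_ADMIN) to ns_capable(user_ns, CAP_SYS_ADMIN) means any process with CAP_SYS_ADMIN in the superblock's s_user_ns can now write every security.* xattr except security.capability (which the XATTR_NAME_CAPS early return already hands to the fs-caps code), and nothing at this call site says why that is acceptable; the reasoning lives only in the commit message (LSM inode_post_setxattr / inode_setsecurity hooks, SELinux mountpoint labeling, Smack's global CAP_MAC_ADMIN). A short comment above the ns_capable() check, e.g. `/* s_user_ns-privileged writers can reach the backing store anyway; LSM hooks remain the backstop */`, would keep that dependency visible to whoever next touches this function or audits a kernel built without those LSMs.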
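Review bot: the cap_inode_removexattr hunks (@@ -949 and @@ -964) mirror the setxattr change, which keeps set and remove symmetric, but the commit message only argues the write side (inode_post_setxattr / inode_setsecurity); it does not state what, if anything, stops a user privileged only in s_user_ns from removing security.* labels on a SELinux or Smack mount. Either extend the message to cover the removal path or add the same one-line comment above the ns_capable() check in cap_inode_removexattr so the two call sites document the same assumption.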