Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1059856ybh; Thu, 16 Jul 2020 01:54:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzQK7MDWbsf0HP1CslbN5FDwYkSgxEJ0KJTPlu4B2AUne3d9arUdbOSlDcQ/CIr+eR0w/40 X-Received: by 2002:a17:906:b353:: with SMTP id cd19mr2777536ejb.395.1594889696634; Thu, 16 Jul 2020 01:54:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594889696; cv=none; d=google.com; s=arc-20160816; b=ihZ8z+zxokS01gw3wDA7RfK7z3rUF4XPudY4XGW+erzp2p0w5xavwpaPkqspFB1iUy IyxwFf7MPSna3KbK0IxlIimOVt5X6bz/sow+dQkjHhuT0E28MzqSM9k3CoSk+Sy2YK6U G9M5ZM7kZjKtfflkOq7wmkTD4k6PS+L38Gc+xsIC1BCKTz7VOP8kJsuFuz8WzdQPSxK4 Epiefq1dmEUuHvoYgzRin021M7BIcpZdItdTdz5h1t8xoZeWWJkwU4BTDt/NaM3iZBee G2cHRLsZssR99KDK3W0QhhJWYiImjsOd9Toqxi8b1kKb0g3RD2p0cBN976A8d19J+8cN bNbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=wyvEom0QmDj3GY5GfRrQZcTfD9Wu5TuT9OYjKdkpk6k=; b=nGB/pVSUTATBQKl2RpSJ3eNlZbw/doht821I8M1Xdg/YQsjaRX/WFF0Uxciu59CvPf PIo1ixlnKrhs32QLDhV4VpftR5bPiW93ddzBdQbLDiB524+nk6VD1Wq872lxbWwSMMvh +umduigP5q/xtuke1Eng1O+O73edsBVR2nSY1phxVpJkIKDVYCh2r9swIiQwmYMboRsq +6I1juP1SzXs7gPTpzOZkz/cFMXGaGz/wpyxTAiLAajuj/T3gq78OtMvYvDAPcZd+go7 axvypjpZQCVum39exkM+Se4tIREhGQt+Pk7x/gtFG9FYlmuotSOwLH3BIJezdIAhPy53 h1pw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l4si3066479edi.316.2020.07.16.01.54.34; Thu, 16 Jul 2020 01:54:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728244AbgGPIwD (ORCPT + 99 others); Thu, 16 Jul 2020 04:52:03 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:49435 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725867AbgGPIwC (ORCPT ); Thu, 16 Jul 2020 04:52:02 -0400 Received: from ip5f5af08c.dynamic.kabel-deutschland.de ([95.90.240.140] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jvzcE-0002BZ-15; Thu, 16 Jul 2020 08:51:42 +0000 Date: Thu, 16 Jul 2020 10:51:41 +0200 From: Christian Brauner To: Adrian Reber Cc: Eric Biederman , Pavel Emelyanov , Oleg Nesterov , Dmitry Safonov <0x7f454c46@gmail.com>, Andrei Vagin , Nicolas Viennot , =?utf-8?B?TWljaGHFgiBDxYJhcGnFhHNraQ==?= , Kamil Yurtsever , Dirk Petersen , Christine Flood , Casey Schaufler , Mike Rapoport , Radostin Stoyanov , Cyrill Gorcunov , Serge Hallyn , Stephen Smalley , Sargun Dhillon , Arnd Bergmann , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, Eric Paris , Jann Horn , linux-fsdevel@vger.kernel.org Subject: Re: [PATCH v5 4/6] proc: allow access in init userns for map_files with CAP_CHECKPOINT_RESTORE Message-ID: <20200716085141.nr4wyeh62ahjwupd@wittgenstein> References: <20200715144954.1387760-1-areber@redhat.com> <20200715144954.1387760-5-areber@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20200715144954.1387760-5-areber@redhat.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 15, 2020 at 04:49:52PM +0200, Adrian Reber wrote: > Opening files in /proc/pid/map_files when the current user is > CAP_CHECKPOINT_RESTORE capable in the root namespace is useful for > checkpointing and restoring to recover files that are unreachable via > the file system such as deleted files, or memfd files. > > Signed-off-by: Adrian Reber > Signed-off-by: Nicolas Viennot > --- > fs/proc/base.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 65893686d1f1..cada783f229e 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2194,16 +2194,16 @@ struct map_files_info { > }; > > /* > - * Only allow CAP_SYS_ADMIN to follow the links, due to concerns about how the > - * symlinks may be used to bypass permissions on ancestor directories in the > - * path to the file in question. > + * Only allow CAP_SYS_ADMIN and CAP_CHECKPOINT_RESTORE to follow the links, due > + * to concerns about how the symlinks may be used to bypass permissions on > + * ancestor directories in the path to the file in question. > */ > static const char * > proc_map_files_get_link(struct dentry *dentry, > struct inode *inode, > struct delayed_call *done) > { > - if (!capable(CAP_SYS_ADMIN)) > + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_CHECKPOINT_RESTORE)) So right now, when I'd do git grep checkpoint_restore_ns_capable I'd not hit that codepath which isn't great. So I'd suggest to use: if (!checkpoint_restore_ns_capable(&init_user_ns)) at the end of the day, capable() just calls ns_capable(&init_user_ns, ) anyway. Thanks! Christian