Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2243847pxb; Fri, 29 Jan 2021 18:12:41 -0800 (PST) X-Google-Smtp-Source: ABdhPJzwUpfgXrzHKdqI4X6Ytzntrx9Jftz3RSOaKGpu4mREX2EzXnnk2AZLoW/A5eEpLaXvWj0u X-Received: by 2002:a17:906:ae81:: with SMTP id md1mr7025584ejb.222.1611972761477; Fri, 29 Jan 2021 18:12:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611972761; cv=none; d=google.com; s=arc-20160816; b=p55L7jVhoCOlr1mZQbcIBe/c/0ihqCIJaoVVzNO5xfClCive0qyohBkj8fWAT4iLKa fDVbbGycE5Iv2dq+v9g7VmbSDdsVK+ti0Vcw5l6zfmcMpGBKhL1RenL64jlfZ9R/k614 PYXubFVvYZjMl4T3qclC+DMJmslPixvXL6O8s6QQLr/V465A8nCxMds2xn1kaqd9SaYi Y7/Sab9Me7MzHutdCy7tSYEdcSWv2EL+QKDO//zG2c7N4E+6lgbYkXT4y/vRvzvX/gGz NRygtv9PzSObjiFOrdqCyGPSddx4DPLsah88tbFAxFbUd5sLyS4jQC0VFhVCqE3+f9lB 34+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=i703rWkj4iOgPvGuBp/isze01vkWeEGG/VqcswpG/zE=; b=AFE3eFp1SkB/pRbJ9vkEi1hMxoP3BEafTWk2Xw4FXNLSQ5JthorZqp1+1THiur3NL7 OTLl7g/60BFuX0l+Knjfn7VJLj2ALCbmd7s44h+7ngN3licbLIh7pOsvIGYUl+T5pZoD rSwHIavk46GFD4+N2jEDhUhCqCoZytVL/RGbadrwqiPnZs7p69vLFT6EWXzzspffIH+A joBbllHw55QoZqdGwnYI3zQ1S7cC3uORDKJIUhAdWYCPYZ2hRfJfKSmH8zxh+xZYr37a WP1AFWDy6mBcoHvAOa2dG24Jc/CPyxImlfUolq1UAq8zRmDJ1Zg4H3TRC79LtmMkkPMU wvvg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f9si6114114edr.611.2021.01.29.18.12.01; Fri, 29 Jan 2021 18:12:41 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230009AbhA3CJR (ORCPT + 99 others); Fri, 29 Jan 2021 21:09:17 -0500 Received: from mail.hallyn.com ([178.63.66.53]:45774 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233254AbhA3CHQ (ORCPT ); Fri, 29 Jan 2021 21:07:16 -0500 Received: by mail.hallyn.com (Postfix, from userid 1001) id 6ADC26B5; Fri, 29 Jan 2021 20:04:51 -0600 (CST) Date: Fri, 29 Jan 2021 20:04:51 -0600 From: "Serge E. Hallyn" To: "Eric W. Biederman" Cc: "Serge E. Hallyn" , Miklos Szeredi , Miklos Szeredi , linux-fsdevel@vger.kernel.org, overlayfs , LSM , linux-kernel@vger.kernel.org, Christian Brauner Subject: Re: [PATCH 2/2] security.capability: fix conversions on getxattr Message-ID: <20210130020451.GA7163@mail.hallyn.com> References: <20210119162204.2081137-1-mszeredi@redhat.com> <20210119162204.2081137-3-mszeredi@redhat.com> <8735yw8k7a.fsf@x220.int.ebiederm.org> <20210128165852.GA20974@mail.hallyn.com> <20210129153807.GA1130@mail.hallyn.com> <87h7mzs5hi.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87h7mzs5hi.fsf@x220.int.ebiederm.org> User-Agent: Mutt/1.9.4 (2018-02-28) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 29, 2021 at 05:11:53PM -0600, Eric W. Biederman wrote: > "Serge E. Hallyn" writes: > > > On Thu, Jan 28, 2021 at 08:44:26PM +0100, Miklos Szeredi wrote: > >> On Thu, Jan 28, 2021 at 6:09 PM Serge E. Hallyn wrote: > >> > > >> > On Tue, Jan 19, 2021 at 07:34:49PM -0600, Eric W. Biederman wrote: > >> > > Miklos Szeredi writes: > >> > > > >> > > > if (!rootid_owns_currentns(kroot)) { > >> > > > - kfree(tmpbuf); > >> > > > - return -EOPNOTSUPP; > >> > > > + size = -EOVERFLOW; > >> > > >> > Why this change? Christian (cc:d) noticed that this is a user visible change. > >> > Without this change, if you are in a userns which has different rootid, the > >> > EOVERFLOW tells vfs_getxattr to vall back to __vfs_getxattr() and so you can > >> > see the v3 capability with its rootid. > >> > > >> > With this change, you instead just get EOVERFLOW. > >> > >> Why would the user want to see nonsense (in its own userns) rootid and > >> what would it do with it? > > > > They would know that the data is there. > > But an error of -EOVERFLOW still indicates data is there. > You just don't get the data because it can not be represented. Ok - and this happens *after* the check for whether the rootid to maps into the current ns. That sounds reasonable, thanks. > >> Please give an example where an untranslatable rootid would make any > >> sense at all to the user. > > > > I may have accidentally, from init_user_ns, as uid 1000, set an > > fscap with rootid 100001 instead of 100000, and wonder why the > > cap is not working in the container where 100000 is root. > > Getting -EOVERFLOW when attempting to read the cap from inside > the user namespace will immediately tell you what is wrong. The rootid > does not map. > > That is how all the non-mapping situations are handled. Either > -EOVERFLOW or returning INVALID_UID/the unmapped user id aka nobody. > > The existing code is wrong because it returns a completely untranslated > uid, which is completely non-sense. > > An argument could be made for returning a rootid of 0xffffffff aka > INVALID_UID in a v3 cap xattr when the rootid can not be mapped. I > think that is what we do with posix_acls that contain ids that don't > map. My sense is returning -EOVERFLOW inside the container and > returning the v3 cap xattr outside the container will most quickly get > the problem diagnosed, and will be the most likely to not cause > problems. > > If there is a good case for returning a v3 cap with rootid of 0xffffffff > instead of -EOVERFLOW we can do that. Right now I don't see anything > that would be compelling in either direction. > > Eric > > >