Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp1893371pxb; Sun, 18 Apr 2021 10:22:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy58gi8Gme5DmK6kJg0/HJFWXun4elMeRhGIN4fXdcRBIwPlYSaNP2mV06I6wZ7mCxTBCae X-Received: by 2002:a17:907:e88:: with SMTP id ho8mr18079839ejc.473.1618766566409; Sun, 18 Apr 2021 10:22:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618766566; cv=none; d=google.com; s=arc-20160816; b=GMB9BUZpPoLI1TEcFDSMRpA7ieJ2ocO2rY+DhGu0lu5spq7n1m3q9D80lKj2AdFkw0 BWlJ8JQCanSoLc07w9+PJHrNhP9L7qOfZs5dFC6bMUdK/mu+lmGtZOxTE71Vir6Lktk8 iLumiwGaVrxe8PYd4LTd0vz0hGtTC3g51SF+XLgmpVZgHw/S4fue0BePFpT920OuNCPa 16S6bP1WP94WLgNLl35l7yxXeo1l1aS0FNn1wj+wVcCz7Vx/shiJd+k2Mx2Z1q2c5OOS 9RFzDHIu1mDCUMmyKO8MzthEho/H3wH5FRh3TAS1AIC5xZ0aCscRmyr+KfXO4D0eJhJg QoKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=c3A3RJTg6KbrdEPdT13VqYzz5nVgV0V0mVfE9OTYwyc=; b=x9cNHX+qDbNIUCLH4a5+KCXrF9CEx6Mc5fp5jB+XtYY3W7YYP/v5E6LRSnaW6M+hgH /3hXMqH+j9V+8HhpVSNm5YmtP2R5UNaoCaRzO5kOmGB/46W3Y7NvfA9mz+WWc95yskC3 IATsJmGtduSspwy30612me7zHmu08NiwlScdr418l3872ulATWzRQmSLu54wTp0MiOqm NMpQBpfeadAl/pIGmZ+csuGrDIp14a+O30zWQZTEy/ausn7dmX0McvpyPo8VHSK+uCQo ioNdoxjAWCUUNR/rXW6w9iMUToOppAjZPXuIYcj3b+HvHEoSUEl7YGfzIIiDos5RkUA5 EalA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g22si9686450edp.459.2021.04.18.10.22.23; Sun, 18 Apr 2021 10:22:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230038AbhDRRWC (ORCPT + 99 others); Sun, 18 Apr 2021 13:22:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:57604 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229783AbhDRRVx (ORCPT ); Sun, 18 Apr 2021 13:21:53 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AE01861001; Sun, 18 Apr 2021 17:21:22 +0000 (UTC) Date: Sun, 18 Apr 2021 19:21:17 +0200 From: Christian Brauner To: "Serge E. Hallyn" Cc: lkml , Linus Torvalds , Kees Cook , "Andrew G. Morgan" , "Eric W. Biederman" , Greg Kroah-Hartman , security@kernel.org, Tycho Andersen , Andy Lutomirski Subject: Re: [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.2) Message-ID: <20210418172117.mjjaahgnd2hoxhf5@wittgenstein> References: <20210416045851.GA13811@mail.hallyn.com> <20210416150501.zam55gschpn2w56i@wittgenstein> <20210416213453.GA29094@mail.hallyn.com> <20210417021945.GA687@mail.hallyn.com> <20210417200434.GA17430@mail.hallyn.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20210417200434.GA17430@mail.hallyn.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Apr 17, 2021 at 03:04:34PM -0500, Serge Hallyn wrote: > A process running as uid 0 but without cap_setfcap currently can simply > unshare a new user namespace with uid 0 mapped to 0. While this task > will not have new capabilities against the parent namespace, there is > a loophole due to the way namespaced file capabilities work. File > capabilities valid in userns 1 are distinguised from file capabilities > valid in userns 2 by the kuid which underlies uid 0. Therefore > the restricted root process can unshare a new self-mapping namespace, > add a namespaced file capability onto a file, then use that file > capability in the parent namespace. > > To prevent that, do not allow mapping uid 0 if the process which > opened the uid_map file does not have CAP_SETFCAP, which is the capability > for setting file capabilities. > > A further wrinkle: a task can unshare its user namespace, then > open its uid_map file itself, and map (only) its own uid. In this > case we do not have the credential from before unshare, which was > potentially more restricted. So, when creating a user namespace, we > record whether the creator had CAP_SETFCAP. Then we can use that > during map_write(). > > With this patch: > > 1. unprivileged user can still unshare -Ur > > ubuntu@caps:~$ unshare -Ur > root@caps:~# logout > > 2. root user can still unshare -Ur > > ubuntu@caps:~$ sudo bash > root@caps:/home/ubuntu# unshare -Ur > root@caps:/home/ubuntu# logout > > 3. root user without CAP_SETFCAP cannot unshare -Ur: > > root@caps:/home/ubuntu# /sbin/capsh --drop=cap_setfcap -- > root@caps:/home/ubuntu# /sbin/setcap cap_setfcap=p /sbin/setcap > unable to set CAP_SETFCAP effective capability: Operation not permitted > root@caps:/home/ubuntu# unshare -Ur > unshare: write failed /proc/self/uid_map: Operation not permitted > > Signed-off-by: Serge Hallyn > > Changelog: > * fix logic in the case of writing to another task's uid_map > * rename 'ns' to 'map_ns', and make a file_ns local variable > * use /* comments */ > * update the CAP_SETFCAP comment in capability.h > * rename parent_unpriv to parent_can_setfcap (and reverse the > logic) > * remove printks > * clarify (i hope) the code comments > * update capability.h comment > * renamed parent_can_setfcap to parent_could_setfcap > * made the check its own disallowed_0_mapping() fn > * moved the check into new_idmap_permitted > * rename disallowed_0_mapping to verify_root_mapping > * change verify_root_mapping to Christian's suggested flow > --- Thank you. This looks good. I tested this with: - fstests - LXD testsuite - Podman testsuite - libcap testsuite Tested-by: Christian Brauner Reviewed-by: Christian Brauner