Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2601365pxb; Mon, 19 Apr 2021 09:17:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyowQUCrjZhvRrOuyUbULJE0FEnkaUK93FMU7GPnYXYOKtZN5lPPLS8oeZ8SY/cKhz693Zm X-Received: by 2002:a17:906:2512:: with SMTP id i18mr23318789ejb.86.1618849078712; Mon, 19 Apr 2021 09:17:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618849078; cv=none; d=google.com; s=arc-20160816; b=tIVFfyIl3/fMG9ZyR4R7AuOfAmJqB8Et/+UE8oOS4JsnAeth6ZqkgktGRcjAXY+E5J dJnpCHI02Flr/e9ulfQLbnfYTa686wfUZ93y5MJlwr34H7keOuLce6hTUlW3bQ3XQJCL lSlBlYRnSpFAPJuqhhEvphDJ27kg/e55mKLLI2Ibdu1k8vbGMsHm/ZLRU/ga6qN13fxl LB+rQNC9YwI0TjzEkKkrbkaMFblOE3otCuMSI+U1EgSeh8VMtn9X2r8XGYUbTNFIq5rx 4Amu55OUZ3yW79Asm664hQooxz/DJdnlg94O+uIV4/7Ywkw3P1JCMvqTdU1B7msKlDAM b9HQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:user-agent :references:in-reply-to:subject:cc:to:from:dkim-signature; bh=P+x2ajsN6vA5q7Sqzhq1ODsacFSkptFt6V8siAoACbA=; b=iDE5TLW01/MZOUoK6R5ypZ6SYPyX0FRsgXdkNJupHDqYJ0vPevYXX9gfp45NUXF2I0 guZOgz6NAhyxfWGj00X4/Bw/thjH7FHC6cR1KNwDbVgZjRQdnCtj5RvVK1SCDAAzULvF xKrp5lXvD4XI8o5boYwAVnlcRQdhjkbKsZppx6axn6ljJbBD8WmLoSrDCLCRcN31L3d5 FLqg1k/IQtB8s49jXwRf2hsrtCXKebW78lczTCCG4iLoU7mo+nH+ZpY0QVRq7Pg+qOq+ +Sx+cNUZLnSjbuekUI6TpmfwIiJEzQiW0VS2ir5bBIVmnSH8fWe+ezSpZPRCyXockEha oWiA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=W506B8m2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h23si11677397ejc.171.2021.04.19.09.17.34; Mon, 19 Apr 2021 09:17:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=W506B8m2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240971AbhDSPxV (ORCPT + 99 others); Mon, 19 Apr 2021 11:53:21 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:52197 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240580AbhDSPxU (ORCPT ); Mon, 19 Apr 2021 11:53:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1618847570; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=P+x2ajsN6vA5q7Sqzhq1ODsacFSkptFt6V8siAoACbA=; b=W506B8m2KkcrXYmkY0liSVw/jHs2el2KMJnryyW3wFwtwcBc6KtFMH75X+vk/Jy+Wl0qYj c3aCalUbn3BeGT5PWvnl7ITIbt3+XQBm3UJOwxxRTO7BeSU8c6ceDvunhKGtquTaepkoZ4 DzqN1uGmCCTzWVJBWJyM0qQlqEzHOBY= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-559-JaqfVXWSOdaqqfJOlvL-fQ-1; Mon, 19 Apr 2021 11:52:45 -0400 X-MC-Unique: JaqfVXWSOdaqqfJOlvL-fQ-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B5994107ACCA; Mon, 19 Apr 2021 15:52:42 +0000 (UTC) Received: from localhost (ovpn-113-32.ams2.redhat.com [10.36.113.32]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C7B5C5D9C0; Mon, 19 Apr 2021 15:52:41 +0000 (UTC) From: Giuseppe Scrivano To: ebiederm@xmission.com (Eric W. Biederman) Cc: Christian Brauner , lkml , Linus Torvalds , Kees Cook , "Andrew G. Morgan" , Greg Kroah-Hartman , security@kernel.org, Tycho Andersen , Andy Lutomirski , "Serge E. Hallyn" Subject: Re: [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.2) In-Reply-To: (Eric W. Biederman's message of "Sun, 18 Apr 2021 16:19:16 -0500") References: <20210416045851.GA13811@mail.hallyn.com> <20210416150501.zam55gschpn2w56i@wittgenstein> <20210416213453.GA29094@mail.hallyn.com> <20210417021945.GA687@mail.hallyn.com> <20210417200434.GA17430@mail.hallyn.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) Date: Mon, 19 Apr 2021 17:52:39 +0200 Message-ID: <87mttu9sqg.fsf@redhat.com> MIME-Version: 1.0 Content-Type: text/plain X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ebiederm@xmission.com (Eric W. Biederman) writes: > Guiseppe can you take a look at this? > > This is a second attempt at tightening up the semantics of writing to > file capabilities from a user namespace. > > The first attempt was reverted with 3b0c2d3eaa83 ("Revert 95ebabde382c > ("capabilities: Don't allow writing ambiguous v3 file capabilities")"), > which corrected the issue reported in: > https://github.com/containers/buildah/issues/3071 > > There is a report the podman testsuite passes. While different this > looks in many ways much more strict than the code that was reverted. So > while I can imagine this change doesn't cause problems as is, I will be > surprised. thanks for pulling me in the discussion. I've tested the patch with several cases similar to the issue we had in the past and the patch seems to work well. Podman creates all the user namespaces within the same parent user namespace. In the parent user namespace all the capabilities are kept and AFAIK Docker does the same. I'd expect a change in behavior only for nested user namespaces in containers where CAP_SETFCAP is not granted, but that is not a common configuration given that CAP_SETFCAP is added by default. > "Serge E. Hallyn" writes: > >> +/** >> + * verify_root_map() - check the uid 0 mapping >> + * @file: idmapping file >> + * @map_ns: user namespace of the target process >> + * @new_map: requested idmap >> + * >> + * If a process requested a mapping for uid 0 onto uid 0, verify that the >> + * process writing the map had the CAP_SETFCAP capability as the target process >> + * will be able to write fscaps that are valid in ancestor user namespaces. >> + * >> + * Return: true if the mapping is allowed, false if not. >> + */ >> +static bool verify_root_map(const struct file *file, >> + struct user_namespace *map_ns, >> + struct uid_gid_map *new_map) >> +{ >> + int idx; >> + const struct user_namespace *file_ns = file->f_cred->user_ns; >> + struct uid_gid_extent *extent0 = NULL; >> + >> + for (idx = 0; idx < new_map->nr_extents; idx++) { >> + u32 lower_first; nit: lower_first seems unused? >> + >> + if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) >> + extent0 = &new_map->extent[idx]; >> + else >> + extent0 = &new_map->forward[idx]; >> + if (extent0->lower_first == 0) >> + break; >> + >> + extent0 = NULL; >> + } Tested-by: Giuseppe Scrivano Regards, Giuseppe