Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2606482pxb; Mon, 19 Apr 2021 09:24:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyI9uXKGutot4yDHisYcTWMa58I6Ns9MufARLe5iZN+s4h6uRtEz8TAxb0FaybcL0xZTW7Q X-Received: by 2002:a17:906:4eda:: with SMTP id i26mr22906881ejv.301.1618849489298; Mon, 19 Apr 2021 09:24:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618849489; cv=none; d=google.com; s=arc-20160816; b=QTV9RQCSWL56jVk2LvHu3LRg3GZ/b/DIr6KEnn5TI9wtzFeKEhEwwRnF8TZCgrXFs0 lk4spkeXY7922FZ1/Ypg8DLSVCoBdWhxgvEjBcndZWxoGPBtrHoNkx5Xtrwy4V2FJ/qd CBUMjgcTU4hWQ9OiUjkEbcnepZIm/gfa7cuPvJCefDNXjqqsIHQagVqnOf9D/vQ0baxB mZYHv+GtWhXMjMMDqz8YxPz9mEM4/IOzbmBUZN8Or/7Bfiox2KYZ8yzg85n93ker51GB 2bZTOqMsFOp8lQHNY5mMqXNHBA/JS45EYCUkbjcR4Fa0W+ILYMNFVVl9wB8LABEllXLK uXTg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=epKe2eRQ1RxDvqddWxYdQ2We++rf4wEY7aXKnJq6kvw=; b=VcYBKUJh8+qru7GK4PW1l8HiUHFOIaM5ZEh/HMyfi0SNniRlRc7dfi/fvCalvM5b0C 3UY/DSjXOvBbmYtrEcl45JQOJuLojK0WLjNGQkF6cU9h5t/yI4kaN6VgohgRziMtsMzw YfLgwNs+ryhyrujOODAGQOznVzrnp+kKPQxHZ4CQWAEyYd6pIZmdrrUoB2hrGVqh/nIl UqzC8fmPj61jPh+Di8fspYNjMMcqAHrOEKBxfst2kGGkW/ORZbT1vAm9IIft/0fABXRt uj2l6liw4EZ1dVlPbExMqLQQ0dDYBeAwz+1Z2C1WkxgVjdjo9S5zTczhXgMWRzWL+0dR FcsQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k1si12590100ejj.10.2021.04.19.09.24.25; Mon, 19 Apr 2021 09:24:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242326AbhDSQDv (ORCPT + 99 others); Mon, 19 Apr 2021 12:03:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:38512 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242298AbhDSQCw (ORCPT ); Mon, 19 Apr 2021 12:02:52 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C172761246; Mon, 19 Apr 2021 16:02:17 +0000 (UTC) Date: Mon, 19 Apr 2021 18:02:14 +0200 From: Christian Brauner To: Giuseppe Scrivano Cc: "Eric W. Biederman" , lkml , Linus Torvalds , Kees Cook , "Andrew G. Morgan" , Greg Kroah-Hartman , security@kernel.org, Tycho Andersen , Andy Lutomirski , "Serge E. Hallyn" Subject: Re: [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.2) Message-ID: <20210419160214.fbwloe4n55inwxqn@wittgenstein> References: <20210416045851.GA13811@mail.hallyn.com> <20210416150501.zam55gschpn2w56i@wittgenstein> <20210416213453.GA29094@mail.hallyn.com> <20210417021945.GA687@mail.hallyn.com> <20210417200434.GA17430@mail.hallyn.com> <87mttu9sqg.fsf@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <87mttu9sqg.fsf@redhat.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 19, 2021 at 05:52:39PM +0200, Giuseppe Scrivano wrote: > ebiederm@xmission.com (Eric W. Biederman) writes: > > > Guiseppe can you take a look at this? > > > > This is a second attempt at tightening up the semantics of writing to > > file capabilities from a user namespace. > > > > The first attempt was reverted with 3b0c2d3eaa83 ("Revert 95ebabde382c > > ("capabilities: Don't allow writing ambiguous v3 file capabilities")"), > > which corrected the issue reported in: > > https://github.com/containers/buildah/issues/3071 > > > > There is a report the podman testsuite passes. While different this > > looks in many ways much more strict than the code that was reverted. So > > while I can imagine this change doesn't cause problems as is, I will be > > surprised. > > thanks for pulling me in the discussion. > > I've tested the patch with several cases similar to the issue we had in > the past and the patch seems to work well. > > Podman creates all the user namespaces within the same parent user > namespace. In the parent user namespace all the capabilities are kept > and AFAIK Docker does the same. I'd expect a change in behavior only > for nested user namespaces in containers where CAP_SETFCAP is not > granted, but that is not a common configuration given that CAP_SETFCAP > is added by default. Same for us and we do have extensive nested container workloads with other runtimes running containers too. > > > > "Serge E. Hallyn" writes: > > > >> +/** > >> + * verify_root_map() - check the uid 0 mapping > >> + * @file: idmapping file > >> + * @map_ns: user namespace of the target process > >> + * @new_map: requested idmap > >> + * > >> + * If a process requested a mapping for uid 0 onto uid 0, verify that the > >> + * process writing the map had the CAP_SETFCAP capability as the target process > >> + * will be able to write fscaps that are valid in ancestor user namespaces. > >> + * > >> + * Return: true if the mapping is allowed, false if not. > >> + */ > >> +static bool verify_root_map(const struct file *file, > >> + struct user_namespace *map_ns, > >> + struct uid_gid_map *new_map) > >> +{ > >> + int idx; > >> + const struct user_namespace *file_ns = file->f_cred->user_ns; > >> + struct uid_gid_extent *extent0 = NULL; > >> + > >> + for (idx = 0; idx < new_map->nr_extents; idx++) { > >> + u32 lower_first; > > nit: lower_first seems unused? > > >> + > >> + if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) > >> + extent0 = &new_map->extent[idx]; > >> + else > >> + extent0 = &new_map->forward[idx]; > >> + if (extent0->lower_first == 0) > >> + break; > >> + > >> + extent0 = NULL; > >> + } > > Tested-by: Giuseppe Scrivano Thanks for running the tests and confirming my results! Christian