Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp3359481pxb; Tue, 20 Apr 2021 06:42:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw5NfPyn1hT9COdZKVUMPrFrv45ksLQlwsryvL6VIwcHGncxf9fyBoYAjsvjV0b7Hywrfvo X-Received: by 2002:aa7:c7da:: with SMTP id o26mr32358006eds.244.1618926129997; Tue, 20 Apr 2021 06:42:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618926129; cv=none; d=google.com; s=arc-20160816; b=HC8MBiRhAL/gWtIQJz2plPotKLr/lVm7bC6SLziTbiWhPZBqTafvI8v39eiaxAL3Qq k+DxENcc95DXYU8FTGCOKHPUVRc8cP6Nv20gyfog6CQOfQNAUJ0VK84OhXn2rpMEqFrs TfEjGUhEjV6WxT4U17v8GzxugLQDggTPKTViPQP/06wOX/8kEHMjavKMmbhQN8wTccqE UmKkagAZWCmLNY/g9YZAayBBNpApzudrv4SYlZCqZL3JlubPWLHKQEFQl7h+bJwTZN9c rp7VjVxK9JtsLolegBUMa3jhD4zdkkhmAPwNRyi2z9m3Y5jPzbVT4JCC4SSK79E3YSs3 +jdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=tHePcLRUd5ZofuYVlW53bqBwpbO952VGo1/n+X1UFCk=; b=d4g+TVBG5hSHjU+msIK7sS9aet0MFlI/I+hrSHVJRbiFX0r3wgKpqXTPwpuqHZ7Bah h98GSTMm5IDHVH0ZmhXNJz4RHJr+Dt90JibczLy/ZgtJtCVrGjL5RGEkO2wt7EkuZhAR i9j+EqsYqR9ZqHLKYwhIl1iwy6tWZjDM2YeYm4CE7u37YHX/NrmkTOaTXOgZFyouV2ry 5QuQqq1YplXJLPZta5IuxzP3o76oWhep8SrigGUIfKMm3R6UvahCmY+z52dfyvdi4WwE d/BVhvNDEJmqShcDkhd5iuS5Mgyl5QWfKf4rhJM6PIszvf4DdHaVLD455SC1d4b+iSsv 7cLg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g1si14918030ejw.615.2021.04.20.06.41.45; Tue, 20 Apr 2021 06:42:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232364AbhDTNlV (ORCPT + 99 others); Tue, 20 Apr 2021 09:41:21 -0400 Received: from mail.hallyn.com ([178.63.66.53]:40168 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230408AbhDTNlU (ORCPT ); Tue, 20 Apr 2021 09:41:20 -0400 Received: by mail.hallyn.com (Postfix, from userid 1001) id 46FDE471; Tue, 20 Apr 2021 08:40:47 -0500 (CDT) Date: Tue, 20 Apr 2021 08:40:47 -0500 From: "Serge E. Hallyn" To: Giuseppe Scrivano Cc: "Eric W. Biederman" , Christian Brauner , lkml , Linus Torvalds , Kees Cook , "Andrew G. Morgan" , Greg Kroah-Hartman , security@kernel.org, Tycho Andersen , Andy Lutomirski , "Serge E. Hallyn" Subject: Re: [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.2) Message-ID: <20210420134047.GA11346@mail.hallyn.com> References: <20210416045851.GA13811@mail.hallyn.com> <20210416150501.zam55gschpn2w56i@wittgenstein> <20210416213453.GA29094@mail.hallyn.com> <20210417021945.GA687@mail.hallyn.com> <20210417200434.GA17430@mail.hallyn.com> <87mttu9sqg.fsf@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87mttu9sqg.fsf@redhat.com> User-Agent: Mutt/1.9.4 (2018-02-28) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 19, 2021 at 05:52:39PM +0200, Giuseppe Scrivano wrote: > ebiederm@xmission.com (Eric W. Biederman) writes: > > > Guiseppe can you take a look at this? > > > > This is a second attempt at tightening up the semantics of writing to > > file capabilities from a user namespace. > > > > The first attempt was reverted with 3b0c2d3eaa83 ("Revert 95ebabde382c > > ("capabilities: Don't allow writing ambiguous v3 file capabilities")"), > > which corrected the issue reported in: > > https://github.com/containers/buildah/issues/3071 > > > > There is a report the podman testsuite passes. While different this > > looks in many ways much more strict than the code that was reverted. So > > while I can imagine this change doesn't cause problems as is, I will be > > surprised. > > thanks for pulling me in the discussion. > > I've tested the patch with several cases similar to the issue we had in > the past and the patch seems to work well. > > Podman creates all the user namespaces within the same parent user > namespace. In the parent user namespace all the capabilities are kept > and AFAIK Docker does the same. I'd expect a change in behavior only > for nested user namespaces in containers where CAP_SETFCAP is not > granted, but that is not a common configuration given that CAP_SETFCAP > is added by default. > > > > "Serge E. Hallyn" writes: > > > >> +/** > >> + * verify_root_map() - check the uid 0 mapping > >> + * @file: idmapping file > >> + * @map_ns: user namespace of the target process > >> + * @new_map: requested idmap > >> + * > >> + * If a process requested a mapping for uid 0 onto uid 0, verify that the > >> + * process writing the map had the CAP_SETFCAP capability as the target process > >> + * will be able to write fscaps that are valid in ancestor user namespaces. > >> + * > >> + * Return: true if the mapping is allowed, false if not. > >> + */ > >> +static bool verify_root_map(const struct file *file, > >> + struct user_namespace *map_ns, > >> + struct uid_gid_map *new_map) > >> +{ > >> + int idx; > >> + const struct user_namespace *file_ns = file->f_cred->user_ns; > >> + struct uid_gid_extent *extent0 = NULL; > >> + > >> + for (idx = 0; idx < new_map->nr_extents; idx++) { > >> + u32 lower_first; > > nit: lower_first seems unused? Drat - I noticed that Sunday or Monday and forgot to remove it, thanks. > >> + > >> + if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) > >> + extent0 = &new_map->extent[idx]; > >> + else > >> + extent0 = &new_map->forward[idx]; > >> + if (extent0->lower_first == 0) > >> + break; > >> + > >> + extent0 = NULL; > >> + } > > Tested-by: Giuseppe Scrivano Awesome - thanks for testing.