Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp4498941pxv; Tue, 29 Jun 2021 08:23:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyioSN+nntTPjlenDrV2F8T1GZznrGobasmh6MQx4f+KfUvBL+aoKQeIFYCnBrN9nFHlskl X-Received: by 2002:a17:906:f6d6:: with SMTP id jo22mr5314488ejb.26.1624980204403; Tue, 29 Jun 2021 08:23:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624980204; cv=none; d=google.com; s=arc-20160816; b=B4bJf6tZK6zetzSQlf7IHEZeJv1VvHFLjDxy76WPYgZFEhy+dLXP3Gr0H4oNZ/QfMd 5hzJOfkS2bQuXtX7zZD7h3lRbdFidrxCKbBVh/IsOaiKcbLBzrEtpLcfW5KWf2UEPmD9 JicImWEEt3DHI0DiOsvpLmL8Q2VRAbBkFiHz7yLkiC/M3f/D0s4LFcSkXkIXBOon8RuJ hNCnW+jgiITQmm8MzIvOIAmi60Pr1q1MZF2C4Euym8YchOFKaf6laqS7D3Zytd+NS0Tx hFnkx2Xit++kcsLalYuZuWnvexUwccj30cwYwAuLBy1QIPtSZzyPVpZQi+BQ8maRMWZ2 dhOg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=7Fkq8ISJodPGui8B5jJOFqU9Bg1udkwvRSG9eU74aiM=; b=nA1MkU7xaEOD9NOUMKEZeyLFRBW7XkKNYFQRvkXw51yvOMg8e4cQpn/KwZiakIbIBj A+dnSqoLZQhqM8sywoc2aJTlkl8kmUgdRdLXFnzvaJmZoPfTNqYHL4xFjgWtExIexo/t NKwWvpovRp/2NtEXowXIr55HA22lYqjwT3atdnxbX0F5vA2XuNz2SXQdTiFxOWtF629o YNF+8hXr9TtcQY9toxMqzu10mKiDi+9coc9Wj15aHzKja+HdcC2rsGPW6TrUSicuwCpj 89zJXG8QaXDBiO0bIvW3Zpn2qReeLMUlUsW2OBcIEaxJoFwH5SNm55VNEijiUBPaB3bN PCJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gJjGzjTK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id hv6si12665035ejc.88.2021.06.29.08.23.00; Tue, 29 Jun 2021 08:23:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gJjGzjTK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234754AbhF2PWl (ORCPT + 99 others); Tue, 29 Jun 2021 11:22:41 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:46101 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234741AbhF2PWk (ORCPT ); Tue, 29 Jun 2021 11:22:40 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1624980012; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=7Fkq8ISJodPGui8B5jJOFqU9Bg1udkwvRSG9eU74aiM=; b=gJjGzjTK/xwdSPEG6EC3Urqe+gr47WF02rdd/H1xnZ7fzUKYJjNWM0wasJt+2YHvH0/XJr 0qkf82wpB7vkDiA1RjGfwHX9SMHcOc6bU69JUq+645zT6MfH8asEUoQPB4J3WdBXvsr25/ YYP+B2JUx+OmhqEVsYdJCGVPzplqKUA= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-97-4agmsaUJMm22gB7tekRyFA-1; Tue, 29 Jun 2021 11:20:11 -0400 X-MC-Unique: 4agmsaUJMm22gB7tekRyFA-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B6B1A100CA88; Tue, 29 Jun 2021 15:20:09 +0000 (UTC) Received: from horse.redhat.com (ovpn-116-194.rdu2.redhat.com [10.10.116.194]) by smtp.corp.redhat.com (Postfix) with ESMTP id 71B4D5D6A1; Tue, 29 Jun 2021 15:20:08 +0000 (UTC) Received: by horse.redhat.com (Postfix, from userid 10451) id 0C3BD22054F; Tue, 29 Jun 2021 11:20:08 -0400 (EDT) Date: Tue, 29 Jun 2021 11:20:07 -0400 From: Vivek Goyal To: Casey Schaufler Cc: "Dr. David Alan Gilbert" , dwalsh@redhat.com, "Schaufler, Casey" , "linux-fsdevel@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "viro@zeniv.linux.org.uk" , "virtio-fs@redhat.com" , "berrange@redhat.com" , linux-security-module , "selinux@vger.kernel.org" Subject: Re: [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE Message-ID: <20210629152007.GC5231@redhat.com> References: <20210625191229.1752531-1-vgoyal@redhat.com> <20210628131708.GA1803896@redhat.com> <1b446468-dcf8-9e21-58d3-c032686eeee5@redhat.com> <5d8f033c-eba2-7a8b-f19a-1005bbb615ea@schaufler-ca.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 29, 2021 at 07:38:15AM -0700, Casey Schaufler wrote: [..] > >>>> User xattrs are less protected than security xattrs. You are exposing the > >>>> security xattrs on the guest to the possible whims of a malicious, unprivileged > >>>> actor on the host. All it needs is the right UID. > >>> Yep, we realise that; but when you're mainly interested in making sure > >>> the guest can't attack the host, that's less worrying. > >> That's uncomfortable. > > Why exactly? > > If a mechanism is designed with a known vulnerability you > fail your validation/evaluation efforts. We are working with the constraint that shared directory should not be accessible to unpriviliged users on host. And with that constraint, what you are referring to is not a vulnerability. > Your mechanism is > less general because other potential use cases may not be > as cavalier about the vulnerability. Prefixing xattrs with "user.virtiofsd" is just one of the options. virtiofsd has the capability to prefix "trusted.virtiofsd" as well. We have not chosen that because we don't want to give it CAP_SYS_ADMIN. So other use cases which don't like prefixing "user.virtiofsd", can give CAP_SYS_ADMIN and work with it. > I think that you can > approach this differently, get a solution that does everything > you want, and avoid the known problem. What's the solution? Are you referring to using "trusted.*" instead? But that has its own problem of giving CAP_SYS_ADMIN to virtiofsd. Thanks Vivek