Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp2914722pxb; Mon, 6 Sep 2021 08:07:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxU7uWZ8Mwk5CqdDkc+OF5X8jXT+/faO9reqmFOtOire4PQ9gtrkTpNmIqITt8Wkre6YONX X-Received: by 2002:adf:c510:: with SMTP id q16mr14013259wrf.203.1630940869907; Mon, 06 Sep 2021 08:07:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630940869; cv=none; d=google.com; s=arc-20160816; b=rYMtqKtaqQixt6QCnS2/Ql3ECfiYB3xA4CDfBg1ke73cyeSOZ/K7GreQXIsXpbCwP/ 1K/TwqRMp2kA72akhY/l8fUvHrw2cY4igsvL+j2go+9rho5zJqtV0Bc+5W1ScC5iJPi6 +GuZfu7KAD/fVeJ6r5PVvgma7+eOzjI+8py3+Gfdr8bh0HT2r2wjPhuswze3KLxcR7aZ Og3MdsN6CjBUMs+i/XVEdXt4JqBKH+68jpJOTa7AgExAdd1DmSeqA6sVmro/REBojQWb Ef52hFbNKPbUZh9IuOo/bC4lAbI8pIQu0vD+DgFpLoctEOlszt1AMRvo7Q1jV07CKJC/ 2Iuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=LuJQ3d86zOdSndkgpNKh8Y22Hrim56ARoO6+9G+J+AQ=; b=obajdDBDkqETLCZYaATJ3uLvf5uwcG6aKlc45UxjpctyL1oCvnznvnvRWpo/BbIdid hhoIiF8uXYPCDdicruTdcMOoSYWpsZ1NXm4WrrI5yc2VAgepJCO7WSgrxIv6PP89DH5g 3QJorhimjbY+eQVf41o6r+LBABdVh5JSA0PpewdChKB51HA/N2cErm+0u3QesvTT6pwJ yaGn5iv1URmTYUXbE1rDdj1FTO+cGXD85QvZchWgHGrgs6pmkL+P2HpIY0synlACz9w+ RqA28lFkNVEQS5WSRA08tG/xBNbAcQzqiNOylQ10N0tnKIXLImLnEtP5QZEBe8CpSEuL ce7g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=MgG8y6zF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i10si2426957edv.459.2021.09.06.08.07.25; Mon, 06 Sep 2021 08:07:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=MgG8y6zF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243586AbhIFO4j (ORCPT + 99 others); Mon, 6 Sep 2021 10:56:39 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:35866 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243594AbhIFO4i (ORCPT ); Mon, 6 Sep 2021 10:56:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1630940133; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=LuJQ3d86zOdSndkgpNKh8Y22Hrim56ARoO6+9G+J+AQ=; b=MgG8y6zFwCDaMQwcj+PNVJcgsl9uW5tnqXVzmeQuFqviRGaQ1BV11tLruvfjAr/6TE/ZbX xhm4aNPSVr92kcUoHWDH2Sbg5XbjJVr7V856Ht5234GlDDXG6Pxz5zPVvvNqEdV/7PAfEn b1bIe0o0wd4dBda4/pM41K07fLHudhw= Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-588-DvUAzUd4NhGWZd0ItWbbSA-1; Mon, 06 Sep 2021 10:55:32 -0400 X-MC-Unique: DvUAzUd4NhGWZd0ItWbbSA-1 Received: by mail-wm1-f69.google.com with SMTP id w25-20020a1cf6190000b0290252505ddd56so2422902wmc.3 for ; Mon, 06 Sep 2021 07:55:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=LuJQ3d86zOdSndkgpNKh8Y22Hrim56ARoO6+9G+J+AQ=; b=eH3NRoJwWaniptMNNIhRqmIqhDUMaKS+BGrFSdTdP7oNml1fLzCjbwqr8ZnRloL1vB KrRojD+6zAPU1UX31Rw7FTOUZq0AX3j8884urQDeBUqXfxexXMHIvTDQR2i+9j5saobz ll2rTppnVVqyE1IYrZvj4yrZDmBAL+77gcCPl5vPRAeU4VdPfgHovGY4A7WeMbE0SO7e ahazDsudHlU1sS6Zfq07IT339p1bp7WZqmz4zU5xvg6Nc8UMEupVUVgtZRReC4ajIPxi NOHoAD7vmnW8n1UXMa6lotbf9NTiy4SFwEf9zO1F0h3lgu28PydoGIbvY6G8aMV/pcgK 3vtQ== X-Gm-Message-State: AOAM530sTJaLPQa6eL8XSchc7wKggdwYMTLJ3LkEkFgZ+TRTsBjPyLci gd5Td0CAqGEQbDhssgQ89u3+YFQUc+j/Q9UHuMVQ6CRnYoF7pav61bn3nbaHY4xWYfOEyL+/QgK ambzC5pnCX0xbfroFQ9/ske7y X-Received: by 2002:a7b:c1cf:: with SMTP id a15mr12111945wmj.85.1630940131321; Mon, 06 Sep 2021 07:55:31 -0700 (PDT) X-Received: by 2002:a7b:c1cf:: with SMTP id a15mr12111916wmj.85.1630940131068; Mon, 06 Sep 2021 07:55:31 -0700 (PDT) Received: from work-vm (cpc109021-salf6-2-0-cust453.10-2.cable.virginm.net. [82.29.237.198]) by smtp.gmail.com with ESMTPSA id o5sm8023611wrw.17.2021.09.06.07.55.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Sep 2021 07:55:30 -0700 (PDT) Date: Mon, 6 Sep 2021 15:55:28 +0100 From: "Dr. David Alan Gilbert" To: Casey Schaufler Cc: Vivek Goyal , viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, virtio-fs@redhat.com, dwalsh@redhat.com, christian.brauner@ubuntu.com, casey.schaufler@intel.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, tytso@mit.edu, miklos@szeredi.hu, gscrivan@redhat.com, bfields@redhat.com, stephen.smalley.work@gmail.com, agruenba@redhat.com, david@fromorbit.com Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr Message-ID: References: <20210902152228.665959-1-vgoyal@redhat.com> <79dcd300-a441-cdba-e523-324733f892ca@schaufler-ca.com> <3bca47d0-747d-dd49-a03f-e0fa98eaa2f7@schaufler-ca.com> <1f33e6ef-e896-09ef-43b1-6c5fac40ba5f@schaufler-ca.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1f33e6ef-e896-09ef-43b1-6c5fac40ba5f@schaufler-ca.com> User-Agent: Mutt/2.0.7 (2021-05-04) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Casey Schaufler (casey@schaufler-ca.com) wrote: > On 9/2/2021 1:06 PM, Vivek Goyal wrote: > > If LSMs are not configured, > > then hiding the directory is the solution. > > It's not a solution at all. It's wishful thinking that > some admin is going to do absolutely everything right, will > never make a mistake and will never, ever, read the mount(2) > man page. That is why we run our virtiofsd with a sandbox setup and seccomp; and frankly anything we can or could turn on we would. > > So why that's not a solution and only relying on CAP_SYS_ADMIN is the > > solution. I don't understand that part. > > It comes back to your design, which is fundamentally flawed. You > can't store system security information in an attribute that can > be manipulated by untrusted entities. That's why we have system.* > xattrs. You want to have an attribute on the host that maps to a > security attribute on the guest. The host has to protect the attribute > on the guest with mechanisms of comparable strength as the guest's > mechanisms. Can you just explain this line to me a bit more: > Otherwise you can't trust the guest with host data. Note we're not trying to trust the guest with the host data here; we're trying to allow the guest to store the data on the host, while trusting the host. > > It's a real shame that CAP_SYS_ADMIN is so scary. The capability > mechanism as implemented today won't scale to the hundreds of individual > capabilities it would need to break CAP_SYS_ADMIN up. Maybe someday. > I'm not convinced that there isn't a way to accomplish what you're > trying to do without privilege, but this isn't it, and I don't know > what is. Sorry. > > > Also if directory is not hidden, unprivileged users can change file > > data and other metadata. > > I assumed that you've taken that into account. Are you saying that > isn't going to be done correctly either? > > > Why that's not a concern and why there is > > so much of focus only security xattr. > > As with an NFS mount, the assumption is that UID 567 (or its magically > mapped equivalent) has the same access rights on both the server/host > and client/guest. I'm not worried about the mode bits because they are > presented consistently on both machines. If, on the other hand, an > attribute used to determine access is security.esprit on the guest and > user.security.esprit on the host, the unprivileged user on the host > can defeat the privilege requirements on the guest. That's why. We're OK with that; remember that the host can do wth it likes to the guest anyway - it can just go in and poke at the guests RAM if it wants to do something evil to the guest. We wouldn't suggest using a scheme like this once you have encrypted/protected guest RAM for example (SEV/TDX etc) > > If you were to block modification > > of file then you will have rely on LSMs. > > No. We're talking about the semantics of the xattr namespaces. > LSMs can further constrain access to xattrs, but the basic rules > of access to the user.* and security.* attributes are different > in any case. This is by design. I'm happy if you can suggest somewhere else to store the guests xattr data other than in one of the hosts xattr's - the challenge is doing that in a non-racy way, and making sure that the xattr's never get associated with the wrong file as seen by a guest. > > And if LSMs are not configured, > > then we will rely on shared directory not being visible. > > LSMs are not the problem. LSMs use security.* xattrs, which is why > they come up in the discussion. > > > Can you please help me understand why hiding shared directory from > > unprivileged users is not a solution > > Maybe you can describe the mechanism you use to "hide" a shared directory > on the host. If the filesystem is mounted on the host it seems unlikely > that you can provide a convincing argument for sufficient protection. Why? What can a guests fs mounted on the host, under one of the directories that's already typically used for container fs's do - it's already what fileservers, and existing container systems do. Dave > > (With both LSMs configured or > > not configured on host). That's a requirement for virtiofs anyway. > > And if we agree on that, then I don't see why using "user.*" xattrs > > for storing guest sercurity attributes is a problem. > > > > Thanks > > Vivek > > > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK