Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp731780pxb; Tue, 14 Sep 2021 07:35:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx5HcT4bIMcH+Yb0BnhOkGAQZ1/6wU+ZMmmMn4K8J31qn3WcLWS9nIoWm52T7GTTpmic1Bx X-Received: by 2002:a17:906:3693:: with SMTP id a19mr19523473ejc.237.1631630123205; Tue, 14 Sep 2021 07:35:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631630123; cv=none; d=google.com; s=arc-20160816; b=zqPukMJ61QTFHdFl7SvufRIPZteS+uCOrT2SqUJbT/8osow04ayI42zvf34RExRKB2 /4HYFEXTkEMXM6ZkVD20expZWL0QBDqnBB4phqt0UN292tfN9P+a5My86eVVIM33UsUm GIPPXk8d2krQ4GuVDh72t+CqzDDA0gW+bRSTZrUB4VJgy4CpeG0Kjm3GbKe9LdnK2m56 8OeIZPQvssLPHJuS9f8f9q89sgJ9hAM+KZEzzh99I+ViJ8amNmxRP1Wphwe29YaCzqSx yCgYc83124THHuOognjUoGQufid6Yl1baT29YMTlziDj9zIbrJv+bbDj0pqy1BW91eKq omQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=kfXYUmJTGW/jK+1WjU3DFfoUA/V3RTprHGsP9ym3psc=; b=VVHfXAhQqYKFK4LzGMsuuorTFtSSMSrtq+J6R0xhTgPANso6Md0QUhWDXx1iWy/32g sV2XVKROtdXBBL7wTuydGAYSzHeee8HUhqQvkWyf5iGU5HhzgxaNr5vJhhZe/KDGXQTP ZOUHH+ySe1p3tgPH6Mvdj+VlN4IF5OlvumbGaO9QNX3aPwhWLkmI7cct1Lo6WPnH+PTg LPHu46QvD7TMXIfukqKbVulfj+lpHWxkdTiWc8Ttttc3ccZELxWGE+hwxHCeH5StmdfD X0T0bhEZCSE5k+rdEA89wLjOYvreYmzBrrF52pLVy9axRZQVeGAeauJsmlu7315HAiU/ BkWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gpY3bJC2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id di4si12870404ejc.95.2021.09.14.07.34.59; Tue, 14 Sep 2021 07:35:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gpY3bJC2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233777AbhINOdi (ORCPT + 99 others); Tue, 14 Sep 2021 10:33:38 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:28296 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233789AbhINOdf (ORCPT ); Tue, 14 Sep 2021 10:33:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1631629937; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=kfXYUmJTGW/jK+1WjU3DFfoUA/V3RTprHGsP9ym3psc=; b=gpY3bJC28Gl43L09hhG7NKDLDKMA4BtxFloHXoWH4x/wSffw+sf3uJElQAN/BQWXUak/MU xKqkMyjf+CgUs2RpxeciEy6Fu5qT+1EedFGJBduoPml5ZfXYTX3dVXzw6sI8JGXToegSXP V6D9OaJux6uChstAWERmeZRnhQZ4+7g= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-533-EUqDmxvLNaC-bY9gFNnT9w-1; Tue, 14 Sep 2021 10:32:16 -0400 X-MC-Unique: EUqDmxvLNaC-bY9gFNnT9w-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 5D96E10144E3; Tue, 14 Sep 2021 14:32:14 +0000 (UTC) Received: from horse.redhat.com (unknown [10.22.9.32]) by smtp.corp.redhat.com (Postfix) with ESMTP id B62955D6A8; Tue, 14 Sep 2021 14:32:13 +0000 (UTC) Received: by horse.redhat.com (Postfix, from userid 10451) id 380F5220779; Tue, 14 Sep 2021 10:32:13 -0400 (EDT) Date: Tue, 14 Sep 2021 10:32:13 -0400 From: Vivek Goyal To: Bruce Fields Cc: Casey Schaufler , "Dr. David Alan Gilbert" , Alexander Viro , linux-fsdevel , LKML , virtio-fs@redhat.com, Daniel Walsh , Christian Brauner , Casey Schaufler , LSM , selinux@vger.kernel.org, Theodore Ts'o , Miklos Szeredi , Giuseppe Scrivano , stephen.smalley.work@gmail.com, Andreas Gruenbacher , Dave Chinner Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr Message-ID: References: <79dcd300-a441-cdba-e523-324733f892ca@schaufler-ca.com> <3bca47d0-747d-dd49-a03f-e0fa98eaa2f7@schaufler-ca.com> <1f33e6ef-e896-09ef-43b1-6c5fac40ba5f@schaufler-ca.com> <496e92bf-bf9e-a56b-bd73-3c1d0994a064@schaufler-ca.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 14, 2021 at 09:59:19AM -0400, Bruce Fields wrote: > On Tue, Sep 14, 2021 at 8:52 AM Vivek Goyal wrote: > > Same is the requirement for regular containers and that's why > > podman (and possibly other container managers), make top level > > storage directory only readable and searchable by root, so that > > unpriveleged entities on host can not access container root filesystem > > data. > > Note--if that directory is on NFS, making it readable and searchable > by root is very weak protection, since it's often possible for an > attacker to guess filehandles and access objects without the need for > directory lookups. open_by_handle_at() requires CAP_DAC_READ_SEARCH. And if you have CAP_DAC_READ_SEARCH, you don't need to even guess file handles. You should be able to read/search through all directories, IIUC. So how does one make sure that shared directory on host is not accessible to unprivileged entities. If making directory accessible to root only is weaker security, what are the options for stronger security. Vivek