From: Bruce Fields
Date: Tue, 14 Sep 2021 11:01:00 -0400
Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
To: Vivek Goyal
Cc: Casey Schaufler, "Dr. David Alan Gilbert", Alexander Viro, linux-fsdevel, LKML, virtio-fs@redhat.com, Daniel Walsh, Christian Brauner, Casey Schaufler, LSM, selinux@vger.kernel.org, "Theodore Ts'o", Miklos Szeredi, Giuseppe Scrivano, stephen.smalley.work@gmail.com, Andreas Gruenbacher, Dave Chinner
References: <79dcd300-a441-cdba-e523-324733f892ca@schaufler-ca.com> <3bca47d0-747d-dd49-a03f-e0fa98eaa2f7@schaufler-ca.com> <1f33e6ef-e896-09ef-43b1-6c5fac40ba5f@schaufler-ca.com> <496e92bf-bf9e-a56b-bd73-3c1d0994a064@schaufler-ca.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, Sep 14, 2021 at 10:32 AM Vivek Goyal wrote:
> open_by_handle_at() requires CAP_DAC_READ_SEARCH.

Or some sort of access to the network.  If you can send rpc requests to
the nfs server that appear to be from someone with access to the export,
you can guess filehandles that allow access to objects under that
directory.  You'll need access to particular objects, but you won't need
read or lookup access to the directory.

You can prevent that if you set things up right, but these filehandle
issues are poorly understood, and people often forget to take them into
account.

--b.

> And if you have
> CAP_DAC_READ_SEARCH, you don't need to even guess file handles.  You
> should be able to read/search through all directories, IIUC.
>
> So how does one make sure that shared directory on host is not
> accessible to unprivileged entities.  If making directory accessible
> to root only is weaker security, what are the options for stronger
> security.
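Added example, not part of this thread and not code from any of the participants: it shows what a "filehandle" actually contains and why holding one lets you skip directory lookup permission. The fid type constants (FILEID_INO32_GEN = 1, FILEID_INO32_GEN_PARENT = 2) and their layout (32-bit inode number followed by 32-bit generation number, optionally followed by the same pair for the parent) are the generic encoding from include/linux/exportfs.h that ext4 and most filesystems without a custom encoder use; knfsd embeds exactly these bytes in the on-the-wire NFS handle. Assumptions: Linux with glibc's name_to_handle_at()/open_by_handle_at() wrappers, a path given as argv[1] on a filesystem using the generic encoding (a filesystem-specific handle type is reported and not decoded), and no seccomp policy blocking those two syscalls (container runtimes often block them by default). The helper names decode_ino32_fh, encode_ino32_fh and open_by_ino_gen are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Generic fid types from include/linux/exportfs.h. */
#define FILEID_INO32_GEN        1
#define FILEID_INO32_GEN_PARENT 2

struct ino32_fh {
    uint32_t ino, gen;               /* the object itself             */
    uint32_t parent_ino, parent_gen; /* only for the _PARENT variant   */
    int has_parent;
};

/* Decode the opaque f_handle bytes of a FILEID_INO32_GEN(_PARENT) handle.
 * Returns 0 on success, -1 for a type or length this example doesn't know.
 * Note what is NOT here: no path, no directory, nothing the server can
 * check against directory permissions. The inode number is enumerable
 * (stat/ls -i); the generation number is the only non-public part. */
int decode_ino32_fh(int handle_type, const unsigned char *f_handle,
                    unsigned handle_bytes, struct ino32_fh *out)
{
    memset(out, 0, sizeof *out);
    if (handle_type == FILEID_INO32_GEN && handle_bytes >= 8) {
        memcpy(&out->ino, f_handle, 4);
        memcpy(&out->gen, f_handle + 4, 4);
        return 0;
    }
    if (handle_type == FILEID_INO32_GEN_PARENT && handle_bytes >= 16) {
        memcpy(&out->ino, f_handle, 4);
        memcpy(&out->gen, f_handle + 4, 4);
        memcpy(&out->parent_ino, f_handle + 8, 4);
        memcpy(&out->parent_gen, f_handle + 12, 4);
        out->has_parent = 1;
        return 0;
    }
    return -1;
}

/* Build a candidate FILEID_INO32_GEN handle from an (ino, gen) pair.
 * This is the "guess" in the discussion: a forged handle is just two ints. */
void encode_ino32_fh(uint32_t ino, uint32_t gen, unsigned char f_handle[8])
{
    memcpy(f_handle, &ino, 4);
    memcpy(f_handle + 4, &gen, 4);
}

/* Open an object by (ino, gen) alone, with no path walk at all.
 * Returns an fd, or -errno: -EPERM without CAP_DAC_READ_SEARCH,
 * -ESTALE when the generation number is wrong for that inode. */
int open_by_ino_gen(int mount_fd, uint32_t ino, uint32_t gen)
{
    struct file_handle *fh = malloc(sizeof *fh + 8);
    if (!fh)
        return -ENOMEM;
    fh->handle_bytes = 8;
    fh->handle_type = FILEID_INO32_GEN;
    encode_ino32_fh(ino, gen, fh->f_handle);
    int fd = open_by_handle_at(mount_fd, fh, O_RDONLY);
    int err = errno;
    free(fh);
    return fd >= 0 ? fd : -err;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <path>\n", argv[0]);
        return 2;
    }
    /* Step 1: ask the kernel for the handle. Unprivileged, but this path
     * walk is the last time directory search permission is consulted. */
    struct file_handle *fh = malloc(sizeof *fh + MAX_HANDLE_SZ);
    if (!fh)
        return 1;
    fh->handle_bytes = MAX_HANDLE_SZ;
    int mount_id;
    if (name_to_handle_at(AT_FDCWD, argv[1], fh, &mount_id, 0) < 0) {
        perror("name_to_handle_at");
        return 1;
    }
    struct ino32_fh d;
    if (decode_ino32_fh(fh->handle_type, fh->f_handle, fh->handle_bytes, &d) < 0) {
        printf("handle type %d (%u bytes): filesystem-specific encoding\n",
               fh->handle_type, fh->handle_bytes);
        return 0;
    }
    printf("handle type %d: ino=%u gen=0x%08x", fh->handle_type,
           (unsigned)d.ino, (unsigned)d.gen);
    if (d.has_parent)
        printf(" parent_ino=%u parent_gen=0x%08x",
               (unsigned)d.parent_ino, (unsigned)d.parent_gen);
    printf("\n");

    /* Step 2: go back in using only the two numbers. mount_fd just names
     * the filesystem; any object on it will do. */
    int mount_fd = open(argv[1], O_RDONLY | O_PATH);
    int fd = open_by_ino_gen(mount_fd, d.ino, d.gen);
    if (fd >= 0) {
        printf("open_by_handle_at succeeded: CAP_DAC_READ_SEARCH held, no lookup needed\n");
        close(fd);
    } else {
        printf("open_by_handle_at: %s\n", strerror(-fd));
    }
    close(mount_fd);
    free(fh);
    return 0;
}
```

Run it as an ordinary user against a file in a directory you can read and the second step fails with EPERM; run it as root (or with CAP_DAC_READ_SEARCH) and it succeeds even after you chmod 000 every directory above the file. That is the local form of the point above: the handle identifies the object without naming a path, so nothing on the path is checked. Over NFS the same bytes arrive in an RPC whose caller identity, under AUTH_SYS, is whatever uid the client claims, so a host that can reach the server and is allowed by the export is only one correct generation number away from any inode on that filesystem.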