Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp652260pxb; Wed, 15 Sep 2021 10:01:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzv6MD+FGkXAoktAlQwRB/32RxLewXxJANDU6oCel2Myg+7nhz8zBsw/gvxiImS96oUfLuX X-Received: by 2002:a92:6e0e:: with SMTP id j14mr761887ilc.190.1631725275282; Wed, 15 Sep 2021 10:01:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631725275; cv=none; d=google.com; s=arc-20160816; b=jWrXaNAIksT0zxZK1saz3Js3El974f8uYSByQICAUCst4A67oXmXV6i4+maLCHa8dU zEufKCM/1zQX3b1W6DDRXDg1IaTpsfXHcGx3Q2ZNiSHhp4je30svwakd4szCjwNI1Exr /NuYx3XXRxejfTagC4XPfqQHVzQsh6xRv+yBavkMTcrM2Bwxm28Aff+XfeCktGBc94I4 tP9doRZo5E69suEj7m3qBRkmywE8BkiLvyuAqG+ST3CM8aVBtPgQNDBKiWMX2WuORxEF vFQdvs65NMqhbMJgl51jvKSiG51+x0QIwR71+Gjq26mv7XayBaq+D1JdPR4kcNYkH7e9 RPlQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:reply-to:message-id:subject:cc:to:from:date; bh=DdZWmfxi+odWo4q+d3In/aokEk1/6Q5Fh7N4M5gLBBU=; b=x3kYeixolIBYQcsBdLExrnsK3F8hxH0atixGU1SuQFaVPhiLl4KHYcVV1Y1FBgKB2a wtka9H92KGXdLLmSBIzMk1fDYRGsxQleX+7wSG89wi5t7HDyzMT5ixYNuXHs9C4Favc1 Bpq82r+XaNxpWraazLWegZz+xYRk6TAUS2HC7SC9uJH2jMfd1EGNT/TXEzVrYaPuv0d4 jEl+bldMUOi687zbzilpfKE/ENn1miew6eFj047rdP1bCe/S3QH2gBSwIDX3bo4E0qC5 ZISrX2ITIES9fYKvouiD92touqt/Y17MrNkUEDaJHKa+UEboMz/xOqCkTWNiDCFU1Ef9 HiDA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q17si391636ilj.154.2021.09.15.10.01.02; Wed, 15 Sep 2021 10:01:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229826AbhIORBR (ORCPT + 99 others); Wed, 15 Sep 2021 13:01:17 -0400 Received: from wind.enjellic.com ([76.10.64.91]:58928 "EHLO wind.enjellic.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229690AbhIORBQ (ORCPT ); Wed, 15 Sep 2021 13:01:16 -0400 X-Greylist: delayed 1542 seconds by postgrey-1.27 at vger.kernel.org; Wed, 15 Sep 2021 13:01:15 EDT Received: from wind.enjellic.com (localhost [127.0.0.1]) by wind.enjellic.com (8.15.2/8.15.2) with ESMTP id 18FGXT0I002910; Wed, 15 Sep 2021 11:33:29 -0500 Received: (from greg@localhost) by wind.enjellic.com (8.15.2/8.15.2/Submit) id 18FGXRgh002909; Wed, 15 Sep 2021 11:33:27 -0500 Date: Wed, 15 Sep 2021 11:33:27 -0500 From: "Dr. Greg" To: Vivek Goyal Cc: Bruce Fields , Casey Schaufler , "Dr. David Alan Gilbert" , Alexander Viro , linux-fsdevel , LKML , virtio-fs@redhat.com, Daniel Walsh , Christian Brauner , Casey Schaufler , LSM , selinux@vger.kernel.org, "Theodore Ts'o" , Miklos Szeredi , Giuseppe Scrivano , stephen.smalley.work@gmail.com, Andreas Gruenbacher , Dave Chinner Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr Message-ID: <20210915163327.GA2324@wind.enjellic.com> Reply-To: "Dr. Greg" References: <3bca47d0-747d-dd49-a03f-e0fa98eaa2f7@schaufler-ca.com> <1f33e6ef-e896-09ef-43b1-6c5fac40ba5f@schaufler-ca.com> <496e92bf-bf9e-a56b-bd73-3c1d0994a064@schaufler-ca.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.3 (wind.enjellic.com [127.0.0.1]); Wed, 15 Sep 2021 11:33:29 -0500 (CDT) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 14, 2021 at 10:32:13AM -0400, Vivek Goyal wrote: Good morning, I hope the day is going well for everyone. > On Tue, Sep 14, 2021 at 09:59:19AM -0400, Bruce Fields wrote: > > On Tue, Sep 14, 2021 at 8:52 AM Vivek Goyal wrote: > > > Same is the requirement for regular containers and that's why > > > podman (and possibly other container managers), make top level > > > storage directory only readable and searchable by root, so that > > > unpriveleged entities on host can not access container root filesystem > > > data. > > > > Note--if that directory is on NFS, making it readable and searchable > > by root is very weak protection, since it's often possible for an > > attacker to guess filehandles and access objects without the need for > > directory lookups. > open_by_handle_at() requires CAP_DAC_READ_SEARCH. And if you have > CAP_DAC_READ_SEARCH, you don't need to even guess file handles. You > should be able to read/search through all directories, IIUC. > > So how does one make sure that shared directory on host is not > accessible to unprivileged entities. If making directory accessible > to root only is weaker security, what are the options for stronger > security. I've been watching this thread, with some interest, given what we have been working on with respect to providing a new security framework that merges IMA and LSM and external security co-processor technology. Some observations based on those experiences and this thread. Casey is an expert on MAC and capability based security systems, unfortunately for our industry, particularly bog standard system administrators, a rarefied set of skills. It may be helpful to consider his concerns and position on the issues involved in the framework of the number of systems that have, and blog posts that recommend, setting 'selinux=0' on the kernel command-line. I believe the best summary of his position on this issue, is the notion that placing security labels, even in transitive form in user accessible attributes, subordinates the security of the guest system, regardless of the MAC policy it implements, to the DAC based policy on the host system. Given that, there are no legitimate security guarantees that are inferrable based on the guest MAC policy. A legitimate pundit, could and probably should question, in the face of container filesystems and virtual machine images, whether any type of inferrable security guarantees are possible, but that is a question and argument for another day. I didn't see any mention of EVM brought up in these discussions, which may provide some options to improve the security integrity state of the guest. The 800 pound gorilla in the corner in all of this, is that inferrable security guarantees in guests require a certifiable chain of trust from the creator of the object to the kernel context that is making the security gating decisions on the object. A hard to implement and prove concept in bare metal trusted systems, let alone the myriad of edge cases lurking in namespaced and virtual environments. Which, in a nod to the other corner of the ring, may simply mean, with our current state of deployable technology, you pay your money and take your chances in these virtual environments. Which would in turn support the notion of a minimum security, ie. DAC, based effort. > Vivek Have a good remainder of the week. Dr. Greg As always, Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive Enjellic Systems Development, LLC IOT platforms and edge devices. 4206 N. 19th Ave. Fargo, ND 58102 PH: 701-281-1686 EMAIL: dg@enjellic.com ------------------------------------------------------------------------------ "This place is so screwed up. It's just like the Titanic, only we don't even have a band playing. -- Terrance George Wieland Resurrection.