Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp1201902rdb;
        Fri, 1 Dec 2023 09:26:47 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHwB20mXJm18s+xcERd4Mn0jNDaw8YZg8tDRmmHIaRQrJTuWQPhy5ThVawDyPhjPzffXaHr
X-Received: by 2002:a17:90a:d14f:b0:285:8a2a:1744 with SMTP id t15-20020a17090ad14f00b002858a2a1744mr25305621pjw.0.1701451606881;
        Fri, 01 Dec 2023 09:26:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1701451606; cv=none;
        d=google.com; s=arc-20160816;
        b=oLqGxVe273nHt1kD5o7SgIod5WrpQgItGeuKF/2HPBr+FiRCM09nk9zlU3VQP0NJiR
         HA17ny6lCk7w5ymXs1AM+USndciGrl9ylcxe0gngkR1a8cvSRT5Fhb7Yl1Ih0LMIsfnd
         N9OfNYBjW5Gl2QPTuiFQSUHjHPcMfbldsK5Z5nFWgftXnRBArwvbaYbfk/jxEQ1ggYKB
         KHBBw7cMmO+TGv4NkbUazr/MOxht9rDqvPz9hX8HtJQh13psb5p42kAZlw95VPaSPmDI
         UlQDcp8UghC75pefS2tpCxwSrb/xYlSmP/uMUrxEnxbhRq1aD60nXoCAnU1Xzb2YaMMI
         619A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=JHhTrvZ9PfVmBjWRUivHsNeFvsO83+lPF/EFHaXggok=;
        fh=7fXGgMwf+//x0JQxo8LE3wiBrkF7IJx/jxDwq0xWsEg=;
        b=eVWq+J+EmuEfgaT/s5lyKwoJEUNBY4FFl1lJcEKUBF/hjXWHS+GI1degZ9q4uDqEkt
         kysGGrrtaqvVa4xtU6ZMsGPz68yIKDoHcjmdKuiAGpLfTGZuiJfwAHIwGrepZYcwK9Kr
         VxTlCExPfg9Zrgrgcg7glkolO02mQaoPCfAVmLV8G27Abt8h+56SwUuI6Tf10NJ22J6j
         vfJzfS1H/tqWn2nOjq4q9nWBbSsC+tZvaju/QcJJNc4fGtJ4xAjvRxHh3NSkKEegk40L
         5vK8wBCE32cSEjCZ+AzlPJNu4bGlTxOIpw5hnyvrnd1OBh8azHWfei1ORwfd+q1JRszn
         C7Mg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=V9vMIDYP;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from snail.vger.email (snail.vger.email. [23.128.96.37])
        by mx.google.com with ESMTPS id o15-20020a170902d4cf00b001d052d36a15si1710124plg.303.2023.12.01.09.26.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 01 Dec 2023 09:26:46 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=V9vMIDYP;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by snail.vger.email (Postfix) with ESMTP id 81BD0812A96C;
	Fri,  1 Dec 2023 09:26:44 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229468AbjLAR0d (ORCPT <rfc822;abelvesa@gmail.com> + 99 others);
        Fri, 1 Dec 2023 12:26:33 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35380 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235282AbjLARZg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 1 Dec 2023 12:25:36 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 33EC9325F
        for <linux-kernel@vger.kernel.org>; Fri,  1 Dec 2023 09:23:59 -0800 (PST)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7CE8CC433C9;
        Fri,  1 Dec 2023 17:23:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1701451438;
        bh=QOHfQ98nqwi1J2PTqSI0/MkweaWsRSnMcDSb7BkvBOI=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=V9vMIDYPf6fGlDBdjzQi9PZS9gxcBpq412PHC7r/ZK/odc6HD/kSB/HwMMMkZF8/v
         2foMpBAradhjkVCJJWjA4OXh8d43H7RtalIEB5rdglfZrQ0PXMmfYp3ntnTwa+uzp4
         lpH4Bsz0GCXyy5ytXIzm48N4Di7EciK62at7X0LzmQEw+e8Zn4RS6FPNeV2++4rsjP
         x/kzpzhPcBmJrznimNCHRRWqNThDtan5ekp6BrrjFWiUTixRBC7uO0FlfuNlOz05hQ
         c0SygCn6AuUc4Mlp12HZxzYSb8ZafJ8z2NYnpHY+nIk5ooeeAA7CUQdWx8qlI+fOMJ
         LM+sAouKgsgBg==
Date:   Fri, 1 Dec 2023 11:23:57 -0600
From:   "Seth Forshee (DigitalOcean)" <sforshee@kernel.org>
To:     Christian Brauner <brauner@kernel.org>
Cc:     Serge Hallyn <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@redhat.com>,
        James Morris <jmorris@namei.org>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Amir Goldstein <amir73il@gmail.com>,
        linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-security-module@vger.kernel.org, audit@vger.kernel.org,
        linux-unionfs@vger.kernel.org
Subject: Re: [PATCH 06/16] capability: provide a helper for converting
 vfs_caps to xattr for userspace
Message-ID: <ZWoWrRgNDVRv6BTB@do-x1extreme>
References: <20231129-idmap-fscap-refactor-v1-0-da5a26058a5b@kernel.org>
 <20231129-idmap-fscap-refactor-v1-6-da5a26058a5b@kernel.org>
 <20231201-seide-famos-74e8c23ee2cc@brauner>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20231201-seide-famos-74e8c23ee2cc@brauner>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Fri, 01 Dec 2023 09:26:44 -0800 (PST)

On Fri, Dec 01, 2023 at 05:57:35PM +0100, Christian Brauner wrote:
> On Wed, Nov 29, 2023 at 03:50:24PM -0600, Seth Forshee (DigitalOcean) wrote:
> > cap_inode_getsecurity() implements a handful of policies for capability
> > xattrs read by userspace:
> > 
> >  - It returns EINVAL if the on-disk capability is in v1 format.
> > 
> >  - It masks off all bits in magic_etc except for the version and
> >    VFS_CAP_FLAGS_EFFECTIVE.
> > 
> >  - v3 capabilities are converted to v2 format if the rootid returned to
> >    userspace would be 0 or if the rootid corresponds to root in an
> >    ancestor user namespace.
> > 
> >  - It returns EOVERFLOW for a v3 capability whose rootid does not map to
> >    a valid id in current_user_ns() or to root in an ancestor namespace.
> 
> Nice. Precise and clear, please just drop these bullet points into the
> kernel-doc of that function.

Will do.

> > +/**
> > + * vfs_caps_to_user_xattr - convert vfs_caps to caps xattr for userspace
> > + *
> > + * @idmap:       idmap of the mount the inode was found from
> > + * @dest_userns: user namespace for ids in xattr data
> > + * @vfs_caps:    source vfs_caps data
> > + * @data:        destination buffer for rax xattr caps data
> > + * @size:        size of the @data buffer
> > + *
> > + * Converts a kernel-interrnal capability into the raw security.capability
> > + * xattr format. Includes permission checking and v2->v3 conversion as
> > + * appropriate.
> > + *
> > + * If the xattr is being read or written through an idmapped mount the
> > + * idmap of the vfsmount must be passed through @idmap. This function
> > + * will then take care to map the rootid according to @idmap.
> > + *
> > + * Return: On success, return 0; on error, return < 0.
> > + */
> > +int vfs_caps_to_user_xattr(struct mnt_idmap *idmap,
> > +			   struct user_namespace *dest_userns,
> > +			   const struct vfs_caps *vfs_caps,
> > +			   void *data, int size)
> > +{
> > +	struct vfs_ns_cap_data *ns_caps = data;
> > +	bool is_v3;
> > +	u32 magic;
> > +
> > +	/* Preserve previous behavior of returning EINVAL for v1 caps */
> > +	if ((vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_1)
> > +		return -EINVAL;
> > +
> > +	size = __vfs_caps_to_xattr(idmap, dest_userns, vfs_caps, data, size);
> > +	if (size < 0)
> > +		return size;
> > +
> > +	magic = vfs_caps->magic_etc &
> > +		(VFS_CAP_REVISION_MASK | VFS_CAP_FLAGS_EFFECTIVE);
> > +	ns_caps->magic_etc = cpu_to_le32(magic);
> > +
> > +	/*
> > +	 * If this is a v3 capability with a valid, non-zero rootid, return
> > +	 * the v3 capability to userspace. A v3 capability with a rootid of
> > +	 * 0 will be converted to a v2 capability below for compatibility
> > +	 * with old userspace.
> > +	 */
> > +	is_v3 = (vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_3;
> > +	if (is_v3) {
> > +		uid_t rootid = le32_to_cpu(ns_caps->rootid);
> > +		if (rootid != (uid_t)-1 && rootid != (uid_t)0)
> > +			return size;
> > +	}
> > +
> > +	if (!rootid_owns_currentns(vfs_caps->rootid))
> > +		return -EOVERFLOW;
> 
> For a v2 cap that we read vfs_caps->rootid will be vfsuid 0, right?
> So that means we're guaranteed to resolve that in the initial user
> namespace. IOW, rootid_owns_currentns() will indeed work with a pure v2
> cap. Ok. Just making sure that I understand that this won't cause
> EOVERFLOW for v2. But you would've likely seen that in tests right away.

Yes, that's all correct.