Received: by 2002:a05:7412:bbc7:b0:fc:a2b0:25d7 with SMTP id kh7csp777444rdb; Fri, 2 Feb 2024 03:59:03 -0800 (PST) X-Google-Smtp-Source: AGHT+IFVUGtVbh2boSxOvgjzoIdR2njioAKrCrwSB/igqUeuargWD80ybgukW5AYkYg3hIIQg53J X-Received: by 2002:a17:90b:911:b0:296:350b:7865 with SMTP id bo17-20020a17090b091100b00296350b7865mr2556376pjb.8.1706875143049; Fri, 02 Feb 2024 03:59:03 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706875143; cv=pass; d=google.com; s=arc-20160816; b=KF9TILRY44U7gYo9/gYzQsDu5BOEIOzTaSWKx8BNH7WgYH/7BOGMUCWXPUFQIgvrNR 7cdCg7HkExCNPchmfQXRtSX+AF1j63SZ1wne/WQuqnCmO0gcIIOypBI+jOY1o5sUb3UM WwJFURyOr8JUP4LgV1F3CdVyyOWusX0qcu8i+g9/TpLKi6Zo0Wn+qeWstJd8BU75HVWw VihduQdY+bdKGu/cPSHk+wik/s+bzpPtcZ4JzjZM86/YNoZj3F71lrjzTq1l1n9OFhTV 2oCCJlh6SsJHKwyfSqTugV+BDLyLSYASghJ6k6KGzWiCVPk4gb4iB9oxwlW8kMavbAnK e3UQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=3hVAALqARtppnBiYMwF8uAmaY8kjMlIhGa4D9pyAnac=; fh=YRhsL3zSmowwulB2OY+AJRKX+K5FL97d0f67AHiTpQA=; b=aYkcP++3U6wL5YKWRbYCda8hD0UrOyS8H3rDCxSr7prhrPIXGgSAP+ZfSJ1VJS4QLZ TdntIDftsfPlSSlthnSFCjtKcbPZ4XWKh7/Pf7sxslhnghTxXx8VZ7JylxVOFgTQIPP9 S5ru370ndmtuVMm3r4781T9Kbg9DWhUK0Bacl5sRP8emT7k0CuNvHPCaVufws8Mf0KQp XRwFmAzY/P0e8Y+jnbBUwJAlQju3w1f41AvdcIHlXQXmclifHDr2prhOzTNVRrterhJ7 ZBoi/TmEVwZ8nXOHcgoQTs8TI2phBjWCO1L/prUFtAwT6GrbFBnX3TmVo8pOm2BSYc38 Bg0w==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="Iu0aN8r/"; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-49808-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-49808-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org X-Forwarded-Encrypted: i=1; AJvYcCV4vC36NELfrlmC6S2Qvkg7icqhu+JO0V8D/s3hU9OpEqnzHxuwlaN2Zfw8g2q2N14c+ee4d1axms9hPNIRVDg37Ky7YniEq1PIdyBOlg== Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id l17-20020a170902f69100b001d7404481f6si1695426plg.161.2024.02.02.03.59.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Feb 2024 03:59:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-49808-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="Iu0aN8r/"; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-49808-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-49808-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 76B03287690 for ; Fri, 2 Feb 2024 11:58:40 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D7A1613E222; Fri, 2 Feb 2024 11:58:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Iu0aN8r/" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F0C1A60270; Fri, 2 Feb 2024 11:58:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706875112; cv=none; b=hqqWfho23h2rjymnFK3FY0IfJ1oCQE45j7aXRYwK8lEShTbCAJcJJ77CnfKpjTAZ7EiG2CFTltRiY94QZpLJvzvfQfKien8FniKyCnG80Bd5X9BgEMFYZYPhEMfS49TDJRRXbjMhIXik+xq7BnumDF5hhWVJRRGHhaBDHqydTyQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706875112; c=relaxed/simple; bh=28eVMR5VejBPzOZM439WvuKU/7CA3CIN97T0u0bI17c=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=mlpvtMMdLGc5/GLuDCCnSAUN9e+JTiHOJpYFanZdiuGH+eZ6z04qHhAHc2c5eBDYsPfb3C6wQyBqhNOb+IxyemWkvZp1etdk/FHKxlFZ9lwuchIWNr+r7cyOAP8zzyKGmO+xFE4Npr9QKjtV816UiRbZdu8QfBGJKv5/LyfdBg8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Iu0aN8r/; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id F3135C433F1; Fri, 2 Feb 2024 11:58:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1706875111; bh=28eVMR5VejBPzOZM439WvuKU/7CA3CIN97T0u0bI17c=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Iu0aN8r/nNwsnPMpARRPy4agLoGLztKstfqsKYfTb+5rlNKthcKgU9oh3zHdJFQsx cikBsWOOM+4KuaRpCGiYjlCBXnByOz9bDZuR/d9wlewsI8SvaZ2XDA+kaxDWj4D9JW bk5ddYM+MFp5tlhdtrUogWa6gcTsK3wbI2GuChVUK6twv15cfUqZprysCBjFYM3k1J FoaF71I0zDXKVdAB7gjyVp8+Z7zlIlt9cfshpah8KRWfm93dEWPRAXdOyGLmbBuxD3 tOoP+Jhjk0KipFO4LQeGDldHsb2PiNSsd6Gvg8y1xyr7rH8ZvKNaVluwMNKgI178kF ll1WNINh93u1w== Date: Fri, 2 Feb 2024 12:58:25 +0100 From: Christian Brauner To: Amir Goldstein Cc: Stefan Berger , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, miklos@szeredi.hu Subject: Re: [PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs Message-ID: <20240202-quatsch-hochachtung-c3a41dd551a7@brauner> References: <20240130214620.3155380-1-stefanb@linux.ibm.com> <20240130214620.3155380-2-stefanb@linux.ibm.com> <20240131-lacht-elend-536d94682370@brauner> <05fe58a1-9b2c-4c1f-80a6-4cb5094a2126@linux.ibm.com> <20240201-zierpflanzen-allgegenwart-5eb1fa243a61@brauner> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Thu, Feb 01, 2024 at 04:18:32PM +0200, Amir Goldstein wrote: > On Thu, Feb 1, 2024 at 3:35 PM Christian Brauner wrote: > > > > On Wed, Jan 31, 2024 at 09:56:25AM -0500, Stefan Berger wrote: > > > > > > > > > On 1/31/24 09:25, Christian Brauner wrote: > > > > On Wed, Jan 31, 2024 at 03:25:29PM +0200, Amir Goldstein wrote: > > > > > On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger wrote: > > > > > > > > > > > > Copying up xattrs is solely based on the security xattr name. For finer > > > > > > granularity add a dentry parameter to the security_inode_copy_up_xattr > > > > > > hook definition, allowing decisions to be based on the xattr content as > > > > > > well. > > > > > > > > > > > > Signed-off-by: Stefan Berger > > > > > > --- > > > > > > fs/overlayfs/copy_up.c | 2 +- > > > > > > include/linux/evm.h | 2 +- > > > > > > include/linux/lsm_hook_defs.h | 3 ++- > > > > > > include/linux/security.h | 4 ++-- > > > > > > security/integrity/evm/evm_main.c | 2 +- > > > > > > security/security.c | 7 ++++--- > > > > > > security/selinux/hooks.c | 2 +- > > > > > > security/smack/smack_lsm.c | 2 +- > > > > > > 8 files changed, 13 insertions(+), 11 deletions(-) > > > > > > > > > > > > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c > > > > > > index b8e25ca51016..bd9ddcefb7a7 100644 > > > > > > --- a/fs/overlayfs/copy_up.c > > > > > > +++ b/fs/overlayfs/copy_up.c > > > > > > @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de > > > > > > if (ovl_is_private_xattr(sb, name)) > > > > > > continue; > > > > > > > > > > > > - error = security_inode_copy_up_xattr(name); > > > > > > + error = security_inode_copy_up_xattr(old, name); > > > > > > > > > > What do you think about: > > > > > > > > > > error = security_inode_copy_up_xattr(name, NULL, 0); > > > > > > > > > > and then later... > > > > > > > > > > error = security_inode_copy_up_xattr(name, value, size); > > > > > > > > > > I am asking because overlayfs uses mnt_idmap(path->mnt) and you > > > > > have used nop_mnt_idmap inside evm hook. > > > > > this does not look right to me? > > > > > > > > So it's relevant if they interact with xattrs that care about the > > > > idmapping and that's POSIX ACLs and fscaps. And only if they perform > > > > permission checks such as posix_acl_update_mode() or something. IOW, it > > > > depends on what exactly EVM is doing. > > > > > > In 2/5 we are reading the value of security.evm to look at its contents. > > > > I'm not sure what this is supposed to be telling me in relation to the > > original question though. :) security.evm doesn't store any {g,u}id > > information afaict. IOW, it shouldn't matter? > > But it does. in evm_calc_hmac_or_hash() => hmac_add_misc(): > > hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid); > hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid); > > I guess as far as EVM is concerned, it should always be interested in the > absolute uig/gid values of the inode. There we go, thanks Amir. Yes, these EVM values can't be relative to any idmappings. If inode->i_uid has kuid 100000 and 100000 maps to zero in the caller's user namespace then you'd be storing hmac_misc.{g,u}id zero. That would be problematic as it would give the impression that real root caused that hmac to be written. So this really needs to store 100000 to make it clear that this was an unprivileged user that created these values.