From: Stefan Berger <stefanb@linux.ibm.com>
To: jejb@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org
Subject: Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace
Date: Wed, 1 Dec 2021 13:11:15 -0500 [thread overview]
Message-ID: <f2113d60-49d3-2e2d-7dbe-b831035f96a1@linux.ibm.com> (raw)
In-Reply-To: <6599ac61289e3316bff53602a0bc5970133251aa.camel@linux.ibm.com>
On 12/1/21 12:56, James Bottomley wrote:
> On Tue, 2021-11-30 at 11:06 -0500, Stefan Berger wrote:
> [...]
>> +
>> +/*
>> + * Fix the ownership (uid/gid) of the dentry's that couldn't be set
>> at the
>> + * time of their creation because the user namespace wasn't
>> configured, yet.
>> + */
>> +static void ima_fs_ns_fixup_uid_gid(struct ima_namespace *ns)
>> +{
>> + struct inode *inode;
>> + size_t i;
>> +
>> + if (ns->file_ownership_fixes_done ||
>> + ns->user_ns->uid_map.nr_extents == 0)
>> + return;
>> +
>> + ns->file_ownership_fixes_done = true;
>> + for (i = 0; i < IMAFS_DENTRY_LAST; i++) {
>> + if (!ns->dentry[i])
>> + continue;
>> + inode = ns->dentry[i]->d_inode;
>> + inode->i_uid = make_kuid(ns->user_ns, 0);
>> + inode->i_gid = make_kgid(ns->user_ns, 0);
>> + }
>> +}
>> +
>> +/* Fix the permissions when a file is opened */
>> +int ima_fs_ns_permission(struct user_namespace *mnt_userns, struct
>> inode *inode,
>> + int mask)
>> +{
>> + ima_fs_ns_fixup_uid_gid(get_current_ns());
>> + return generic_permission(mnt_userns, inode, mask);
>> +}
>> +
>> +const struct inode_operations ima_fs_ns_inode_operations = {
>> + .lookup = simple_lookup,
>> + .permission = ima_fs_ns_permission,
>> +};
>> +
> In theory this uid/gid shifting should have already been done for you
> and all of the above code should be unnecessary. What is supposed to
> happen is that the mount of securityfs_ns in the new user namespace
> should pick up a superblock s_user_ns for that new user namespace. Now
> inode_alloc() uses i_uid_write(inode, 0) which maps back through the
> s_user_ns to obtain the owner of the user namespace.
>
> What can happen is that if you do the inode allocation before (or even
> without) writing to the uid_map file, it maps back through an empty map
> and ends up with -1 for i_uid ... is this what you're seeing?
I tried this with runc and a user namespace active mapping uid 1000 on
the host to uid 0 in the container. There I run into the problem that
all of the files and directories without the above work-around are
mapped to 'nobody', just like all the files in sysfs in this case are
also mapped to nobody. This code resolved the issue.
sh-5.1# ls -l /sys/
total 0
drwxr-xr-x. 2 nobody nobody 0 Dec 1 18:06 block
drwxr-xr-x. 28 nobody nobody 0 Dec 1 18:06 bus
drwxr-xr-x. 54 nobody nobody 0 Dec 1 18:06 class
drwxr-xr-x. 4 nobody nobody 0 Dec 1 18:06 dev
drwxr-xr-x. 15 nobody nobody 0 Dec 1 18:06 devices
drwxrwxrwt. 2 root root 40 Dec 1 18:06 firmware
drwxr-xr-x. 9 nobody nobody 0 Dec 1 18:06 fs
drwxr-xr-x. 16 nobody nobody 0 Dec 1 18:06 kernel
drwxr-xr-x. 161 nobody nobody 0 Dec 1 18:06 module
drwxr-xr-x. 3 nobody nobody 0 Dec 1 18:06 power
sh-5.1# ls -l /sys/kernel/security/
total 0
lr--r--r--. 1 nobody nobody 0 Dec 1 18:06 ima -> integrity/ima
drwxr-xr-x. 3 nobody nobody 0 Dec 1 18:06 integrity
sh-5.1# ls -l /sys/kernel/security/ima/
total 0
-r--r-----. 1 root root 0 Dec 1 18:06 ascii_runtime_measurements
-r--r-----. 1 root root 0 Dec 1 18:06 binary_runtime_measurements
-rw-------. 1 root root 0 Dec 1 18:06 policy
-r--r-----. 1 root root 0 Dec 1 18:06 runtime_measurements_count
-r--r-----. 1 root root 0 Dec 1 18:06 violations
The nobody's are obviously sufficient to cd into the directories, but
for file accesses I wanted to see root and no changes to permissions.
Stefan
>
> James
>
>
next prev parent reply other threads:[~2021-12-01 18:11 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-30 16:06 [RFC 00/20] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2021-11-30 16:06 ` [RFC 01/20] ima: Add IMA namespace support Stefan Berger
2021-11-30 21:53 ` kernel test robot
2021-11-30 21:53 ` kernel test robot
2021-11-30 22:03 ` kernel test robot
2021-11-30 22:03 ` kernel test robot
2021-11-30 22:42 ` [RFC PATCH] ima: imans_cache_init() can be static kernel test robot
2021-11-30 22:44 ` [RFC 01/20] ima: Add IMA namespace support kernel test robot
2021-11-30 16:06 ` [RFC 02/20] ima: Define ns_status for storing namespaced iint data Stefan Berger
2021-11-30 23:21 ` kernel test robot
2021-11-30 23:21 ` kernel test robot
2021-12-01 0:31 ` [RFC PATCH] ima: insert_ns_status() can be static kernel test robot
2021-12-01 0:33 ` [RFC 02/20] ima: Define ns_status for storing namespaced iint data kernel test robot
2021-11-30 16:06 ` [RFC 03/20] ima: Namespace audit status flags Stefan Berger
2021-11-30 16:06 ` [RFC 04/20] ima: Move delayed work queue and variables into ima_namespace Stefan Berger
2021-11-30 16:06 ` [RFC 05/20] ima: Move IMA's keys queue related " Stefan Berger
2021-11-30 16:06 ` [RFC 06/20] ima: Move policy " Stefan Berger
2021-11-30 19:29 ` kernel test robot
2021-11-30 16:06 ` [RFC 07/20] ima: Move ima_htable " Stefan Berger
2021-11-30 16:06 ` [RFC 08/20] ima: Move measurement list related variables " Stefan Berger
2021-12-02 12:46 ` James Bottomley
2021-12-02 13:41 ` Stefan Berger
2021-12-02 16:29 ` James Bottomley
2021-12-02 16:45 ` Stefan Berger
2021-12-02 17:44 ` James Bottomley
2021-12-02 18:03 ` Stefan Berger
2021-12-02 20:03 ` James Bottomley
2021-11-30 16:06 ` [RFC 09/20] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now Stefan Berger
2021-11-30 16:06 ` [RFC 10/20] ima: Implement hierarchical processing of file accesses Stefan Berger
2021-11-30 16:06 ` [RFC 11/20] securityfs: Prefix global variables with securityfs_ Stefan Berger
2021-11-30 16:06 ` [RFC 12/20] securityfs: Pass static variables as parameters from top level functions Stefan Berger
2021-12-01 3:55 ` [RFC PATCH] securityfs: _securityfs_create_symlink() can be static kernel test robot
2021-12-01 4:02 ` [RFC 12/20] securityfs: Pass static variables as parameters from top level functions kernel test robot
2021-11-30 16:06 ` [RFC 13/20] securityfs: Build securityfs_ns for namespacing support Stefan Berger
2021-12-02 13:35 ` Christian Brauner
2021-12-02 13:47 ` Stefan Berger
2021-11-30 16:06 ` [RFC 14/20] ima: Move some IMA policy and filesystem related variables into ima_namespace Stefan Berger
2021-11-30 16:06 ` [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN Stefan Berger
2021-11-30 17:27 ` Casey Schaufler
2021-11-30 17:41 ` Stefan Berger
2021-11-30 17:50 ` Casey Schaufler
2021-11-30 16:06 ` [RFC 16/20] ima: Use ns_capable() for namespace policy access Stefan Berger
2021-11-30 16:06 ` [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability Stefan Berger
2021-12-01 16:58 ` James Bottomley
2021-12-01 17:35 ` Stefan Berger
2021-12-01 19:29 ` James Bottomley
2021-12-02 7:16 ` Denis Semakin
2021-12-02 12:33 ` James Bottomley
2021-12-02 17:54 ` Stefan Berger
2021-12-02 12:59 ` Christian Brauner
2021-12-02 13:01 ` Christian Brauner
2021-12-02 15:58 ` Casey Schaufler
2021-11-30 16:06 ` [RFC 18/20] userns: Introduce a refcount variable for calling early teardown function Stefan Berger
2021-11-30 16:06 ` [RFC 19/20] ima/userns: Define early teardown function for IMA namespace Stefan Berger
2021-11-30 20:42 ` kernel test robot
2021-11-30 16:06 ` [RFC 20/20] ima: Setup securityfs_ns " Stefan Berger
2021-12-01 2:14 ` [RFC PATCH] ima: ima_fs_ns_permission() can be static kernel test robot
2021-12-01 2:15 ` [RFC 20/20] ima: Setup securityfs_ns for IMA namespace kernel test robot
2021-12-01 17:56 ` James Bottomley
2021-12-01 18:11 ` Stefan Berger [this message]
2021-12-01 19:21 ` James Bottomley
2021-12-01 20:25 ` Stefan Berger
2021-12-01 21:11 ` James Bottomley
2021-12-01 21:34 ` Stefan Berger
2021-12-01 22:01 ` James Bottomley
2021-12-01 22:09 ` Stefan Berger
2021-12-01 22:19 ` James Bottomley
2021-12-02 0:02 ` Stefan Berger
2021-12-02 13:18 ` Christian Brauner
2021-12-02 13:52 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f2113d60-49d3-2e2d-7dbe-b831035f96a1@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.