From: Seth Forshee <seth.forshee@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
Serge Hallyn <serge.hallyn@canonical.com>,
Andy Lutomirski <luto@amacapital.net>,
linux-kernel@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts
Date: Thu, 16 Jul 2015 08:59:47 -0500 [thread overview]
Message-ID: <20150716135947.GC77715@ubuntu-hedt> (raw)
In-Reply-To: <87615k7pyu.fsf@x220.int.ebiederm.org>
On Wed, Jul 15, 2015 at 10:15:21PM -0500, Eric W. Biederman wrote:
>
> Seth I think for the LSMs we should start with:
>
> diff --git a/security/security.c b/security/security.c
> index 062f3c997fdc..5b6ece92a8e5 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -310,6 +310,8 @@ int security_sb_statfs(struct dentry *dentry)
> int security_sb_mount(const char *dev_name, struct path *path,
> const char *type, unsigned long flags, void *data)
> {
> + if (current_user_ns() != &init_user_ns)
> + return -EPERM;
> return call_int_hook(sb_mount, 0, dev_name, path, type, flags, data);
> }
This just makes it impossible to mount from a user namespace. Every
mount from current_user_ns() != &init_user_ns will fail.
> Then we should push this down into all of the lsms.
> Then when we should remove or relax or change the check as appropriate
> in each lsm.
>
> The point is this is good enough to see that it is trivially safe,
> and this allows us to focus on the core issues, and stop worrying about
> the lsms for a bit.
>
> Then we can focus on each lsm one at at time and take the time to really
> understand them and talk with their maintainers etc to make certain
> we get things correct.
>
> This should remove the need for your patches 5, 6 and 7. For the
> immediate future.
I'm still not entirely sure what you were trying to do, maybe refuse to
mount whenever a security module is loaded? I think this could be a good
option to start, but couldn't we restrict it to only the LSMs which use
xattrs for security labels? In situations where the filesystem cannot
supply security policy metadata I can't think of any reason to disallow
the mounts.
Seth
WARNING: multiple messages have this Message-ID (diff)
From: Seth Forshee <seth.forshee@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>,
linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
linux-security-module@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts
Date: Thu, 16 Jul 2015 08:59:47 -0500 [thread overview]
Message-ID: <20150716135947.GC77715@ubuntu-hedt> (raw)
In-Reply-To: <87615k7pyu.fsf@x220.int.ebiederm.org>
On Wed, Jul 15, 2015 at 10:15:21PM -0500, Eric W. Biederman wrote:
>
> Seth I think for the LSMs we should start with:
>
> diff --git a/security/security.c b/security/security.c
> index 062f3c997fdc..5b6ece92a8e5 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -310,6 +310,8 @@ int security_sb_statfs(struct dentry *dentry)
> int security_sb_mount(const char *dev_name, struct path *path,
> const char *type, unsigned long flags, void *data)
> {
> + if (current_user_ns() != &init_user_ns)
> + return -EPERM;
> return call_int_hook(sb_mount, 0, dev_name, path, type, flags, data);
> }
This just makes it impossible to mount from a user namespace. Every
mount from current_user_ns() != &init_user_ns will fail.
> Then we should push this down into all of the lsms.
> Then when we should remove or relax or change the check as appropriate
> in each lsm.
>
> The point is this is good enough to see that it is trivially safe,
> and this allows us to focus on the core issues, and stop worrying about
> the lsms for a bit.
>
> Then we can focus on each lsm one at at time and take the time to really
> understand them and talk with their maintainers etc to make certain
> we get things correct.
>
> This should remove the need for your patches 5, 6 and 7. For the
> immediate future.
I'm still not entirely sure what you were trying to do, maybe refuse to
mount whenever a security module is loaded? I think this could be a good
option to start, but couldn't we restrict it to only the LSMs which use
xattrs for security labels? In situations where the filesystem cannot
supply security policy metadata I can't think of any reason to disallow
the mounts.
Seth
next prev parent reply other threads:[~2015-07-16 14:00 UTC|newest]
Thread overview: 232+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-15 19:46 [PATCH 0/7] Initial support for user namespace owned mounts Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 1/7] fs: Add user namesapace member to struct super_block Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-16 2:47 ` Eric W. Biederman
2015-07-16 2:47 ` Eric W. Biederman
2015-08-05 21:03 ` Seth Forshee
2015-08-05 21:03 ` Seth Forshee
2015-08-05 21:19 ` Eric W. Biederman
2015-08-05 21:19 ` Eric W. Biederman
2015-08-06 14:20 ` Seth Forshee
2015-08-06 14:20 ` Seth Forshee
2015-08-06 14:51 ` Stephen Smalley
2015-08-06 14:51 ` Stephen Smalley
2015-08-06 15:44 ` Seth Forshee
2015-08-06 15:44 ` Seth Forshee
2015-08-06 16:11 ` Stephen Smalley
2015-08-06 16:11 ` Stephen Smalley
2015-08-07 14:16 ` Seth Forshee
2015-08-07 14:16 ` Seth Forshee
2015-08-07 14:32 ` Seth Forshee
2015-08-07 14:32 ` Seth Forshee
2015-08-07 18:35 ` Casey Schaufler
2015-08-07 18:35 ` Casey Schaufler
2015-08-07 18:57 ` Seth Forshee
2015-08-07 18:57 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 2/7] userns: Simpilify MNT_NODEV handling Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 3/7] fs: Ignore file caps in mounts from other user namespaces Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 21:48 ` Serge E. Hallyn
2015-07-15 21:48 ` Serge E. Hallyn
2015-07-15 21:50 ` Andy Lutomirski
2015-07-15 21:50 ` Andy Lutomirski
2015-07-15 22:35 ` Eric W. Biederman
2015-07-15 22:35 ` Eric W. Biederman
2015-07-16 1:14 ` Seth Forshee
2015-07-16 1:14 ` Seth Forshee
2015-07-16 1:23 ` Andy Lutomirski
2015-07-16 1:23 ` Andy Lutomirski
2015-07-16 13:06 ` Seth Forshee
2015-07-16 13:06 ` Seth Forshee
2015-07-16 1:19 ` Andy Lutomirski
2015-07-16 1:19 ` Andy Lutomirski
2015-07-16 4:23 ` Eric W. Biederman
2015-07-16 4:23 ` Eric W. Biederman
2015-07-16 4:49 ` Andy Lutomirski
2015-07-16 4:49 ` Andy Lutomirski
2015-07-16 5:04 ` Eric W. Biederman
2015-07-16 5:04 ` Eric W. Biederman
2015-07-16 5:15 ` Andy Lutomirski
2015-07-16 5:15 ` Andy Lutomirski
2015-07-16 5:44 ` Eric W. Biederman
2015-07-16 5:44 ` Eric W. Biederman
2015-07-16 13:13 ` Seth Forshee
2015-07-16 13:13 ` Seth Forshee
2015-07-17 0:43 ` Eric W. Biederman
2015-07-17 0:43 ` Eric W. Biederman
2015-07-29 16:04 ` Serge E. Hallyn
2015-07-29 16:04 ` Serge E. Hallyn
2015-07-29 16:18 ` Serge E. Hallyn
2015-07-29 16:18 ` Serge E. Hallyn
2015-07-15 19:46 ` [PATCH 4/7] fs: Treat foreign mounts as nosuid Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-17 6:46 ` Nikolay Borisov
2015-07-17 6:46 ` Nikolay Borisov
2015-07-15 19:46 ` [PATCH 5/7] security: Restrict security attribute updates for userns mounts Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 6/7] selinux: Ignore security labels on user namespace mounts Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-16 13:23 ` Stephen Smalley
2015-07-22 16:02 ` Stephen Smalley
2015-07-22 16:14 ` Seth Forshee
2015-07-22 16:14 ` Seth Forshee
2015-07-22 20:25 ` Stephen Smalley
2015-07-22 20:25 ` Stephen Smalley
2015-07-22 20:40 ` Stephen Smalley
2015-07-22 20:40 ` Stephen Smalley
2015-07-23 13:57 ` Stephen Smalley
2015-07-23 13:57 ` Stephen Smalley
2015-07-23 14:39 ` Seth Forshee
2015-07-23 14:39 ` Seth Forshee
2015-07-23 15:36 ` Stephen Smalley
2015-07-23 15:36 ` Stephen Smalley
2015-07-23 16:23 ` Seth Forshee
2015-07-23 16:23 ` Seth Forshee
2015-07-24 15:11 ` Seth Forshee
2015-07-24 15:11 ` Seth Forshee
2015-07-30 15:57 ` Stephen Smalley
2015-07-30 15:57 ` Stephen Smalley
2015-07-30 16:24 ` Seth Forshee
2015-07-30 16:24 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 7/7] smack: Don't use security labels for " Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 20:43 ` Casey Schaufler
2015-07-15 20:43 ` Casey Schaufler
2015-07-15 20:36 ` [PATCH 0/7] Initial support for user namespace owned mounts Casey Schaufler
2015-07-15 20:36 ` Casey Schaufler
2015-07-15 21:06 ` Eric W. Biederman
2015-07-15 21:06 ` Eric W. Biederman
2015-07-15 21:48 ` Seth Forshee
2015-07-15 21:48 ` Seth Forshee
2015-07-15 22:28 ` Eric W. Biederman
2015-07-15 22:28 ` Eric W. Biederman
2015-07-16 1:05 ` Andy Lutomirski
2015-07-16 1:05 ` Andy Lutomirski
2015-07-16 2:20 ` Eric W. Biederman
2015-07-16 2:20 ` Eric W. Biederman
2015-07-16 13:12 ` Stephen Smalley
2015-07-16 13:12 ` Stephen Smalley
2015-07-15 23:04 ` Casey Schaufler
2015-07-15 23:04 ` Casey Schaufler
2015-07-15 22:39 ` Casey Schaufler
2015-07-15 22:39 ` Casey Schaufler
2015-07-16 1:08 ` Andy Lutomirski
2015-07-16 1:08 ` Andy Lutomirski
2015-07-16 2:54 ` Casey Schaufler
2015-07-16 2:54 ` Casey Schaufler
2015-07-16 4:47 ` Eric W. Biederman
2015-07-16 4:47 ` Eric W. Biederman
2015-07-17 0:09 ` Dave Chinner
2015-07-17 0:09 ` Dave Chinner
2015-07-17 0:42 ` Eric W. Biederman
2015-07-17 0:42 ` Eric W. Biederman
2015-07-17 2:47 ` Dave Chinner
2015-07-17 2:47 ` Dave Chinner
2015-07-21 17:37 ` J. Bruce Fields
2015-07-21 17:37 ` J. Bruce Fields
2015-07-22 7:56 ` Dave Chinner
2015-07-22 7:56 ` Dave Chinner
2015-07-22 14:09 ` J. Bruce Fields
2015-07-22 14:09 ` J. Bruce Fields
2015-07-22 16:52 ` Austin S Hemmelgarn
2015-07-22 16:52 ` Austin S Hemmelgarn
2015-07-22 17:41 ` J. Bruce Fields
2015-07-22 17:41 ` J. Bruce Fields
2015-07-23 1:51 ` Dave Chinner
2015-07-23 1:51 ` Dave Chinner
2015-07-23 13:19 ` J. Bruce Fields
2015-07-23 13:19 ` J. Bruce Fields
2015-07-23 23:48 ` Dave Chinner
2015-07-23 23:48 ` Dave Chinner
2015-07-18 0:07 ` Serge E. Hallyn
2015-07-18 0:07 ` Serge E. Hallyn
2015-07-20 17:54 ` Colin Walters
2015-07-20 17:54 ` Colin Walters
2015-07-16 11:16 ` Lukasz Pawelczyk
2015-07-16 11:16 ` Lukasz Pawelczyk
2015-07-17 0:10 ` Eric W. Biederman
2015-07-17 0:10 ` Eric W. Biederman
2015-07-17 10:13 ` Lukasz Pawelczyk
2015-07-17 10:13 ` Lukasz Pawelczyk
2015-07-16 3:15 ` Eric W. Biederman
2015-07-16 3:15 ` Eric W. Biederman
2015-07-16 13:59 ` Seth Forshee [this message]
2015-07-16 13:59 ` Seth Forshee
2015-07-16 15:09 ` Casey Schaufler
2015-07-16 15:09 ` Casey Schaufler
2015-07-16 18:57 ` Seth Forshee
2015-07-16 18:57 ` Seth Forshee
2015-07-16 21:42 ` Casey Schaufler
2015-07-16 21:42 ` Casey Schaufler
2015-07-16 22:27 ` Andy Lutomirski
2015-07-16 22:27 ` Andy Lutomirski
2015-07-16 23:08 ` Casey Schaufler
2015-07-16 23:08 ` Casey Schaufler
2015-07-16 23:29 ` Andy Lutomirski
2015-07-16 23:29 ` Andy Lutomirski
2015-07-17 0:45 ` Casey Schaufler
2015-07-17 0:45 ` Casey Schaufler
2015-07-17 0:59 ` Andy Lutomirski
2015-07-17 0:59 ` Andy Lutomirski
2015-07-17 14:28 ` Serge E. Hallyn
2015-07-17 14:28 ` Serge E. Hallyn
2015-07-17 14:56 ` Seth Forshee
2015-07-17 14:56 ` Seth Forshee
2015-07-21 20:35 ` Seth Forshee
2015-07-21 20:35 ` Seth Forshee
2015-07-22 1:52 ` Casey Schaufler
2015-07-22 1:52 ` Casey Schaufler
2015-07-22 15:56 ` Seth Forshee
2015-07-22 15:56 ` Seth Forshee
2015-07-22 18:10 ` Casey Schaufler
2015-07-22 18:10 ` Casey Schaufler
2015-07-22 19:32 ` Seth Forshee
2015-07-22 19:32 ` Seth Forshee
2015-07-23 0:05 ` Casey Schaufler
2015-07-23 0:05 ` Casey Schaufler
2015-07-23 0:15 ` Eric W. Biederman
2015-07-23 0:15 ` Eric W. Biederman
2015-07-23 5:15 ` Seth Forshee
2015-07-23 5:15 ` Seth Forshee
2015-07-23 21:48 ` Casey Schaufler
2015-07-23 21:48 ` Casey Schaufler
2015-07-28 20:40 ` Seth Forshee
2015-07-28 20:40 ` Seth Forshee
2015-07-30 16:18 ` Casey Schaufler
2015-07-30 16:18 ` Casey Schaufler
2015-07-30 17:05 ` Eric W. Biederman
2015-07-30 17:05 ` Eric W. Biederman
2015-07-30 17:25 ` Seth Forshee
2015-07-30 17:25 ` Seth Forshee
2015-07-30 17:33 ` Eric W. Biederman
2015-07-30 17:33 ` Eric W. Biederman
2015-07-17 13:21 ` Seth Forshee
2015-07-17 13:21 ` Seth Forshee
2015-07-17 17:14 ` Casey Schaufler
2015-07-17 17:14 ` Casey Schaufler
2015-07-16 15:59 ` Seth Forshee
2015-07-16 15:59 ` Seth Forshee
2015-07-30 4:24 Amir Goldstein
2015-07-30 4:24 ` Amir Goldstein
2015-07-30 13:55 ` Seth Forshee
2015-07-30 13:55 ` Seth Forshee
2015-07-30 14:47 ` Amir Goldstein
2015-07-30 14:47 ` Amir Goldstein
2015-07-30 15:33 ` Casey Schaufler
2015-07-30 15:33 ` Casey Schaufler
2015-07-30 15:52 ` Colin Walters
2015-07-30 15:52 ` Colin Walters
2015-07-30 16:15 ` Eric W. Biederman
2015-07-30 16:15 ` Eric W. Biederman
2015-07-30 13:57 ` Serge Hallyn
2015-07-30 13:57 ` Serge Hallyn
2015-07-30 15:09 ` Amir Goldstein
2015-07-30 15:09 ` Amir Goldstein
2015-07-31 8:11 Amir Goldstein
2015-07-31 8:11 ` Amir Goldstein
2015-07-31 19:56 ` Casey Schaufler
2015-07-31 19:56 ` Casey Schaufler
2015-08-01 17:01 ` Amir Goldstein
2015-08-01 17:01 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150716135947.GC77715@ubuntu-hedt \
--to=seth.forshee@canonical.com \
--cc=casey@schaufler-ca.com \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.