From: Casey Schaufler <casey@schaufler-ca.com>
To: Seth Forshee <seth.forshee@canonical.com>,
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
Serge Hallyn <serge.hallyn@canonical.com>,
Andy Lutomirski <luto@amacapital.net>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts
Date: Wed, 15 Jul 2015 16:04:40 -0700 [thread overview]
Message-ID: <55A6E708.2050405@schaufler-ca.com> (raw)
In-Reply-To: <20150715214813.GB76420@ubuntu-hedt>
On 7/15/2015 2:48 PM, Seth Forshee wrote:
> On Wed, Jul 15, 2015 at 04:06:35PM -0500, Eric W. Biederman wrote:
>> Casey Schaufler <casey@schaufler-ca.com> writes:
>>
>>> On 7/15/2015 12:46 PM, Seth Forshee wrote:
>>>> These are the first in a larger set of patches that I've been working on
>>>> (with help from Eric Biederman) to support mounting ext4 and fuse
>>>> filesystems from within user namespaces. I've pushed the full series to:
>>>>
>>>> git://kernel.ubuntu.com/sforshee/linux.git userns-mounts
>>>>
>>>> Taking the series as a whole, the strategy is to handle as much of the
>>>> heavy lifting as possible in the vfs so the filesystems don't have to
>>>> handle weird edge cases. If you look at the full series you'll find that
>>>> the changes in ext4 to support user namespace mounts turn out to be
>>>> fairly minimal (fuse is a bit more complicated though as it must deal
>>>> with translating ids for a userspace process which is running in pid and
>>>> user namespaces).
>>>>
>>>> The patches I'm sending today lay some of the groundwork in the vfs and
>>>> related code. They fall into two broad groups:
>>>>
>>>> 1. Patches 1-2 add s_user_ns and simplify MNT_NODEV handling. These are
>>>> pretty straightforward, and Eric has expressed interest in merging
>>>> these patches soon. Note that patch 2 won't apply cleanly without
>>>> Eric's noexec patches for proc and sys [1].
>>>>
>>>> 2. Patches 2-7 tighten down security for mounts with s_user_ns !=
>>>> &init_user_ns. This includes updates to how file caps and suid are
>>>> handled and LSM updates to ignore security labels on superblocks
>>>> from non-init namespaces.
>>>>
>>>> The LSM changes in particular may not be optimal, as I don't have a
>>>> lot of familiarity with this code, so I'd be especially appreciative
>>>> of review of these changes and suggestions on how to improve them.
>>> Lukasz Pawelczyk <l.pawelczyk@samsung.com> proposed
>>> LSM support in user namespaces ([RFC] lsm: namespace hooks)
>>> that make a whole lot more sense than just turning off
>>> the option of using labels on files. Gutting the ability
>>> to use MAC in a namespace is a step down the road of
>>> making MAC and namespaces incompatible.
>> This is not "turning off the option to use labels on files".
>>
>> This is supporting mounting filesystems like ext4 by unprivileged users
>> and not trusting the labels they set in the same way as we trust labels
>> on filesystems mounted by privileged users.
>>
>> The first step needs to be not trusting those labels and treating such
>> filesystems as filesystems without label support. I hope that is Seth
>> has implemented.
>>
>> In the long run we can do more interesting things with such filesystems
>> once the appropriate LSM policy is in place.
> Yes, this exactly. Right now it looks to me like the only safe thing to
> do with mounts from unprivileged users is to ignore the security labels,
> so that's what I'm trying to do with these changes. If there's some
> better thing to do, or some better way to do it, I'm more than happy to
> receive that feedback.
If you ignore Smack labels you get a system that is broken.
Without specifying Smack mount options (requires CAP_MAC_ADMIN)
all your files will be labeled with the floor ("_") label. Unless
you're running with the floor label (Smack systems generally don't)
there won't be anything you can write to. You will be able to read
everything, which is also something you're unlikely to want. Like
I said, broken.
Personally, I don't believe that the goal of supporting
unprivileged mounts is especially sane. I am willing to
be educated, but I don't see a rational solution.
> Seth
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: Seth Forshee <seth.forshee@canonical.com>,
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>,
linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
linux-security-module@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts
Date: Wed, 15 Jul 2015 16:04:40 -0700 [thread overview]
Message-ID: <55A6E708.2050405@schaufler-ca.com> (raw)
In-Reply-To: <20150715214813.GB76420@ubuntu-hedt>
On 7/15/2015 2:48 PM, Seth Forshee wrote:
> On Wed, Jul 15, 2015 at 04:06:35PM -0500, Eric W. Biederman wrote:
>> Casey Schaufler <casey@schaufler-ca.com> writes:
>>
>>> On 7/15/2015 12:46 PM, Seth Forshee wrote:
>>>> These are the first in a larger set of patches that I've been working on
>>>> (with help from Eric Biederman) to support mounting ext4 and fuse
>>>> filesystems from within user namespaces. I've pushed the full series to:
>>>>
>>>> git://kernel.ubuntu.com/sforshee/linux.git userns-mounts
>>>>
>>>> Taking the series as a whole, the strategy is to handle as much of the
>>>> heavy lifting as possible in the vfs so the filesystems don't have to
>>>> handle weird edge cases. If you look at the full series you'll find that
>>>> the changes in ext4 to support user namespace mounts turn out to be
>>>> fairly minimal (fuse is a bit more complicated though as it must deal
>>>> with translating ids for a userspace process which is running in pid and
>>>> user namespaces).
>>>>
>>>> The patches I'm sending today lay some of the groundwork in the vfs and
>>>> related code. They fall into two broad groups:
>>>>
>>>> 1. Patches 1-2 add s_user_ns and simplify MNT_NODEV handling. These are
>>>> pretty straightforward, and Eric has expressed interest in merging
>>>> these patches soon. Note that patch 2 won't apply cleanly without
>>>> Eric's noexec patches for proc and sys [1].
>>>>
>>>> 2. Patches 2-7 tighten down security for mounts with s_user_ns !=
>>>> &init_user_ns. This includes updates to how file caps and suid are
>>>> handled and LSM updates to ignore security labels on superblocks
>>>> from non-init namespaces.
>>>>
>>>> The LSM changes in particular may not be optimal, as I don't have a
>>>> lot of familiarity with this code, so I'd be especially appreciative
>>>> of review of these changes and suggestions on how to improve them.
>>> Lukasz Pawelczyk <l.pawelczyk@samsung.com> proposed
>>> LSM support in user namespaces ([RFC] lsm: namespace hooks)
>>> that make a whole lot more sense than just turning off
>>> the option of using labels on files. Gutting the ability
>>> to use MAC in a namespace is a step down the road of
>>> making MAC and namespaces incompatible.
>> This is not "turning off the option to use labels on files".
>>
>> This is supporting mounting filesystems like ext4 by unprivileged users
>> and not trusting the labels they set in the same way as we trust labels
>> on filesystems mounted by privileged users.
>>
>> The first step needs to be not trusting those labels and treating such
>> filesystems as filesystems without label support. I hope that is Seth
>> has implemented.
>>
>> In the long run we can do more interesting things with such filesystems
>> once the appropriate LSM policy is in place.
> Yes, this exactly. Right now it looks to me like the only safe thing to
> do with mounts from unprivileged users is to ignore the security labels,
> so that's what I'm trying to do with these changes. If there's some
> better thing to do, or some better way to do it, I'm more than happy to
> receive that feedback.
If you ignore Smack labels you get a system that is broken.
Without specifying Smack mount options (requires CAP_MAC_ADMIN)
all your files will be labeled with the floor ("_") label. Unless
you're running with the floor label (Smack systems generally don't)
there won't be anything you can write to. You will be able to read
everything, which is also something you're unlikely to want. Like
I said, broken.
Personally, I don't believe that the goal of supporting
unprivileged mounts is especially sane. I am willing to
be educated, but I don't see a rational solution.
> Seth
next prev parent reply other threads:[~2015-07-15 23:04 UTC|newest]
Thread overview: 232+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-15 19:46 [PATCH 0/7] Initial support for user namespace owned mounts Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 1/7] fs: Add user namesapace member to struct super_block Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-16 2:47 ` Eric W. Biederman
2015-07-16 2:47 ` Eric W. Biederman
2015-08-05 21:03 ` Seth Forshee
2015-08-05 21:03 ` Seth Forshee
2015-08-05 21:19 ` Eric W. Biederman
2015-08-05 21:19 ` Eric W. Biederman
2015-08-06 14:20 ` Seth Forshee
2015-08-06 14:20 ` Seth Forshee
2015-08-06 14:51 ` Stephen Smalley
2015-08-06 14:51 ` Stephen Smalley
2015-08-06 15:44 ` Seth Forshee
2015-08-06 15:44 ` Seth Forshee
2015-08-06 16:11 ` Stephen Smalley
2015-08-06 16:11 ` Stephen Smalley
2015-08-07 14:16 ` Seth Forshee
2015-08-07 14:16 ` Seth Forshee
2015-08-07 14:32 ` Seth Forshee
2015-08-07 14:32 ` Seth Forshee
2015-08-07 18:35 ` Casey Schaufler
2015-08-07 18:35 ` Casey Schaufler
2015-08-07 18:57 ` Seth Forshee
2015-08-07 18:57 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 2/7] userns: Simpilify MNT_NODEV handling Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 3/7] fs: Ignore file caps in mounts from other user namespaces Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 21:48 ` Serge E. Hallyn
2015-07-15 21:48 ` Serge E. Hallyn
2015-07-15 21:50 ` Andy Lutomirski
2015-07-15 21:50 ` Andy Lutomirski
2015-07-15 22:35 ` Eric W. Biederman
2015-07-15 22:35 ` Eric W. Biederman
2015-07-16 1:14 ` Seth Forshee
2015-07-16 1:14 ` Seth Forshee
2015-07-16 1:23 ` Andy Lutomirski
2015-07-16 1:23 ` Andy Lutomirski
2015-07-16 13:06 ` Seth Forshee
2015-07-16 13:06 ` Seth Forshee
2015-07-16 1:19 ` Andy Lutomirski
2015-07-16 1:19 ` Andy Lutomirski
2015-07-16 4:23 ` Eric W. Biederman
2015-07-16 4:23 ` Eric W. Biederman
2015-07-16 4:49 ` Andy Lutomirski
2015-07-16 4:49 ` Andy Lutomirski
2015-07-16 5:04 ` Eric W. Biederman
2015-07-16 5:04 ` Eric W. Biederman
2015-07-16 5:15 ` Andy Lutomirski
2015-07-16 5:15 ` Andy Lutomirski
2015-07-16 5:44 ` Eric W. Biederman
2015-07-16 5:44 ` Eric W. Biederman
2015-07-16 13:13 ` Seth Forshee
2015-07-16 13:13 ` Seth Forshee
2015-07-17 0:43 ` Eric W. Biederman
2015-07-17 0:43 ` Eric W. Biederman
2015-07-29 16:04 ` Serge E. Hallyn
2015-07-29 16:04 ` Serge E. Hallyn
2015-07-29 16:18 ` Serge E. Hallyn
2015-07-29 16:18 ` Serge E. Hallyn
2015-07-15 19:46 ` [PATCH 4/7] fs: Treat foreign mounts as nosuid Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-17 6:46 ` Nikolay Borisov
2015-07-17 6:46 ` Nikolay Borisov
2015-07-15 19:46 ` [PATCH 5/7] security: Restrict security attribute updates for userns mounts Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 6/7] selinux: Ignore security labels on user namespace mounts Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-16 13:23 ` Stephen Smalley
2015-07-22 16:02 ` Stephen Smalley
2015-07-22 16:14 ` Seth Forshee
2015-07-22 16:14 ` Seth Forshee
2015-07-22 20:25 ` Stephen Smalley
2015-07-22 20:25 ` Stephen Smalley
2015-07-22 20:40 ` Stephen Smalley
2015-07-22 20:40 ` Stephen Smalley
2015-07-23 13:57 ` Stephen Smalley
2015-07-23 13:57 ` Stephen Smalley
2015-07-23 14:39 ` Seth Forshee
2015-07-23 14:39 ` Seth Forshee
2015-07-23 15:36 ` Stephen Smalley
2015-07-23 15:36 ` Stephen Smalley
2015-07-23 16:23 ` Seth Forshee
2015-07-23 16:23 ` Seth Forshee
2015-07-24 15:11 ` Seth Forshee
2015-07-24 15:11 ` Seth Forshee
2015-07-30 15:57 ` Stephen Smalley
2015-07-30 15:57 ` Stephen Smalley
2015-07-30 16:24 ` Seth Forshee
2015-07-30 16:24 ` Seth Forshee
2015-07-15 19:46 ` [PATCH 7/7] smack: Don't use security labels for " Seth Forshee
2015-07-15 19:46 ` Seth Forshee
2015-07-15 20:43 ` Casey Schaufler
2015-07-15 20:43 ` Casey Schaufler
2015-07-15 20:36 ` [PATCH 0/7] Initial support for user namespace owned mounts Casey Schaufler
2015-07-15 20:36 ` Casey Schaufler
2015-07-15 21:06 ` Eric W. Biederman
2015-07-15 21:06 ` Eric W. Biederman
2015-07-15 21:48 ` Seth Forshee
2015-07-15 21:48 ` Seth Forshee
2015-07-15 22:28 ` Eric W. Biederman
2015-07-15 22:28 ` Eric W. Biederman
2015-07-16 1:05 ` Andy Lutomirski
2015-07-16 1:05 ` Andy Lutomirski
2015-07-16 2:20 ` Eric W. Biederman
2015-07-16 2:20 ` Eric W. Biederman
2015-07-16 13:12 ` Stephen Smalley
2015-07-16 13:12 ` Stephen Smalley
2015-07-15 23:04 ` Casey Schaufler [this message]
2015-07-15 23:04 ` Casey Schaufler
2015-07-15 22:39 ` Casey Schaufler
2015-07-15 22:39 ` Casey Schaufler
2015-07-16 1:08 ` Andy Lutomirski
2015-07-16 1:08 ` Andy Lutomirski
2015-07-16 2:54 ` Casey Schaufler
2015-07-16 2:54 ` Casey Schaufler
2015-07-16 4:47 ` Eric W. Biederman
2015-07-16 4:47 ` Eric W. Biederman
2015-07-17 0:09 ` Dave Chinner
2015-07-17 0:09 ` Dave Chinner
2015-07-17 0:42 ` Eric W. Biederman
2015-07-17 0:42 ` Eric W. Biederman
2015-07-17 2:47 ` Dave Chinner
2015-07-17 2:47 ` Dave Chinner
2015-07-21 17:37 ` J. Bruce Fields
2015-07-21 17:37 ` J. Bruce Fields
2015-07-22 7:56 ` Dave Chinner
2015-07-22 7:56 ` Dave Chinner
2015-07-22 14:09 ` J. Bruce Fields
2015-07-22 14:09 ` J. Bruce Fields
2015-07-22 16:52 ` Austin S Hemmelgarn
2015-07-22 16:52 ` Austin S Hemmelgarn
2015-07-22 17:41 ` J. Bruce Fields
2015-07-22 17:41 ` J. Bruce Fields
2015-07-23 1:51 ` Dave Chinner
2015-07-23 1:51 ` Dave Chinner
2015-07-23 13:19 ` J. Bruce Fields
2015-07-23 13:19 ` J. Bruce Fields
2015-07-23 23:48 ` Dave Chinner
2015-07-23 23:48 ` Dave Chinner
2015-07-18 0:07 ` Serge E. Hallyn
2015-07-18 0:07 ` Serge E. Hallyn
2015-07-20 17:54 ` Colin Walters
2015-07-20 17:54 ` Colin Walters
2015-07-16 11:16 ` Lukasz Pawelczyk
2015-07-16 11:16 ` Lukasz Pawelczyk
2015-07-17 0:10 ` Eric W. Biederman
2015-07-17 0:10 ` Eric W. Biederman
2015-07-17 10:13 ` Lukasz Pawelczyk
2015-07-17 10:13 ` Lukasz Pawelczyk
2015-07-16 3:15 ` Eric W. Biederman
2015-07-16 3:15 ` Eric W. Biederman
2015-07-16 13:59 ` Seth Forshee
2015-07-16 13:59 ` Seth Forshee
2015-07-16 15:09 ` Casey Schaufler
2015-07-16 15:09 ` Casey Schaufler
2015-07-16 18:57 ` Seth Forshee
2015-07-16 18:57 ` Seth Forshee
2015-07-16 21:42 ` Casey Schaufler
2015-07-16 21:42 ` Casey Schaufler
2015-07-16 22:27 ` Andy Lutomirski
2015-07-16 22:27 ` Andy Lutomirski
2015-07-16 23:08 ` Casey Schaufler
2015-07-16 23:08 ` Casey Schaufler
2015-07-16 23:29 ` Andy Lutomirski
2015-07-16 23:29 ` Andy Lutomirski
2015-07-17 0:45 ` Casey Schaufler
2015-07-17 0:45 ` Casey Schaufler
2015-07-17 0:59 ` Andy Lutomirski
2015-07-17 0:59 ` Andy Lutomirski
2015-07-17 14:28 ` Serge E. Hallyn
2015-07-17 14:28 ` Serge E. Hallyn
2015-07-17 14:56 ` Seth Forshee
2015-07-17 14:56 ` Seth Forshee
2015-07-21 20:35 ` Seth Forshee
2015-07-21 20:35 ` Seth Forshee
2015-07-22 1:52 ` Casey Schaufler
2015-07-22 1:52 ` Casey Schaufler
2015-07-22 15:56 ` Seth Forshee
2015-07-22 15:56 ` Seth Forshee
2015-07-22 18:10 ` Casey Schaufler
2015-07-22 18:10 ` Casey Schaufler
2015-07-22 19:32 ` Seth Forshee
2015-07-22 19:32 ` Seth Forshee
2015-07-23 0:05 ` Casey Schaufler
2015-07-23 0:05 ` Casey Schaufler
2015-07-23 0:15 ` Eric W. Biederman
2015-07-23 0:15 ` Eric W. Biederman
2015-07-23 5:15 ` Seth Forshee
2015-07-23 5:15 ` Seth Forshee
2015-07-23 21:48 ` Casey Schaufler
2015-07-23 21:48 ` Casey Schaufler
2015-07-28 20:40 ` Seth Forshee
2015-07-28 20:40 ` Seth Forshee
2015-07-30 16:18 ` Casey Schaufler
2015-07-30 16:18 ` Casey Schaufler
2015-07-30 17:05 ` Eric W. Biederman
2015-07-30 17:05 ` Eric W. Biederman
2015-07-30 17:25 ` Seth Forshee
2015-07-30 17:25 ` Seth Forshee
2015-07-30 17:33 ` Eric W. Biederman
2015-07-30 17:33 ` Eric W. Biederman
2015-07-17 13:21 ` Seth Forshee
2015-07-17 13:21 ` Seth Forshee
2015-07-17 17:14 ` Casey Schaufler
2015-07-17 17:14 ` Casey Schaufler
2015-07-16 15:59 ` Seth Forshee
2015-07-16 15:59 ` Seth Forshee
2015-07-30 4:24 Amir Goldstein
2015-07-30 4:24 ` Amir Goldstein
2015-07-30 13:55 ` Seth Forshee
2015-07-30 13:55 ` Seth Forshee
2015-07-30 14:47 ` Amir Goldstein
2015-07-30 14:47 ` Amir Goldstein
2015-07-30 15:33 ` Casey Schaufler
2015-07-30 15:33 ` Casey Schaufler
2015-07-30 15:52 ` Colin Walters
2015-07-30 15:52 ` Colin Walters
2015-07-30 16:15 ` Eric W. Biederman
2015-07-30 16:15 ` Eric W. Biederman
2015-07-30 13:57 ` Serge Hallyn
2015-07-30 13:57 ` Serge Hallyn
2015-07-30 15:09 ` Amir Goldstein
2015-07-30 15:09 ` Amir Goldstein
2015-07-31 8:11 Amir Goldstein
2015-07-31 8:11 ` Amir Goldstein
2015-07-31 19:56 ` Casey Schaufler
2015-07-31 19:56 ` Casey Schaufler
2015-08-01 17:01 ` Amir Goldstein
2015-08-01 17:01 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55A6E708.2050405@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=seth.forshee@canonical.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.