From: Andy Lutomirski <luto@amacapital.net> To: Casey Schaufler <casey@schaufler-ca.com> Cc: Seth Forshee <seth.forshee@canonical.com>, "Eric W. Biederman" <ebiederm@xmission.com>, Alexander Viro <viro@zeniv.linux.org.uk>, Linux FS Devel <linux-fsdevel@vger.kernel.org>, LSM List <linux-security-module@vger.kernel.org>, SELinux-NSA <selinux@tycho.nsa.gov>, Serge Hallyn <serge.hallyn@canonical.com>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org> Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts Date: Thu, 16 Jul 2015 17:59:22 -0700 [thread overview] Message-ID: <CALCETrUTgfRzzdk3T0wZASSE+KC9S+kmyZbD6-xStS2RRaGiBw@mail.gmail.com> (raw) In-Reply-To: <55A85041.2070301@schaufler-ca.com> On Thu, Jul 16, 2015 at 5:45 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: > On 7/16/2015 4:29 PM, Andy Lutomirski wrote: >> I really don't see the benefit of making up extra rules that apply to >> users outside a userns who try to access specifically a filesystem >> with backing store. They wouldn't make sense for filesystems without >> backing store. > > Sure it would. For Smack, it would be the label a file would be > created with, which would be the label of the process creating > the memory based filesystem. For SELinux the rules are more a > touch more sophisticated, but I'm sure that Paul or Stephen could > come up with how to determine it. > > The point, looping all the way back to the beginning, where we > were talking about just ignoring the labels on the filesystem, > is that if you use the same Smack label on the files in the > filesystem as the backing store file has, we'll all be happy. > If that label isn't something user can write to, he won't be > able to write to the mounted objects, either. If there is no > backing store then use the label of the process creating the > filesystem, which will be the user, which will mean everything > will work hunky dory. > > Yes, there's work involved, but I doubt there's a lot. Getting > the label from the backing store or the creating process is > simple enough. > So what if Smack used the label of the user creating the filesystem even for filesystems with backing store? IMO this ought to be doable with the LSM hooks -- it certainly seems reasonable for the LSM to be aware of who created a filesystem. In fact, I'd argue that if Smack can't do this with the proposed LSM hooks, then the hooks are insufficient. Presumably Smack could also figure out what was mounted, but keep in mind that there are filesystems like ntfs-3g out there. While ntfs-3g logically has backing store, I don't think the kernel actually knows about it. > >>>>> If you can mount a filesystem such that the labels are ignored you >>>>> are effectively specifying that the Smack label on the files be >>>>> determined by the defaulting rules. With CAP_MAC_ADMIN that's fine. >>>>> Without it, it's not. >>>> Can you explain what the threat model is here? I don't see what it is >>>> that you're trying to prevent. >>> Um, OK. >>> The filesystem has files with a hundred different Smack labels on it. >>> I mount it as an unlabeled filesystem and everything is readable by >>> everyone. Bad jojo. >> I still don't understand. If it's a filesystem backed by a file that >> Seth has RW access to, then Seth can read everything on it, full stop. >> The security labels in the filesystem are irrelevant. > > Well, they can't be trusted, if that's what you mean. > That's why I'm saying that the objects exposed by mounting > this backing store need to be treated with the same security > attributes as the backing store. Fudge it for DAC if you are > so inclined, but I think it's the right way to go for MAC. > >> This is like saying that, if you put restrictive labels in the >> filesystem that lives on /dev/sda2 and give Seth ownership of >> /dev/sda2, then you expect Seth to be unable to bypass the policy >> specifies by your labels. > > Consider the Smack label on /dev/sda2. Smack does not care > who owns it, just what the Smack label is. Just like on > ~/seth/myfs. The backing store "object" is /dev/sda2 in the > one case, ~/seth/myfs in the other, and something in the ether > for a memory based filesystem. So long as the labels of the > files exposed on the mount point match those of the backing > store "object", Smack is going to be happy. Since you're > running without privilege, you can't change the labels on > the files. > > Now Seth, being the sneaky person that he is, could change > the Smack labels on the files in the backing store while it's > offline. Since he has access to the backing store, he can't > give himself more access by changing the labels within the > filesystem. He can give himself less, but I'm OK with that. > >> Or maybe I'm misunderstanding you. > > Probably, but I'm undoubtedly doing the same. > > If you're going to be at LinuxCon in Seattle we should > continue this discussion over the beverage of your choice. There's a small but not quite zero chance I'll be there. I'll probably be in Seoul. It's too bad that LSS and KS are in different places this year. --Andy
WARNING: multiple messages have this Message-ID (diff)
From: Andy Lutomirski <luto@amacapital.net> To: Casey Schaufler <casey@schaufler-ca.com> Cc: Serge Hallyn <serge.hallyn@canonical.com>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, Seth Forshee <seth.forshee@canonical.com>, LSM List <linux-security-module@vger.kernel.org>, SELinux-NSA <selinux@tycho.nsa.gov>, Linux FS Devel <linux-fsdevel@vger.kernel.org>, Alexander Viro <viro@zeniv.linux.org.uk> Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts Date: Thu, 16 Jul 2015 17:59:22 -0700 [thread overview] Message-ID: <CALCETrUTgfRzzdk3T0wZASSE+KC9S+kmyZbD6-xStS2RRaGiBw@mail.gmail.com> (raw) In-Reply-To: <55A85041.2070301@schaufler-ca.com> On Thu, Jul 16, 2015 at 5:45 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: > On 7/16/2015 4:29 PM, Andy Lutomirski wrote: >> I really don't see the benefit of making up extra rules that apply to >> users outside a userns who try to access specifically a filesystem >> with backing store. They wouldn't make sense for filesystems without >> backing store. > > Sure it would. For Smack, it would be the label a file would be > created with, which would be the label of the process creating > the memory based filesystem. For SELinux the rules are more a > touch more sophisticated, but I'm sure that Paul or Stephen could > come up with how to determine it. > > The point, looping all the way back to the beginning, where we > were talking about just ignoring the labels on the filesystem, > is that if you use the same Smack label on the files in the > filesystem as the backing store file has, we'll all be happy. > If that label isn't something user can write to, he won't be > able to write to the mounted objects, either. If there is no > backing store then use the label of the process creating the > filesystem, which will be the user, which will mean everything > will work hunky dory. > > Yes, there's work involved, but I doubt there's a lot. Getting > the label from the backing store or the creating process is > simple enough. > So what if Smack used the label of the user creating the filesystem even for filesystems with backing store? IMO this ought to be doable with the LSM hooks -- it certainly seems reasonable for the LSM to be aware of who created a filesystem. In fact, I'd argue that if Smack can't do this with the proposed LSM hooks, then the hooks are insufficient. Presumably Smack could also figure out what was mounted, but keep in mind that there are filesystems like ntfs-3g out there. While ntfs-3g logically has backing store, I don't think the kernel actually knows about it. > >>>>> If you can mount a filesystem such that the labels are ignored you >>>>> are effectively specifying that the Smack label on the files be >>>>> determined by the defaulting rules. With CAP_MAC_ADMIN that's fine. >>>>> Without it, it's not. >>>> Can you explain what the threat model is here? I don't see what it is >>>> that you're trying to prevent. >>> Um, OK. >>> The filesystem has files with a hundred different Smack labels on it. >>> I mount it as an unlabeled filesystem and everything is readable by >>> everyone. Bad jojo. >> I still don't understand. If it's a filesystem backed by a file that >> Seth has RW access to, then Seth can read everything on it, full stop. >> The security labels in the filesystem are irrelevant. > > Well, they can't be trusted, if that's what you mean. > That's why I'm saying that the objects exposed by mounting > this backing store need to be treated with the same security > attributes as the backing store. Fudge it for DAC if you are > so inclined, but I think it's the right way to go for MAC. > >> This is like saying that, if you put restrictive labels in the >> filesystem that lives on /dev/sda2 and give Seth ownership of >> /dev/sda2, then you expect Seth to be unable to bypass the policy >> specifies by your labels. > > Consider the Smack label on /dev/sda2. Smack does not care > who owns it, just what the Smack label is. Just like on > ~/seth/myfs. The backing store "object" is /dev/sda2 in the > one case, ~/seth/myfs in the other, and something in the ether > for a memory based filesystem. So long as the labels of the > files exposed on the mount point match those of the backing > store "object", Smack is going to be happy. Since you're > running without privilege, you can't change the labels on > the files. > > Now Seth, being the sneaky person that he is, could change > the Smack labels on the files in the backing store while it's > offline. Since he has access to the backing store, he can't > give himself more access by changing the labels within the > filesystem. He can give himself less, but I'm OK with that. > >> Or maybe I'm misunderstanding you. > > Probably, but I'm undoubtedly doing the same. > > If you're going to be at LinuxCon in Seattle we should > continue this discussion over the beverage of your choice. There's a small but not quite zero chance I'll be there. I'll probably be in Seoul. It's too bad that LSS and KS are in different places this year. --Andy
next prev parent reply other threads:[~2015-07-17 0:59 UTC|newest] Thread overview: 232+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-07-15 19:46 [PATCH 0/7] Initial support for user namespace owned mounts Seth Forshee 2015-07-15 19:46 ` Seth Forshee 2015-07-15 19:46 ` [PATCH 1/7] fs: Add user namesapace member to struct super_block Seth Forshee 2015-07-15 19:46 ` Seth Forshee 2015-07-16 2:47 ` Eric W. Biederman 2015-07-16 2:47 ` Eric W. Biederman 2015-08-05 21:03 ` Seth Forshee 2015-08-05 21:03 ` Seth Forshee 2015-08-05 21:19 ` Eric W. Biederman 2015-08-05 21:19 ` Eric W. Biederman 2015-08-06 14:20 ` Seth Forshee 2015-08-06 14:20 ` Seth Forshee 2015-08-06 14:51 ` Stephen Smalley 2015-08-06 14:51 ` Stephen Smalley 2015-08-06 15:44 ` Seth Forshee 2015-08-06 15:44 ` Seth Forshee 2015-08-06 16:11 ` Stephen Smalley 2015-08-06 16:11 ` Stephen Smalley 2015-08-07 14:16 ` Seth Forshee 2015-08-07 14:16 ` Seth Forshee 2015-08-07 14:32 ` Seth Forshee 2015-08-07 14:32 ` Seth Forshee 2015-08-07 18:35 ` Casey Schaufler 2015-08-07 18:35 ` Casey Schaufler 2015-08-07 18:57 ` Seth Forshee 2015-08-07 18:57 ` Seth Forshee 2015-07-15 19:46 ` [PATCH 2/7] userns: Simpilify MNT_NODEV handling Seth Forshee 2015-07-15 19:46 ` Seth Forshee 2015-07-15 19:46 ` [PATCH 3/7] fs: Ignore file caps in mounts from other user namespaces Seth Forshee 2015-07-15 19:46 ` Seth Forshee 2015-07-15 21:48 ` Serge E. Hallyn 2015-07-15 21:48 ` Serge E. Hallyn 2015-07-15 21:50 ` Andy Lutomirski 2015-07-15 21:50 ` Andy Lutomirski 2015-07-15 22:35 ` Eric W. Biederman 2015-07-15 22:35 ` Eric W. Biederman 2015-07-16 1:14 ` Seth Forshee 2015-07-16 1:14 ` Seth Forshee 2015-07-16 1:23 ` Andy Lutomirski 2015-07-16 1:23 ` Andy Lutomirski 2015-07-16 13:06 ` Seth Forshee 2015-07-16 13:06 ` Seth Forshee 2015-07-16 1:19 ` Andy Lutomirski 2015-07-16 1:19 ` Andy Lutomirski 2015-07-16 4:23 ` Eric W. Biederman 2015-07-16 4:23 ` Eric W. Biederman 2015-07-16 4:49 ` Andy Lutomirski 2015-07-16 4:49 ` Andy Lutomirski 2015-07-16 5:04 ` Eric W. Biederman 2015-07-16 5:04 ` Eric W. Biederman 2015-07-16 5:15 ` Andy Lutomirski 2015-07-16 5:15 ` Andy Lutomirski 2015-07-16 5:44 ` Eric W. Biederman 2015-07-16 5:44 ` Eric W. Biederman 2015-07-16 13:13 ` Seth Forshee 2015-07-16 13:13 ` Seth Forshee 2015-07-17 0:43 ` Eric W. Biederman 2015-07-17 0:43 ` Eric W. Biederman 2015-07-29 16:04 ` Serge E. Hallyn 2015-07-29 16:04 ` Serge E. Hallyn 2015-07-29 16:18 ` Serge E. Hallyn 2015-07-29 16:18 ` Serge E. Hallyn 2015-07-15 19:46 ` [PATCH 4/7] fs: Treat foreign mounts as nosuid Seth Forshee 2015-07-15 19:46 ` Seth Forshee 2015-07-17 6:46 ` Nikolay Borisov 2015-07-17 6:46 ` Nikolay Borisov 2015-07-15 19:46 ` [PATCH 5/7] security: Restrict security attribute updates for userns mounts Seth Forshee 2015-07-15 19:46 ` Seth Forshee 2015-07-15 19:46 ` [PATCH 6/7] selinux: Ignore security labels on user namespace mounts Seth Forshee 2015-07-15 19:46 ` Seth Forshee 2015-07-16 13:23 ` Stephen Smalley 2015-07-22 16:02 ` Stephen Smalley 2015-07-22 16:14 ` Seth Forshee 2015-07-22 16:14 ` Seth Forshee 2015-07-22 20:25 ` Stephen Smalley 2015-07-22 20:25 ` Stephen Smalley 2015-07-22 20:40 ` Stephen Smalley 2015-07-22 20:40 ` Stephen Smalley 2015-07-23 13:57 ` Stephen Smalley 2015-07-23 13:57 ` Stephen Smalley 2015-07-23 14:39 ` Seth Forshee 2015-07-23 14:39 ` Seth Forshee 2015-07-23 15:36 ` Stephen Smalley 2015-07-23 15:36 ` Stephen Smalley 2015-07-23 16:23 ` Seth Forshee 2015-07-23 16:23 ` Seth Forshee 2015-07-24 15:11 ` Seth Forshee 2015-07-24 15:11 ` Seth Forshee 2015-07-30 15:57 ` Stephen Smalley 2015-07-30 15:57 ` Stephen Smalley 2015-07-30 16:24 ` Seth Forshee 2015-07-30 16:24 ` Seth Forshee 2015-07-15 19:46 ` [PATCH 7/7] smack: Don't use security labels for " Seth Forshee 2015-07-15 19:46 ` Seth Forshee 2015-07-15 20:43 ` Casey Schaufler 2015-07-15 20:43 ` Casey Schaufler 2015-07-15 20:36 ` [PATCH 0/7] Initial support for user namespace owned mounts Casey Schaufler 2015-07-15 20:36 ` Casey Schaufler 2015-07-15 21:06 ` Eric W. Biederman 2015-07-15 21:06 ` Eric W. Biederman 2015-07-15 21:48 ` Seth Forshee 2015-07-15 21:48 ` Seth Forshee 2015-07-15 22:28 ` Eric W. Biederman 2015-07-15 22:28 ` Eric W. Biederman 2015-07-16 1:05 ` Andy Lutomirski 2015-07-16 1:05 ` Andy Lutomirski 2015-07-16 2:20 ` Eric W. Biederman 2015-07-16 2:20 ` Eric W. Biederman 2015-07-16 13:12 ` Stephen Smalley 2015-07-16 13:12 ` Stephen Smalley 2015-07-15 23:04 ` Casey Schaufler 2015-07-15 23:04 ` Casey Schaufler 2015-07-15 22:39 ` Casey Schaufler 2015-07-15 22:39 ` Casey Schaufler 2015-07-16 1:08 ` Andy Lutomirski 2015-07-16 1:08 ` Andy Lutomirski 2015-07-16 2:54 ` Casey Schaufler 2015-07-16 2:54 ` Casey Schaufler 2015-07-16 4:47 ` Eric W. Biederman 2015-07-16 4:47 ` Eric W. Biederman 2015-07-17 0:09 ` Dave Chinner 2015-07-17 0:09 ` Dave Chinner 2015-07-17 0:42 ` Eric W. Biederman 2015-07-17 0:42 ` Eric W. Biederman 2015-07-17 2:47 ` Dave Chinner 2015-07-17 2:47 ` Dave Chinner 2015-07-21 17:37 ` J. Bruce Fields 2015-07-21 17:37 ` J. Bruce Fields 2015-07-22 7:56 ` Dave Chinner 2015-07-22 7:56 ` Dave Chinner 2015-07-22 14:09 ` J. Bruce Fields 2015-07-22 14:09 ` J. Bruce Fields 2015-07-22 16:52 ` Austin S Hemmelgarn 2015-07-22 16:52 ` Austin S Hemmelgarn 2015-07-22 17:41 ` J. Bruce Fields 2015-07-22 17:41 ` J. Bruce Fields 2015-07-23 1:51 ` Dave Chinner 2015-07-23 1:51 ` Dave Chinner 2015-07-23 13:19 ` J. Bruce Fields 2015-07-23 13:19 ` J. Bruce Fields 2015-07-23 23:48 ` Dave Chinner 2015-07-23 23:48 ` Dave Chinner 2015-07-18 0:07 ` Serge E. Hallyn 2015-07-18 0:07 ` Serge E. Hallyn 2015-07-20 17:54 ` Colin Walters 2015-07-20 17:54 ` Colin Walters 2015-07-16 11:16 ` Lukasz Pawelczyk 2015-07-16 11:16 ` Lukasz Pawelczyk 2015-07-17 0:10 ` Eric W. Biederman 2015-07-17 0:10 ` Eric W. Biederman 2015-07-17 10:13 ` Lukasz Pawelczyk 2015-07-17 10:13 ` Lukasz Pawelczyk 2015-07-16 3:15 ` Eric W. Biederman 2015-07-16 3:15 ` Eric W. Biederman 2015-07-16 13:59 ` Seth Forshee 2015-07-16 13:59 ` Seth Forshee 2015-07-16 15:09 ` Casey Schaufler 2015-07-16 15:09 ` Casey Schaufler 2015-07-16 18:57 ` Seth Forshee 2015-07-16 18:57 ` Seth Forshee 2015-07-16 21:42 ` Casey Schaufler 2015-07-16 21:42 ` Casey Schaufler 2015-07-16 22:27 ` Andy Lutomirski 2015-07-16 22:27 ` Andy Lutomirski 2015-07-16 23:08 ` Casey Schaufler 2015-07-16 23:08 ` Casey Schaufler 2015-07-16 23:29 ` Andy Lutomirski 2015-07-16 23:29 ` Andy Lutomirski 2015-07-17 0:45 ` Casey Schaufler 2015-07-17 0:45 ` Casey Schaufler 2015-07-17 0:59 ` Andy Lutomirski [this message] 2015-07-17 0:59 ` Andy Lutomirski 2015-07-17 14:28 ` Serge E. Hallyn 2015-07-17 14:28 ` Serge E. Hallyn 2015-07-17 14:56 ` Seth Forshee 2015-07-17 14:56 ` Seth Forshee 2015-07-21 20:35 ` Seth Forshee 2015-07-21 20:35 ` Seth Forshee 2015-07-22 1:52 ` Casey Schaufler 2015-07-22 1:52 ` Casey Schaufler 2015-07-22 15:56 ` Seth Forshee 2015-07-22 15:56 ` Seth Forshee 2015-07-22 18:10 ` Casey Schaufler 2015-07-22 18:10 ` Casey Schaufler 2015-07-22 19:32 ` Seth Forshee 2015-07-22 19:32 ` Seth Forshee 2015-07-23 0:05 ` Casey Schaufler 2015-07-23 0:05 ` Casey Schaufler 2015-07-23 0:15 ` Eric W. Biederman 2015-07-23 0:15 ` Eric W. Biederman 2015-07-23 5:15 ` Seth Forshee 2015-07-23 5:15 ` Seth Forshee 2015-07-23 21:48 ` Casey Schaufler 2015-07-23 21:48 ` Casey Schaufler 2015-07-28 20:40 ` Seth Forshee 2015-07-28 20:40 ` Seth Forshee 2015-07-30 16:18 ` Casey Schaufler 2015-07-30 16:18 ` Casey Schaufler 2015-07-30 17:05 ` Eric W. Biederman 2015-07-30 17:05 ` Eric W. Biederman 2015-07-30 17:25 ` Seth Forshee 2015-07-30 17:25 ` Seth Forshee 2015-07-30 17:33 ` Eric W. Biederman 2015-07-30 17:33 ` Eric W. Biederman 2015-07-17 13:21 ` Seth Forshee 2015-07-17 13:21 ` Seth Forshee 2015-07-17 17:14 ` Casey Schaufler 2015-07-17 17:14 ` Casey Schaufler 2015-07-16 15:59 ` Seth Forshee 2015-07-16 15:59 ` Seth Forshee 2015-07-30 4:24 Amir Goldstein 2015-07-30 4:24 ` Amir Goldstein 2015-07-30 13:55 ` Seth Forshee 2015-07-30 13:55 ` Seth Forshee 2015-07-30 14:47 ` Amir Goldstein 2015-07-30 14:47 ` Amir Goldstein 2015-07-30 15:33 ` Casey Schaufler 2015-07-30 15:33 ` Casey Schaufler 2015-07-30 15:52 ` Colin Walters 2015-07-30 15:52 ` Colin Walters 2015-07-30 16:15 ` Eric W. Biederman 2015-07-30 16:15 ` Eric W. Biederman 2015-07-30 13:57 ` Serge Hallyn 2015-07-30 13:57 ` Serge Hallyn 2015-07-30 15:09 ` Amir Goldstein 2015-07-30 15:09 ` Amir Goldstein 2015-07-31 8:11 Amir Goldstein 2015-07-31 8:11 ` Amir Goldstein 2015-07-31 19:56 ` Casey Schaufler 2015-07-31 19:56 ` Casey Schaufler 2015-08-01 17:01 ` Amir Goldstein 2015-08-01 17:01 ` Amir Goldstein
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CALCETrUTgfRzzdk3T0wZASSE+KC9S+kmyZbD6-xStS2RRaGiBw@mail.gmail.com \ --to=luto@amacapital.net \ --cc=casey@schaufler-ca.com \ --cc=ebiederm@xmission.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=selinux@tycho.nsa.gov \ --cc=serge.hallyn@canonical.com \ --cc=seth.forshee@canonical.com \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.