From: "Serge E. Hallyn"
To: "Serge E. Hallyn"
Cc: "Eric W. Biederman", Andy Lutomirski, Seth Forshee, Alexander Viro, Serge Hallyn, James Morris, Linux FS Devel, LSM List, SELinux-NSA, "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH 3/7] fs: Ignore file caps in mounts from other user namespaces
Date: Wed, 29 Jul 2015 11:18:06 -0500
Message-ID: <20150729161806.GB21625@mail.hallyn.com>
In-Reply-To: <20150729160450.GA21625@mail.hallyn.com>
References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com> <1436989569-69582-4-git-send-email-seth.forshee@canonical.com> <20150715214848.GA24204@mail.hallyn.com> <87wpy1camr.fsf@x220.int.ebiederm.org> <87io9kzq5g.fsf@x220.int.ebiederm.org> <87wpy0u1zo.fsf@x220.int.ebiederm.org> <20150729160450.GA21625@mail.hallyn.com>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Wed, Jul 29, 2015 at 11:04:50AM -0500, Serge E. Hallyn wrote:
> On Thu, Jul 16, 2015 at 12:04:43AM -0500, Eric W. Biederman wrote:
> > > I tend to think that, if we're not honoring the fcaps, we shouldn't be
> > > honoring the setuid bit either. After all, it's really not a trusted
> > > file, even though the only user who could have messed with it really
> > > is the apparent owner.
> >
> > For the file caps we can't honor them because you don't have the bits
> > in struct cred.
> >
> > For setuid we can honor it, and setuid is something that the user
> > namespace allows.
>
> Setuid is something explicitly tied to the user id. File capabilities
> are MAC, that is, explicitly orthogonal to user id. So 100% agreed with
> honoring setuid in user_ns and, for now, ignoring file caps.

Hm. No. Seems like both should be fine when current is in the mounter's
user_ns, and ignored otherwise. (The below is still needed :)

> As I've mentioned a few times privately, I'm intending to implement
> user-namespaced file capabilities as a new xattr. Design is not 100%
> nailed down, but probably it would support a set of userns_fcaps, each
> of which lists the k_uid of the root user in the namespace assigning the
> filecaps, followed by three sets. Then when exec()ing the file, if
> the current->userns->root user has a userns_fcap entry, or there is a -1
> entry, then use that, else use nothing. I think this is a very important
> thing to support, to remove a barrier to shipping packages with software
> using filecaps. Without this, any package, say ping, which wants to
> support being installed in a (unprivileged) container would need to also
> support use without filecaps, meaning that will likely be the only
> supported mode.
>
> -serge
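Editor's added example (not code from the thread, the patch series, or the kernel): a small userspace model of the two rules discussed above. The first rule is Serge's "honor setuid and fcaps only when current is in the mounter's user_ns, ignore both otherwise"; the second is the sketched userns_fcaps xattr, where each entry carries the k_uid of the root user that assigned the caps plus three capability sets, and exec() picks the entry for current->userns->root, falls back to a -1 entry, or uses nothing. Names such as `UserNs`, `UsernsFcap`, `select_fcaps`, the reading of "in the mounter's user_ns" as same-namespace-or-descendant, and the sample namespaces and xattr contents are all assumptions constructed for illustration.

```python
"""
Toy model of (1) when a mount's setuid bits and file caps are honoured at all
and (2) how a per-user-namespace fcaps xattr entry would be chosen at exec.
Everything here is illustrative userspace code, not the kernel's own logic.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ANY_ROOT = -1  # the "-1 entry" from the thread: applies to any user namespace


@dataclass(frozen=True)
class UserNs:
    name: str
    root_kuid: int                     # kernel uid that uid 0 in this ns maps to
    parent: Optional["UserNs"] = None  # None for the initial user namespace


def in_userns(ancestor: UserNs, ns: UserNs) -> bool:
    """True if ns is ancestor itself or nested beneath it (assumed reading of
    "current is in the mounter's user_ns")."""
    cur: Optional[UserNs] = ns
    while cur is not None:
        if cur is ancestor:
            return True
        cur = cur.parent
    return False


def honour_file_privileges(mounter_ns: UserNs, current_ns: UserNs) -> bool:
    """Setuid bits and file caps count only when the task exec()ing the file
    is in the user namespace of whoever mounted it; otherwise both are ignored."""
    return in_userns(mounter_ns, current_ns)


@dataclass(frozen=True)
class UsernsFcap:
    root_kuid: int          # k_uid of root in the namespace that set the caps, or ANY_ROOT
    permitted: frozenset
    inheritable: frozenset
    effective: frozenset


def select_fcaps(entries: Iterable[UsernsFcap], current_ns: UserNs) -> Optional[UsernsFcap]:
    """Pick the entry for current->userns->root; fall back to a -1 entry;
    otherwise return None so the binary runs with no file caps at all."""
    wildcard: Optional[UsernsFcap] = None
    for e in entries:
        if e.root_kuid == current_ns.root_kuid:
            return e                      # exact match wins over the wildcard
        if e.root_kuid == ANY_ROOT and wildcard is None:
            wildcard = e
    return wildcard


def caps_at_exec(mounter_ns: UserNs, current_ns: UserNs,
                 entries: Iterable[UsernsFcap]) -> Optional[UsernsFcap]:
    """Both rules together: on a mount from an unrelated namespace the xattr
    is never even consulted."""
    if not honour_file_privileges(mounter_ns, current_ns):
        return None
    return select_fcaps(entries, current_ns)


# Constructed sample: the initial namespace, a container whose root maps to
# kuid 100000, and an unrelated container whose root maps to kuid 200000.
INIT_NS = UserNs("init", 0)
CONTAINER_A = UserNs("ctrA", 100000, INIT_NS)
CONTAINER_B = UserNs("ctrB", 200000, INIT_NS)

# Constructed xattr contents for a ping-like binary. First: packaged inside
# container A only, so only A's root assigned CAP_NET_RAW. Second: the same
# plus a -1 entry, so any namespace gets the caps.
PING_ENTRIES = (
    UsernsFcap(100000, frozenset({"CAP_NET_RAW"}), frozenset(), frozenset({"CAP_NET_RAW"})),
)
PING_ENTRIES_WITH_ANY = PING_ENTRIES + (
    UsernsFcap(ANY_ROOT, frozenset({"CAP_NET_RAW"}), frozenset(), frozenset()),
)

if __name__ == "__main__":
    print(caps_at_exec(CONTAINER_A, CONTAINER_A, PING_ENTRIES))       # A's own entry
    print(caps_at_exec(CONTAINER_A, CONTAINER_B, PING_ENTRIES))       # None: other mounter
    print(caps_at_exec(INIT_NS, CONTAINER_B, PING_ENTRIES))           # None: no entry for B
    print(caps_at_exec(INIT_NS, CONTAINER_B, PING_ENTRIES_WITH_ANY))  # the -1 entry
```

The third call is the packaging problem the mail describes: a binary whose xattr only carries the packager's own root kuid silently loses its caps in every other namespace, which is why a -1 entry (or an entry per namespace) is what makes filecaps-only packages viable in unprivileged containers.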