From mboxrd@z Thu Jan 1 00:00:00 1970
From: Vivek Goyal
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
Date: Mon, 17 Jul 2017 14:58:11 -0400
Message-ID: <20170717185811.GC15794@redhat.com>
References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com> <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
In-Reply-To: <1499785511-17192-2-git-send-email-stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: Stefan Berger
Cc: lkp-JC7UmRfGjtg@public.gmane.org, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org, casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org
List-Id: containers.vger.kernel.org

On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:

[..]

> +/*
> + * xattr_list_userns_rewrite - Rewrite list of xattr names for user namespaces
> + * or determine needed size for attribute list
> + * in case size == 0
> + *
> + * In a user namespace we do not present all extended attributes to the
> + * user. We filter out those that are in the list of userns supported xattr.
> + * Besides that we filter out those with @uid= when there is no mapping
> + * for that uid in the current user namespace.
> + *
> + * @list: list of 0-byte separated xattr names
> + * @size: the size of the list; may be 0 to determine needed list size
> + * @list_maxlen: allocated buffer size of list
> + */
> +static ssize_t
> +xattr_list_userns_rewrite(char *list, ssize_t size, size_t list_maxlen)
> +{
> +	char *nlist = NULL;
> +	size_t s_off, len, nlen;
> +	ssize_t d_off;
> +	char *name, *newname;
> +
> +	if (!list || size < 0 || current_user_ns() == &init_user_ns)

size will never be less than 0 here. The only caller calls this function
only if size is > 0. So can we remove this?

What about the case of "!list"? So if user space called listxattr(foo, NULL, 0),
we want to return the size of buffer as if all the xattrs will be returned
to user space. But in practice we probably will filter out some xattrs, so
the actually returned string will be smaller than the size reported previously.
Looks like that's the intent of the "!list" condition here.

Just wanted to make sure, hence asking.

BTW, I am testing this with overlayfs and trying to figure out if switching
of creds will create issues. Simple operations like listxattr and getxattr
and setxattr so far worked for me. And the reason seems to be that the name
transformation we are doing in the top layer is based on creds of the caller
(and not based on creds of the mounter).
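Review bot: the doc comment's description of what is filtered is ambiguous and should state the direction explicitly. "We filter out those that are in the list of userns supported xattr" reads as if the supported names are the ones removed, while the next sentence says the "@uid=" variants are removed only when the uid has no mapping in the current user namespace; the name that carries the "@uid=" suffix is also missing from that sentence. Spell out which names are passed through unchanged, which are rewritten, and which are dropped, and, since the header promises a size computation for "size == 0", say what the function returns when "list" is NULL and it takes the early return on "!list", so that callers sizing a buffer from the probe know the later copy-out may be shorter.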
Vivek
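The following is an added userspace model of what the quoted doc comment describes, written for this page; it is not code from Stefan Berger's patch or from the kernel, whose actual rewrite logic is not visible here. It walks a listxattr(2)-style 0-byte separated name list, hides "security.capability@uid=N" entries whose uid is not mapped, presents mapped ones under the bare name, and treats a NULL list as the size probe Vivek asks about, returning the unfiltered size. The uid range used for the map, the "@uid=" name format, the sample list, and the helper names are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <sys/types.h>

/* Constructed stand-in for the current user namespace's uid map
 * (assumption for this example): host uids MAP_BASE .. MAP_BASE+MAP_LEN-1
 * are mapped into the namespace, everything else is not. */
#define MAP_BASE 100000UL
#define MAP_LEN  1000UL

static bool uid_is_mapped(unsigned long kuid)
{
	return kuid >= MAP_BASE && kuid < MAP_BASE + MAP_LEN;
}

/* Assumed stored name format: security.capability@uid=<kuid> */
#define CAP_NAME   "security.capability"
#define CAP_PREFIX CAP_NAME "@uid="

/*
 * Rewrite a 0-byte separated name list in place:
 *   security.capability@uid=N, N mapped    -> security.capability
 *   security.capability@uid=N, N unmapped  -> dropped
 *   anything else                          -> kept verbatim
 * Returns the rewritten length, or -1 if a name is not NUL-terminated.
 * With list == NULL (the listxattr(path, NULL, 0) size probe) size is
 * returned unchanged: the probe reports the unfiltered size, so the
 * list copied out by a later call may be shorter than what was reported.
 * A plain security.capability already in the list is not merged with a
 * rewritten one; this model does no de-duplication.
 */
static ssize_t xattr_list_userns_rewrite(char *list, ssize_t size)
{
	size_t s_off = 0, d_off = 0;
	const size_t plen = strlen(CAP_PREFIX);

	if (!list || size <= 0)
		return size;

	while (s_off < (size_t)size) {
		const char *name = list + s_off;
		const char *nul = memchr(name, '\0', (size_t)size - s_off);
		const char *out = name;
		size_t len, outlen;

		if (!nul)
			return -1;
		len = outlen = (size_t)(nul - name);

		if (len >= plen && !strncmp(name, CAP_PREFIX, plen)) {
			char *end;
			unsigned long kuid = strtoul(name + plen, &end, 10);

			if (end == name + plen || *end != '\0' || !uid_is_mapped(kuid)) {
				out = NULL;            /* malformed or unmapped: hide */
			} else {
				out = CAP_NAME;        /* mapped: present the bare name */
				outlen = strlen(CAP_NAME);
			}
		}
		if (out) {
			/* d_off <= s_off, so writing forward never clobbers unread input */
			memmove(list + d_off, out, outlen);
			list[d_off + outlen] = '\0';
			d_off += outlen + 1;
		}
		s_off += len + 1;
	}
	return (ssize_t)d_off;
}

/* Constructed sample listxattr(2) result (not captured from a real fs). */
static const char sample_list[] =
	"user.foo\0"
	"security.capability@uid=100000\0"   /* mapped: shown as security.capability */
	"security.capability@uid=200000\0"   /* unmapped: hidden */
	"security.selinux\0"
	"security.capability@uid=abc\0";     /* malformed: hidden */
#define SAMPLE_SIZE (sizeof(sample_list) - 1)

static const char expected_list[] =
	"user.foo\0security.capability\0security.selinux\0";
#define EXPECTED_SIZE (sizeof(expected_list) - 1)

/* Runs the rewrite over a copy of the sample; returns the new length,
 * or -1 if the rewritten bytes differ from expected_list. */
static ssize_t run_sample(void)
{
	char buf[sizeof(sample_list)];
	ssize_t n;

	memcpy(buf, sample_list, sizeof(sample_list));
	n = xattr_list_userns_rewrite(buf, (ssize_t)SAMPLE_SIZE);
	if (n != (ssize_t)EXPECTED_SIZE || memcmp(buf, expected_list, EXPECTED_SIZE))
		return -1;
	return n;
}

int main(void)
{
	char buf[sizeof(sample_list)];
	ssize_t n, off = 0;

	memcpy(buf, sample_list, sizeof(sample_list));
	printf("size probe (NULL list) reports %zd bytes\n",
	       xattr_list_userns_rewrite(NULL, (ssize_t)SAMPLE_SIZE));
	n = xattr_list_userns_rewrite(buf, (ssize_t)SAMPLE_SIZE);
	printf("rewritten list is %zd bytes:\n", n);
	while (off < n) {
		printf("  %s\n", buf + off);
		off += (ssize_t)strlen(buf + off) + 1;
	}
	return run_sample() == (ssize_t)EXPECTED_SIZE ? 0 : 1;
}
```

The practical consequence for callers is the one Vivek spells out: a program that sizes its buffer from listxattr(path, NULL, 0) must walk the list using the length returned by the second call, not the probe value, because filtering can make the real list shorter than the size that was reported.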