From: Vivek Goyal <vgoyal@redhat.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>,
dwalsh@redhat.com, "Schaufler, Casey" <casey.schaufler@intel.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"virtio-fs@redhat.com" <virtio-fs@redhat.com>,
"berrange@redhat.com" <berrange@redhat.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>
Subject: Re: [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE
Date: Tue, 29 Jun 2021 11:20:07 -0400 [thread overview]
Message-ID: <20210629152007.GC5231@redhat.com> (raw)
In-Reply-To: <e6f9ed0d-c101-01df-3dff-85c1b38f9714@schaufler-ca.com>
On Tue, Jun 29, 2021 at 07:38:15AM -0700, Casey Schaufler wrote:
[..]
> >>>> User xattrs are less protected than security xattrs. You are exposing the
> >>>> security xattrs on the guest to the possible whims of a malicious, unprivileged
> >>>> actor on the host. All it needs is the right UID.
> >>> Yep, we realise that; but when you're mainly interested in making sure
> >>> the guest can't attack the host, that's less worrying.
> >> That's uncomfortable.
> > Why exactly?
>
> If a mechanism is designed with a known vulnerability you
> fail your validation/evaluation efforts.
We are working with the constraint that shared directory should not be
accessible to unpriviliged users on host. And with that constraint, what
you are referring to is not a vulnerability.
> Your mechanism is
> less general because other potential use cases may not be
> as cavalier about the vulnerability.
Prefixing xattrs with "user.virtiofsd" is just one of the options.
virtiofsd has the capability to prefix "trusted.virtiofsd" as well.
We have not chosen that because we don't want to give it CAP_SYS_ADMIN.
So other use cases which don't like prefixing "user.virtiofsd", can
give CAP_SYS_ADMIN and work with it.
> I think that you can
> approach this differently, get a solution that does everything
> you want, and avoid the known problem.
What's the solution? Are you referring to using "trusted.*" instead? But
that has its own problem of giving CAP_SYS_ADMIN to virtiofsd.
Thanks
Vivek
WARNING: multiple messages have this Message-ID (diff)
From: Vivek Goyal <vgoyal@redhat.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: "berrange@redhat.com" <berrange@redhat.com>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"virtio-fs@redhat.com" <virtio-fs@redhat.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"Schaufler, Casey" <casey.schaufler@intel.com>
Subject: Re: [Virtio-fs] [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE
Date: Tue, 29 Jun 2021 11:20:07 -0400 [thread overview]
Message-ID: <20210629152007.GC5231@redhat.com> (raw)
In-Reply-To: <e6f9ed0d-c101-01df-3dff-85c1b38f9714@schaufler-ca.com>
On Tue, Jun 29, 2021 at 07:38:15AM -0700, Casey Schaufler wrote:
[..]
> >>>> User xattrs are less protected than security xattrs. You are exposing the
> >>>> security xattrs on the guest to the possible whims of a malicious, unprivileged
> >>>> actor on the host. All it needs is the right UID.
> >>> Yep, we realise that; but when you're mainly interested in making sure
> >>> the guest can't attack the host, that's less worrying.
> >> That's uncomfortable.
> > Why exactly?
>
> If a mechanism is designed with a known vulnerability you
> fail your validation/evaluation efforts.
We are working with the constraint that shared directory should not be
accessible to unpriviliged users on host. And with that constraint, what
you are referring to is not a vulnerability.
> Your mechanism is
> less general because other potential use cases may not be
> as cavalier about the vulnerability.
Prefixing xattrs with "user.virtiofsd" is just one of the options.
virtiofsd has the capability to prefix "trusted.virtiofsd" as well.
We have not chosen that because we don't want to give it CAP_SYS_ADMIN.
So other use cases which don't like prefixing "user.virtiofsd", can
give CAP_SYS_ADMIN and work with it.
> I think that you can
> approach this differently, get a solution that does everything
> you want, and avoid the known problem.
What's the solution? Are you referring to using "trusted.*" instead? But
that has its own problem of giving CAP_SYS_ADMIN to virtiofsd.
Thanks
Vivek
next prev parent reply other threads:[~2021-06-29 15:20 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-25 19:12 [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE Vivek Goyal
2021-06-25 19:12 ` [Virtio-fs] " Vivek Goyal
2021-06-25 19:12 ` [PATCH 1/1] xattr: Allow user.* xattr on symlink/special files with CAP_SYS_RESOURCE Vivek Goyal
2021-06-25 19:12 ` [Virtio-fs] " Vivek Goyal
2021-06-28 12:33 ` Christian Brauner
2021-06-28 12:33 ` [Virtio-fs] " Christian Brauner
2021-06-28 15:00 ` Vivek Goyal
2021-06-28 15:00 ` [Virtio-fs] " Vivek Goyal
2021-06-29 3:13 ` [xattr] 8d8cd767b6: ltp.setxattr02.fail kernel test robot
2021-06-29 3:13 ` [Virtio-fs] " kernel test robot
2021-06-29 3:13 ` kernel test robot
2021-06-29 3:13 ` [LTP] " kernel test robot
2021-06-29 12:59 ` Vivek Goyal
2021-06-29 12:59 ` [Virtio-fs] " Vivek Goyal
2021-06-29 12:59 ` Vivek Goyal
2021-06-29 12:59 ` [LTP] " Vivek Goyal
2021-06-25 21:49 ` [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE Schaufler, Casey
2021-06-25 21:49 ` [Virtio-fs] " Schaufler, Casey
2021-06-28 11:58 ` Dr. David Alan Gilbert
2021-06-28 11:58 ` [Virtio-fs] " Dr. David Alan Gilbert
2021-06-28 13:17 ` Vivek Goyal
2021-06-28 13:17 ` [Virtio-fs] " Vivek Goyal
2021-06-28 13:36 ` Daniel Walsh
2021-06-28 13:36 ` [Virtio-fs] " Daniel Walsh
2021-06-28 16:04 ` Casey Schaufler
2021-06-28 16:04 ` [Virtio-fs] " Casey Schaufler
2021-06-28 16:28 ` Dr. David Alan Gilbert
2021-06-28 16:28 ` [Virtio-fs] " Dr. David Alan Gilbert
2021-06-28 17:41 ` Casey Schaufler
2021-06-28 17:41 ` [Virtio-fs] " Casey Schaufler
2021-06-29 9:00 ` Dr. David Alan Gilbert
2021-06-29 9:00 ` [Virtio-fs] " Dr. David Alan Gilbert
2021-06-29 14:38 ` Casey Schaufler
2021-06-29 14:38 ` [Virtio-fs] " Casey Schaufler
2021-06-29 15:20 ` Vivek Goyal [this message]
2021-06-29 15:20 ` Vivek Goyal
2021-06-29 16:13 ` Casey Schaufler
2021-06-29 16:13 ` [Virtio-fs] " Casey Schaufler
2021-06-29 16:35 ` Dr. David Alan Gilbert
2021-06-29 16:35 ` [Virtio-fs] " Dr. David Alan Gilbert
2021-06-29 16:51 ` Casey Schaufler
2021-06-29 16:51 ` [Virtio-fs] " Casey Schaufler
2021-06-29 17:35 ` Vivek Goyal
2021-06-29 17:35 ` [Virtio-fs] " Vivek Goyal
2021-06-29 20:28 ` Daniel Walsh
2021-06-29 20:28 ` [Virtio-fs] " Daniel Walsh
2021-06-30 4:12 ` Theodore Ts'o
2021-06-30 4:12 ` [Virtio-fs] " Theodore Ts'o
2021-06-30 8:07 ` Dr. David Alan Gilbert
2021-06-30 8:07 ` [Virtio-fs] " Dr. David Alan Gilbert
2021-06-30 14:47 ` Theodore Ts'o
2021-06-30 14:47 ` [Virtio-fs] " Theodore Ts'o
2021-06-30 15:01 ` Dr. David Alan Gilbert
2021-06-30 15:01 ` [Virtio-fs] " Dr. David Alan Gilbert
2021-06-30 19:59 ` Theodore Ts'o
2021-06-30 19:59 ` [Virtio-fs] " Theodore Ts'o
2021-06-30 20:32 ` Vivek Goyal
2021-06-30 20:32 ` [Virtio-fs] " Vivek Goyal
2021-07-01 8:48 ` Dr. David Alan Gilbert
2021-07-01 8:48 ` [Virtio-fs] " Dr. David Alan Gilbert
2021-07-01 12:21 ` Vivek Goyal
2021-07-01 12:21 ` [Virtio-fs] " Vivek Goyal
2021-07-01 13:10 ` Vivek Goyal
2021-07-01 13:10 ` [Virtio-fs] " Vivek Goyal
2021-07-01 16:58 ` Casey Schaufler
2021-07-01 16:58 ` [Virtio-fs] " Casey Schaufler
2021-06-30 16:09 ` Vivek Goyal
2021-06-30 16:09 ` [Virtio-fs] " Vivek Goyal
2021-06-30 14:27 ` Vivek Goyal
2021-06-30 14:27 ` [Virtio-fs] " Vivek Goyal
2021-06-29 16:25 ` Theodore Ts'o
2021-06-29 16:25 ` [Virtio-fs] " Theodore Ts'o
2021-06-28 17:22 ` Vivek Goyal
2021-06-28 17:22 ` [Virtio-fs] " Vivek Goyal
2021-06-28 18:55 ` Daniel Walsh
2021-06-28 18:55 ` [Virtio-fs] " Daniel Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210629152007.GC5231@redhat.com \
--to=vgoyal@redhat.com \
--cc=berrange@redhat.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=dgilbert@redhat.com \
--cc=dwalsh@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.