From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Linux Containers <containers@lists.linux-foundation.org>
Cc: linux-fsdevel@vger.kernel.org,
Seth Forshee <seth.forshee@canonical.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Christian Brauner <christian@brauner.io>,
linux-kernel@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [REVIEW][PATCH 5/6] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
Date: Wed, 23 May 2018 18:25:37 -0500 [thread overview]
Message-ID: <20180523232538.4880-5-ebiederm@xmission.com> (raw)
In-Reply-To: <87o9h6554f.fsf@xmission.com>
A privileged user in s_user_ns will generally have the ability to
manipulate the backing store and insert security.* xattrs into
the filesystem directly. Therefore the kernel must be prepared to
handle these xattrs from unprivileged mounts, and it makes little
sense for commoncap to prevent writing these xattrs to the
filesystem. The capability and LSM code have already been updated
to appropriately handle xattrs from unprivileged mounts, so it
is safe to loosen this restriction on setting xattrs.
The exception to this logic is that writing xattrs to a mounted
filesystem may also cause the LSM inode_post_setxattr or
inode_setsecurity callbacks to be invoked. SELinux will deny the
xattr update by virtue of applying mountpoint labeling to
unprivileged userns mounts, and Smack will deny the writes for
any user without global CAP_MAC_ADMIN, so loosening the
capability check in commoncap is safe in this respect as well.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
security/commoncap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index 1ce701fcb3f3..f4c33abd9959 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -919,6 +919,8 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
int cap_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
+ struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
+
/* Ignore non-security xattrs */
if (strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) != 0)
@@ -931,7 +933,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
if (strcmp(name, XATTR_NAME_CAPS) == 0)
return 0;
- if (!capable(CAP_SYS_ADMIN))
+ if (!ns_capable(user_ns, CAP_SYS_ADMIN))
return -EPERM;
return 0;
}
@@ -949,6 +951,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
*/
int cap_inode_removexattr(struct dentry *dentry, const char *name)
{
+ struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
+
/* Ignore non-security xattrs */
if (strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) != 0)
@@ -964,7 +968,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
return 0;
}
- if (!capable(CAP_SYS_ADMIN))
+ if (!ns_capable(user_ns, CAP_SYS_ADMIN))
return -EPERM;
return 0;
}
--
2.14.1
next prev parent reply other threads:[~2018-05-23 23:26 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-23 23:22 [REVIEW][PATCH 0/6] Wrapping up the vfs support for unprivileged mounts Eric W. Biederman
2018-05-23 23:25 ` [REVIEW][PATCH 1/6] vfs: Don't allow changing the link count of an inode with an invalid uid or gid Eric W. Biederman
2018-05-24 12:58 ` Seth Forshee
2018-05-24 22:30 ` Christian Brauner
2018-05-23 23:25 ` [REVIEW][PATCH 2/6] vfs: Allow userns root to call mknod on owned filesystems Eric W. Biederman
2018-05-24 13:55 ` Seth Forshee
2018-05-24 16:55 ` Eric W. Biederman
2018-05-24 17:22 ` Seth Forshee
2018-05-24 19:12 ` Christian Brauner
2018-05-23 23:25 ` [REVIEW][PATCH 3/6] fs: Allow superblock owner to replace invalid owners of inodes Eric W. Biederman
2018-05-23 23:41 ` [REVIEW][PATCH v2 " Eric W. Biederman
2018-05-24 22:30 ` Christian Brauner
2018-05-23 23:25 ` [REVIEW][PATCH 4/6] fs: Allow superblock owner to access do_remount_sb() Eric W. Biederman
2018-05-24 15:58 ` Christian Brauner
2018-05-24 16:45 ` Eric W. Biederman
2018-05-24 17:28 ` Christian Brauner
2018-05-23 23:25 ` Eric W. Biederman [this message]
2018-05-24 15:57 ` [REVIEW][PATCH 5/6] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Christian Brauner
2018-05-23 23:25 ` [REVIEW][PATCH 6/6] fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems Eric W. Biederman
2018-05-24 15:59 ` Christian Brauner
2018-05-24 21:46 ` [REVIEW][PATCH 0/6] Wrapping up the vfs support for unprivileged mounts Theodore Y. Ts'o
2018-05-24 23:23 ` Eric W. Biederman
2018-05-25 3:57 ` Dave Chinner
2018-05-25 4:06 ` Darrick J. Wong
2018-05-29 13:12 ` Eric W. Biederman
2018-05-29 22:17 ` Dave Chinner
2018-05-30 2:34 ` Eric W. Biederman
2018-05-30 4:34 ` Dave Chinner
2018-05-29 15:40 ` Dongsu Park
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180523232538.4880-5-ebiederm@xmission.com \
--to=ebiederm@xmission.com \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).