From: Seth Forshee
To: Serge Hallyn
Cc: Djalal Harouni, Alexander Viro, Chris Mason, tytso@mit.edu, Serge Hallyn, Josh Triplett, "Eric W. Biederman", Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Dongsu Park, David Herrmann, Miklos Szeredi, Alban Crequy, Djalal Harouni
Subject: Re: [RFC v2 PATCH 3/8] fs: Treat foreign mounts as nosuid
Date: Thu, 5 May 2016 08:05:08 -0500
Message-ID: <20160505130508.GA63464@ubuntu-hedt>
References: <1462372014-3786-1-git-send-email-tixxdz@gmail.com> <1462372014-3786-4-git-send-email-tixxdz@gmail.com> <20160504231904.GA17801@ubuntumail>
In-Reply-To: <20160504231904.GA17801@ubuntumail>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 04, 2016 at 11:19:04PM +0000, Serge Hallyn wrote:
> Quoting Djalal Harouni (tixxdz@gmail.com):
> > If a process gets access to a mount from a different user
> > namespace, that process should not be able to take advantage of
> > setuid files or selinux entrypoints from that filesystem. Prevent
> > this by treating mounts from other mount namespaces and those not
> > owned by current_user_ns() or an ancestor as nosuid.
> >
> > This patch was just adapted from the original one that was written
> > by Andy Lutomirski
> > https://www.redhat.com/archives/dm-devel/2016-April/msg00374.html
>
> I'm not sure that this makes sense given what you're doing. In the
> case of Seth's set, a filesystem is mounted specifically (and privately)
> in a user namespace. We don't want for instance the initial user ns
> to find a link to a setuid-root exploit left in the container-mounted
> filesystem.
>
> But you are having a parent user namespace mount the fs so that its
> children can all access the fs, uid-shifted for convenience. Not
> allowing the child namespaces to make use of setuid-root does not
> seem applicable here.

Right, the problem addressed by this patch probably isn't relevant to
this sort of uid shifting. But I think there's another problem that
needs to be addressed.

bprm_fill_uid() still gets the ids for sxid files unshifted from the
inode. We already protect against sxid to any user not in
bprm->cred->user_ns, so it will just ignore the sxid instead of e.g.
suid as global root from the id shifted mount, which is good. What
would be wanted though is to use the shifted ids so that something like
suid-root ping in the container rootfs would work.

Seth
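A constructed model, added here and not code from the kernel or from either patch series, of the two checks this reply contrasts: the patch's "foreign mount is nosuid" rule and the bprm_fill_uid() guard that drops an sxid whose owner does not map into bprm->cred->user_ns. The structs, the single-range uid map, and the `uid_shift` offset standing in for the series' id shifting are all simplifying assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model; these are not the kernel's structures. A user namespace
 * maps one contiguous range of its own uids [first, first+count) onto kernel
 * uids [kuid_first, kuid_first+count). */
struct user_ns { const struct user_ns *parent; uint32_t first, kuid_first, count; };
struct mnt_ns  { int id; };
struct mount   { const struct mnt_ns *mnt_ns; const struct user_ns *owner;
                 int32_t uid_shift; /* assumed stand-in for id shifting */ };
struct cred    { const struct user_ns *user_ns; const struct mnt_ns *mnt_ns; };

#define INVALID_UID ((int64_t)-1)

/* True when target is ns itself or one of its ancestors. */
static bool in_userns(const struct user_ns *target, const struct user_ns *ns)
{
    for (; ns; ns = ns->parent)
        if (ns == target)
            return true;
    return false;
}

/* Patch 3/8 rule: a mount from another mount namespace, or owned by a user
 * namespace that is not current_user_ns() or an ancestor, is treated as nosuid. */
bool mount_is_nosuid(const struct mount *m, const struct cred *c)
{
    return m->mnt_ns != c->mnt_ns || !in_userns(m->owner, c->user_ns);
}

/* Model of from_kuid(): kernel uid -> ns-local uid, or INVALID_UID if unmapped. */
int64_t from_kuid_model(const struct user_ns *ns, uint32_t kuid)
{
    if (kuid < ns->kuid_first || kuid - ns->kuid_first >= ns->count)
        return INVALID_UID;
    return (int64_t)(ns->first + (kuid - ns->kuid_first));
}

/* Model of the bprm_fill_uid() guard for a file with S_ISUID set: the bit is
 * honoured only if the owner maps into the caller's user namespace. Returns the
 * ns-local uid the program would run as, or INVALID_UID when the sxid is ignored.
 * 'shifted' applies the mount's uid shift first, the behaviour Seth asks for. */
int64_t setuid_target(const struct mount *m, uint32_t inode_kuid, bool shifted,
                      const struct cred *c)
{
    if (mount_is_nosuid(m, c))
        return INVALID_UID;
    uint32_t kuid = shifted ? inode_kuid + (uint32_t)m->uid_shift : inode_kuid;
    return from_kuid_model(c->user_ns, kuid);
}
```

With the shift applied, a root-owned suid binary on a parent-mounted, shifted filesystem resolves to uid 0 inside the container; without it the lookup fails and the sxid is silently ignored, which is the gap the reply describes.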