From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754708AbdFWRU1 (ORCPT ); Fri, 23 Jun 2017 13:20:27 -0400
Received: from h2.hallyn.com ([78.46.35.8]:58994 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754561AbdFWRUZ (ORCPT ); Fri, 23 Jun 2017 13:20:25 -0400
Date: Fri, 23 Jun 2017 12:20:16 -0500
From: "Serge E. Hallyn"
To: James Bottomley
Cc: "Serge E. Hallyn", Casey Schaufler, Amir Goldstein, Stefan Berger, "Eric W. Biederman", Linux Containers, lkp@01.org, xiaolong.ye@intel.com, linux-kernel, Mimi Zohar, Tycho Andersen, christian.brauner@mailbox.org, Vivek Goyal, LSM List
Subject: Re: [PATCH 0/3] Enable namespaced file capabilities
Message-ID: <20170623172016.GA19551@mail.hallyn.com>
References: <1498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com> <20170623160026.GA18257@mail.hallyn.com> <20170623163030.GA18820@mail.hallyn.com> <1498237641.3641.15.camel@HansenPartnership.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1498237641.3641.15.camel@HansenPartnership.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting James Bottomley (James.Bottomley@HansenPartnership.com):
> On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> > > Or maybe just security.ns.capability, taking James' comment into
> > > account.
> >
> > That last one may be suitable as an option, useful for his particular
> > (somewhat barbaric :) use case, but it's not ok for the general
> > solution.
> >
> > If uid 1000 was delegated the subuids 100000-199999, it should be
> > able to write a file capability for use by his subuids, but that file
> > capability must not apply to other subuids.
>
> I don't think it's barbaric, I think it's the common use case.  Let me

:) sorry.  Yes, it is the common case, and even lxd does it that way.
But lxc itself does not, and while there are shortcomings (including
this one, file capabilities) which require 'barbaric' use of privilege
to set things up in some cases, I prefer we not get complacent and
accept it as proper.

> give a more comprehensible answer in terms of docker and IMA.  Lets
> suppose I'm running docker locally and in a test cloud both with userns
> enabled.
>
> I build an image locally, mapping my uid (1000) to root.  If I begin
> with a standard base, each of the files has a security.ima signature.
> Now I add my layer, which involves updating a file, so I need to write
> a new signature to security.ima.  Because I'm running user namespaced,
> the update gets written at security.ima@uid=1000 when I do a docker
> save.
>
> Now supposing I deploy that image to a cloud.  As a tenant, the cloud
> gives me real uid 4531 and maps that to root.  Execution of the binary
> fails because it tries to use the underlying signature (in
> security.ima) as there is no xattr named security.ima@uid=4531

In this example, how do you, if you do, shift the owner of the file
into the mapped user namespace?  Or are you happy to have the file
owned by an invalid user nobody?  (There certainly are cases where that
would be ok, but I suspect you're shifting the file)

> So my essential point is that building the real kuid into the permanent
> record of the xattr damages image portability, which is touted as one
> of the real advantages of container images.

'container images' aren't portable in that sense now - for at least
many cases - because you have to shift the uid.  However you're doing
that, you may be able to shift the xattr the same way.

-serge
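The scenario James describes (a file whose updated IMA signature lives in `security.ima@uid=1000`, later read by a namespace whose root maps to kuid 4531) and Serge's reply (the xattr can be shifted together with the file owner) can be modelled in a few lines. The following is an added illustration, not code from the kernel, from the patch series, or from either participant; the `UidMap`, `Inode`, `select_xattr` and `shift_inode` names, the two uid_map texts and the signature bytes are all constructed for this example. It models only the naming rule the thread states: a namespace whose root is host kuid K reads `security.ima@uid=K` and falls back to plain `security.ima` when no suffixed value exists.

```python
"""Model of kuid-suffixed security xattrs and of shifting them between
two user-namespace uid mappings (constructed example, not kernel code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UidMap:
    """One uid_map line: ns uids [ns_start, ns_start+count) map to
    host kuids [host_start, host_start+count)."""
    ns_start: int
    host_start: int
    count: int

    def to_host(self, ns_uid: int) -> Optional[int]:
        if self.ns_start <= ns_uid < self.ns_start + self.count:
            return self.host_start + (ns_uid - self.ns_start)
        return None

    def from_host(self, kuid: int) -> Optional[int]:
        if self.host_start <= kuid < self.host_start + self.count:
            return self.ns_start + (kuid - self.host_start)
        return None


def parse_uid_map(text: str) -> List[UidMap]:
    """Parse uid_map text ("ns_start host_start count" per line)."""
    maps = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"bad uid_map line: {line!r}")
        maps.append(UidMap(*map(int, parts)))
    return maps


def map_to_host(maps: List[UidMap], ns_uid: int) -> Optional[int]:
    for m in maps:
        kuid = m.to_host(ns_uid)
        if kuid is not None:
            return kuid
    return None


def map_from_host(maps: List[UidMap], kuid: int) -> Optional[int]:
    for m in maps:
        ns_uid = m.from_host(kuid)
        if ns_uid is not None:
            return ns_uid
    return None


@dataclass
class Inode:
    owner_kuid: int
    xattrs: Dict[str, bytes] = field(default_factory=dict)


def select_xattr(inode: Inode, base: str, ns_root_kuid: int) -> Tuple[str, Optional[bytes]]:
    """Pick the xattr a namespace with root kuid ns_root_kuid would read:
    the @uid= suffixed one if present, else the plain (underlying) one."""
    suffixed = f"{base}@uid={ns_root_kuid}"
    if suffixed in inode.xattrs:
        return suffixed, inode.xattrs[suffixed]
    return base, inode.xattrs.get(base)


def shift_inode(inode: Inode, src: List[UidMap], dst: List[UidMap]) -> Inode:
    """Rebase an inode written under mapping src so it reads the same under
    dst: translate the owner kuid and every @uid= suffix via the ns uid.
    Kuids with no slot in src, or ns uids with no slot in dst, are errors."""
    def translate(kuid: int) -> int:
        ns_uid = map_from_host(src, kuid)
        if ns_uid is None:
            raise ValueError(f"kuid {kuid} is not in the source mapping")
        new_kuid = map_to_host(dst, ns_uid)
        if new_kuid is None:
            raise ValueError(f"ns uid {ns_uid} is not in the destination mapping")
        return new_kuid

    new_xattrs: Dict[str, bytes] = {}
    for name, value in inode.xattrs.items():
        base, sep, suffix = name.partition("@uid=")
        if sep:  # namespaced xattr: rewrite the kuid in its name
            name = f"{base}@uid={translate(int(suffix))}"
        new_xattrs[name] = value  # plain xattrs are carried over unchanged
    return Inode(owner_kuid=translate(inode.owner_kuid), xattrs=new_xattrs)


# Constructed mappings: local build maps uid 1000 to root, the cloud maps 4531.
LOCAL_MAP = parse_uid_map("0 1000 1\n1 100000 65536")
CLOUD_MAP = parse_uid_map("0 4531 1\n1 200000 65536")


def build_local_image() -> Inode:
    """A file from a signed base layer, re-signed in the local userns."""
    root_kuid = map_to_host(LOCAL_MAP, 0)
    return Inode(owner_kuid=root_kuid, xattrs={
        "security.ima": b"sig:base-layer",
        f"security.ima@uid={root_kuid}": b"sig:my-layer",
    })


def demo() -> dict:
    img = build_local_image()
    local = select_xattr(img, "security.ima", map_to_host(LOCAL_MAP, 0))
    cloud_unshifted = select_xattr(img, "security.ima", map_to_host(CLOUD_MAP, 0))
    shifted = shift_inode(img, LOCAL_MAP, CLOUD_MAP)
    cloud_shifted = select_xattr(shifted, "security.ima", map_to_host(CLOUD_MAP, 0))
    return {"local": local, "cloud_unshifted": cloud_unshifted,
            "cloud_shifted": cloud_shifted, "shifted_owner": shifted.owner_kuid}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run as is, the unshifted lookup on the cloud host falls back to the stale base-layer signature, which is the portability failure James describes; after `shift_inode` rewrites both the owner and the suffix through the namespace uid, the cloud namespace reads the updated signature. The same rewrite applies to any kuid-suffixed name, so the helper is not specific to `security.ima`.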