From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756669AbdLVOcy (ORCPT ); Fri, 22 Dec 2017 09:32:54 -0500 Received: from mail-wm0-f68.google.com ([74.125.82.68]:41721 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756167AbdLVOb0 (ORCPT ); Fri, 22 Dec 2017 09:31:26 -0500 X-Google-Smtp-Source: ACJfBouDHJTs1nNG/l2Uazn3ssDOHRIn3EcaBQlQA1EaUvH5AH3ri2IBDz3jyZb0Z4E6ooiWzpAj0g== From: Dongsu Park To: linux-kernel@vger.kernel.org Cc: containers@lists.linux-foundation.org, Alban Crequy , "Eric W . Biederman" , Miklos Szeredi , Seth Forshee , Sargun Dhillon , Dongsu Park , linux-security-module@vger.kernel.org, James Morris , Serge Hallyn Subject: [PATCH 06/11] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Date: Fri, 22 Dec 2017 15:32:30 +0100 Message-Id: <5adc5e31c25beb987798ecc219df79671547a9ac.1512041070.git.dongsu@kinvolk.io> X-Mailer: git-send-email 2.13.6 In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Seth Forshee A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing these xattrs to the filesystem. The capability and LSM code have already been updated to appropriately handle xattrs from unprivileged mounts, so it is safe to loosen this restriction on setting xattrs. The exception to this logic is that writing xattrs to a mounted filesystem may also cause the LSM inode_post_setxattr or inode_setsecurity callbacks to be invoked. SELinux will deny the xattr update by virtue of applying mountpoint labeling to unprivileged userns mounts, and Smack will deny the writes for any user without global CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe in this respect as well. Patch v4 is available: https://patchwork.kernel.org/patch/8944641/ Cc: linux-security-module@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: James Morris Cc: Serge Hallyn Signed-off-by: Seth Forshee Signed-off-by: Dongsu Park --- security/commoncap.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 4f8e0934..dd0afef9 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -920,6 +920,8 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + /* Ignore non-security xattrs */ if (strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) @@ -932,7 +934,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, if (strcmp(name, XATTR_NAME_CAPS) == 0) return 0; - if (!capable(CAP_SYS_ADMIN)) + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -950,6 +952,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + /* Ignore non-security xattrs */ if (strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) @@ -965,7 +969,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) return 0; } - if (!capable(CAP_SYS_ADMIN)) + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } -- 2.13.6