linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
@ 2020-11-17 15:08 Serge E. Hallyn
  2020-11-17 16:11 ` Andrew G. Morgan
                   ` (4 more replies)
  0 siblings, 5 replies; 13+ messages in thread
From: Serge E. Hallyn @ 2020-11-17 15:08 UTC (permalink / raw)
  To: lkml
  Cc: James Morris, Hervé Guillemet, Andrew G. Morgan, Casey Schaufler

Namespaced file capabilities were introduced in 8db6c34f1dbc .
When userspace reads an xattr for a namespaced capability, a
virtualized representation of it is returned if the caller is
in a user namespace owned by the capability's owning rootid.
The function which performs this virtualization was not hooked
up if CONFIG_SECURITY=n.  Therefore in that case the original
xattr was shown instead of the virtualized one.

To test this using libcap-bin (*1),

$ v=$(mktemp)
$ unshare -Ur setcap cap_sys_admin-eip $v
$ unshare -Ur setcap -v cap_sys_admin-eip $v
/tmp/tmp.lSiIFRvt8Y: OK

"setcap -v" verifies the values instead of setting them, and
will check whether the rootid value is set.  Therefore, with
this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
fail:

$ v=$(mktemp)
$ unshare -Ur setcap cap_sys_admin=eip $v
$ unshare -Ur setcap -v cap_sys_admin=eip $v
nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []

Fix this bug by calling cap_inode_getsecurity() in
security_inode_getsecurity() instead of returning
-EOPNOTSUPP, when CONFIG_SECURITY=n.

*1 - note, if libcap is too old for getcap to have the '-n'
option, then use verify-caps instead.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
Cc: Hervé Guillemet <herve@guillemet.org>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/security.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index bc2725491560..39642626a707 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
 
 static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
 {
-	return -EOPNOTSUPP;
+	return cap_inode_getsecurity(inode, name, buffer, alloc);
 }
 
 static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
-- 
2.25.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
@ 2020-11-17 16:11 ` Andrew G. Morgan
  2020-11-20  3:19   ` James Morris
  2020-11-17 17:51 ` Casey Schaufler
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 13+ messages in thread
From: Andrew G. Morgan @ 2020-11-17 16:11 UTC (permalink / raw)
  To: Serge E. Hallyn; +Cc: lkml, James Morris, Hervé Guillemet, Casey Schaufler

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>


On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
>
> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n.  Therefore in that case the original
> xattr was shown instead of the virtualized one.
>
> To test this using libcap-bin (*1),
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
>
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set.  Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
>
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
>
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Hervé Guillemet <herve@guillemet.org>
> Cc: Andrew G. Morgan <morgan@kernel.org>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  include/linux/security.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>
>  static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
>  {
> -       return -EOPNOTSUPP;
> +       return cap_inode_getsecurity(inode, name, buffer, alloc);
>  }
>
>  static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
> --
> 2.25.1
>

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
  2020-11-17 16:11 ` Andrew G. Morgan
@ 2020-11-17 17:51 ` Casey Schaufler
  2020-11-20  3:16 ` James Morris
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 13+ messages in thread
From: Casey Schaufler @ 2020-11-17 17:51 UTC (permalink / raw)
  To: Serge E. Hallyn, lkml
  Cc: James Morris, Hervé Guillemet, Andrew G. Morgan, Casey Schaufler

On 11/17/2020 7:08 AM, Serge E. Hallyn wrote:
> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n.  Therefore in that case the original
> xattr was shown instead of the virtualized one.
>
> To test this using libcap-bin (*1),
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
>
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set.  Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
>
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
>
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Hervé Guillemet <herve@guillemet.org>
> Cc: Andrew G. Morgan <morgan@kernel.org>
> Cc: Casey Schaufler <casey@schaufler-ca.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  include/linux/security.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>  
>  static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
>  {
> -	return -EOPNOTSUPP;
> +	return cap_inode_getsecurity(inode, name, buffer, alloc);
>  }
>  
>  static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
  2020-11-17 16:11 ` Andrew G. Morgan
  2020-11-17 17:51 ` Casey Schaufler
@ 2020-11-20  3:16 ` James Morris
  2020-11-20  3:19 ` James Morris
       [not found] ` <CALQRfL6q8ppuWi3ygY6iqh6SX9pnkVnvJDynTD61K2wUqerahg@mail.gmail.com>
  4 siblings, 0 replies; 13+ messages in thread
From: James Morris @ 2020-11-20  3:16 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: lkml, Hervé Guillemet, Andrew G. Morgan, Casey Schaufler,
	linux-security-module

[-- Attachment #1: Type: text/plain, Size: 2294 bytes --]

[Adding LSM list]

On Tue, 17 Nov 2020, Serge E. Hallyn wrote:

> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n.  Therefore in that case the original
> xattr was shown instead of the virtualized one.
> 
> To test this using libcap-bin (*1),
> 
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
> 
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set.  Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
> 
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> 
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
> 
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
> 
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Hervé Guillemet <herve@guillemet.org>
> Cc: Andrew G. Morgan <morgan@kernel.org>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  include/linux/security.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>  
>  static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
>  {
> -	return -EOPNOTSUPP;
> +	return cap_inode_getsecurity(inode, name, buffer, alloc);
>  }
>  
>  static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
> 

-- 
James Morris
<jmorris@namei.org>

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
                   ` (2 preceding siblings ...)
  2020-11-20  3:16 ` James Morris
@ 2020-11-20  3:19 ` James Morris
       [not found] ` <CALQRfL6q8ppuWi3ygY6iqh6SX9pnkVnvJDynTD61K2wUqerahg@mail.gmail.com>
  4 siblings, 0 replies; 13+ messages in thread
From: James Morris @ 2020-11-20  3:19 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: lkml, Hervé Guillemet, Andrew G. Morgan, Casey Schaufler,
	linux-security-module

On Tue, 17 Nov 2020, Serge E. Hallyn wrote:

> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
> 
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431

"Perf fails to compile with python 3.7" 

Wrong bug ID?


-- 
James Morris
<jmorris@namei.org>


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-11-17 16:11 ` Andrew G. Morgan
@ 2020-11-20  3:19   ` James Morris
  2020-11-20  5:03     ` Andrew G. Morgan
  0 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2020-11-20  3:19 UTC (permalink / raw)
  To: Andrew G. Morgan
  Cc: Serge E. Hallyn, lkml, Hervé Guillemet, Casey Schaufler,
	linux-security-module

On Tue, 17 Nov 2020, Andrew G. Morgan wrote:

> Signed-off-by: Andrew G. Morgan <morgan@kernel.org>

This should be Acked-by or Reviewed-by, unless this is your patch, or it 
came via your tree.


-- 
James Morris
<jmorris@namei.org>


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-11-20  3:19   ` James Morris
@ 2020-11-20  5:03     ` Andrew G. Morgan
  0 siblings, 0 replies; 13+ messages in thread
From: Andrew G. Morgan @ 2020-11-20  5:03 UTC (permalink / raw)
  To: James Morris
  Cc: Serge E. Hallyn, lkml, Hervé Guillemet, Casey Schaufler, LSM List

Reviewed-by: Andrew G. Morgan <morgan@kernel.org>

Works for me too.

On Thu, Nov 19, 2020 at 7:20 PM James Morris <jmorris@namei.org> wrote:
>
> On Tue, 17 Nov 2020, Andrew G. Morgan wrote:
>
> > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
>
> This should be Acked-by or Reviewed-by, unless this is your patch, or it
> came via your tree.
>
>
> --
> James Morris
> <jmorris@namei.org>
>

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
       [not found] ` <CALQRfL6q8ppuWi3ygY6iqh6SX9pnkVnvJDynTD61K2wUqerahg@mail.gmail.com>
@ 2020-11-29 21:15   ` Serge E. Hallyn
  2020-12-01  2:58     ` James Morris
  0 siblings, 1 reply; 13+ messages in thread
From: Serge E. Hallyn @ 2020-11-29 21:15 UTC (permalink / raw)
  To: James Morris
  Cc: Serge E. Hallyn, Andrew G. Morgan, lkml, Hervé Guillemet,
	Casey Schaufler

Hi James,

would you mind adding this to the security tree?  (You can cherrypick
from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )

thanks,
-serge

On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> 
> 
> On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> 
> > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > When userspace reads an xattr for a namespaced capability, a
> > virtualized representation of it is returned if the caller is
> > in a user namespace owned by the capability's owning rootid.
> > The function which performs this virtualization was not hooked
> > up if CONFIG_SECURITY=n.  Therefore in that case the original
> > xattr was shown instead of the virtualized one.
> >
> > To test this using libcap-bin (*1),
> >
> > $ v=$(mktemp)
> > $ unshare -Ur setcap cap_sys_admin-eip $v
> > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > /tmp/tmp.lSiIFRvt8Y: OK
> >
> > "setcap -v" verifies the values instead of setting them, and
> > will check whether the rootid value is set.  Therefore, with
> > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > fail:
> >
> > $ v=$(mktemp)
> > $ unshare -Ur setcap cap_sys_admin=eip $v
> > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> >
> > Fix this bug by calling cap_inode_getsecurity() in
> > security_inode_getsecurity() instead of returning
> > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> >
> > *1 - note, if libcap is too old for getcap to have the '-n'
> > option, then use verify-caps instead.
> >
> > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > Cc: Hervé Guillemet <herve@guillemet.org>
> > Cc: Andrew G. Morgan <morgan@kernel.org>
> > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > ---
> >  include/linux/security.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index bc2725491560..39642626a707 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > dentry *dentry)
> >
> >  static inline int security_inode_getsecurity(struct inode *inode, const
> > char *name, void **buffer, bool alloc)
> >  {
> > -       return -EOPNOTSUPP;
> > +       return cap_inode_getsecurity(inode, name, buffer, alloc);
> >  }
> >
> >  static inline int security_inode_setsecurity(struct inode *inode, const
> > char *name, const void *value, size_t size, int flags)
> > --
> > 2.25.1
> >
> >

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-11-29 21:15   ` Serge E. Hallyn
@ 2020-12-01  2:58     ` James Morris
  2020-12-04 15:58       ` Andrew G. Morgan
  0 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2020-12-01  2:58 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: Andrew G. Morgan, lkml, Hervé Guillemet, Casey Schaufler

[-- Attachment #1: Type: text/plain, Size: 2986 bytes --]

On Sun, 29 Nov 2020, Serge E. Hallyn wrote:

> Hi James,
> 
> would you mind adding this to the security tree?  (You can cherrypick
> from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )

Sure.

> 
> thanks,
> -serge
> 
> On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> > 
> > 
> > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > 
> > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > When userspace reads an xattr for a namespaced capability, a
> > > virtualized representation of it is returned if the caller is
> > > in a user namespace owned by the capability's owning rootid.
> > > The function which performs this virtualization was not hooked
> > > up if CONFIG_SECURITY=n.  Therefore in that case the original
> > > xattr was shown instead of the virtualized one.
> > >
> > > To test this using libcap-bin (*1),
> > >
> > > $ v=$(mktemp)
> > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > /tmp/tmp.lSiIFRvt8Y: OK
> > >
> > > "setcap -v" verifies the values instead of setting them, and
> > > will check whether the rootid value is set.  Therefore, with
> > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > fail:
> > >
> > > $ v=$(mktemp)
> > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > >
> > > Fix this bug by calling cap_inode_getsecurity() in
> > > security_inode_getsecurity() instead of returning
> > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > >
> > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > option, then use verify-caps instead.
> > >
> > > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > Cc: Hervé Guillemet <herve@guillemet.org>
> > > Cc: Andrew G. Morgan <morgan@kernel.org>
> > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > ---
> > >  include/linux/security.h | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > index bc2725491560..39642626a707 100644
> > > --- a/include/linux/security.h
> > > +++ b/include/linux/security.h
> > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > dentry *dentry)
> > >
> > >  static inline int security_inode_getsecurity(struct inode *inode, const
> > > char *name, void **buffer, bool alloc)
> > >  {
> > > -       return -EOPNOTSUPP;
> > > +       return cap_inode_getsecurity(inode, name, buffer, alloc);
> > >  }
> > >
> > >  static inline int security_inode_setsecurity(struct inode *inode, const
> > > char *name, const void *value, size_t size, int flags)
> > > --
> > > 2.25.1
> > >
> > >
> 

-- 
James Morris
<jmorris@namei.org>

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-12-01  2:58     ` James Morris
@ 2020-12-04 15:58       ` Andrew G. Morgan
  2020-12-05  0:27         ` James Morris
  2020-12-05 17:40         ` Serge E. Hallyn
  0 siblings, 2 replies; 13+ messages in thread
From: Andrew G. Morgan @ 2020-12-04 15:58 UTC (permalink / raw)
  To: James Morris; +Cc: Serge E. Hallyn, lkml, Hervé Guillemet, Casey Schaufler

The correct bug reference for this patch is:

https://bugzilla.kernel.org/show_bug.cgi?id=209689

Reviewed-by: Andrew G. Morgan <morgan@kernel.org>

On Mon, Nov 30, 2020 at 6:58 PM James Morris <jmorris@namei.org> wrote:
>
> On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
>
> > Hi James,
> >
> > would you mind adding this to the security tree?  (You can cherrypick
> > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
>
> Sure.
>
> >
> > thanks,
> > -serge
> >
> > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> > >
> > >
> > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > >
> > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > When userspace reads an xattr for a namespaced capability, a
> > > > virtualized representation of it is returned if the caller is
> > > > in a user namespace owned by the capability's owning rootid.
> > > > The function which performs this virtualization was not hooked
> > > > up if CONFIG_SECURITY=n.  Therefore in that case the original
> > > > xattr was shown instead of the virtualized one.
> > > >
> > > > To test this using libcap-bin (*1),
> > > >
> > > > $ v=$(mktemp)
> > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > >
> > > > "setcap -v" verifies the values instead of setting them, and
> > > > will check whether the rootid value is set.  Therefore, with
> > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > fail:
> > > >
> > > > $ v=$(mktemp)
> > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > >
> > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > security_inode_getsecurity() instead of returning
> > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > >
> > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > option, then use verify-caps instead.
> > > >
> > > > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > Cc: Hervé Guillemet <herve@guillemet.org>
> > > > Cc: Andrew G. Morgan <morgan@kernel.org>
> > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > ---
> > > >  include/linux/security.h | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > index bc2725491560..39642626a707 100644
> > > > --- a/include/linux/security.h
> > > > +++ b/include/linux/security.h
> > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > dentry *dentry)
> > > >
> > > >  static inline int security_inode_getsecurity(struct inode *inode, const
> > > > char *name, void **buffer, bool alloc)
> > > >  {
> > > > -       return -EOPNOTSUPP;
> > > > +       return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > >  }
> > > >
> > > >  static inline int security_inode_setsecurity(struct inode *inode, const
> > > > char *name, const void *value, size_t size, int flags)
> > > > --
> > > > 2.25.1
> > > >
> > > >
> >
>
> --
> James Morris
> <jmorris@namei.org>

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-12-04 15:58       ` Andrew G. Morgan
@ 2020-12-05  0:27         ` James Morris
  2020-12-05 17:40         ` Serge E. Hallyn
  1 sibling, 0 replies; 13+ messages in thread
From: James Morris @ 2020-12-05  0:27 UTC (permalink / raw)
  To: Andrew G. Morgan
  Cc: Serge E. Hallyn, lkml, Hervé Guillemet, Casey Schaufler,
	linux-security-module

On Fri, 4 Dec 2020, Andrew G. Morgan wrote:

> The correct bug reference for this patch is:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=209689
> 
> Reviewed-by: Andrew G. Morgan <morgan@kernel.org>

Thanks.

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git fixes-5.10
and next-testing


-- 
James Morris
<jmorris@namei.org>


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-12-04 15:58       ` Andrew G. Morgan
  2020-12-05  0:27         ` James Morris
@ 2020-12-05 17:40         ` Serge E. Hallyn
  2020-12-05 17:41           ` Serge E. Hallyn
  1 sibling, 1 reply; 13+ messages in thread
From: Serge E. Hallyn @ 2020-12-05 17:40 UTC (permalink / raw)
  To: Andrew G. Morgan
  Cc: James Morris, Serge E. Hallyn, lkml, Hervé Guillemet,
	Casey Schaufler

How odd - where did that come from?

James, I force-pushed that with corrected bugzilla link to
2020-11-29/fix-nscaps.  Sorry about that.

On Fri, Dec 04, 2020 at 07:58:14AM -0800, Andrew G. Morgan wrote:
> The correct bug reference for this patch is:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=209689
> 
> Reviewed-by: Andrew G. Morgan <morgan@kernel.org>
> 
> On Mon, Nov 30, 2020 at 6:58 PM James Morris <jmorris@namei.org> wrote:
> >
> > On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
> >
> > > Hi James,
> > >
> > > would you mind adding this to the security tree?  (You can cherrypick
> > > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
> >
> > Sure.
> >
> > >
> > > thanks,
> > > -serge
> > >
> > > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> > > >
> > > >
> > > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > > >
> > > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > > When userspace reads an xattr for a namespaced capability, a
> > > > > virtualized representation of it is returned if the caller is
> > > > > in a user namespace owned by the capability's owning rootid.
> > > > > The function which performs this virtualization was not hooked
> > > > > up if CONFIG_SECURITY=n.  Therefore in that case the original
> > > > > xattr was shown instead of the virtualized one.
> > > > >
> > > > > To test this using libcap-bin (*1),
> > > > >
> > > > > $ v=$(mktemp)
> > > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > > >
> > > > > "setcap -v" verifies the values instead of setting them, and
> > > > > will check whether the rootid value is set.  Therefore, with
> > > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > > fail:
> > > > >
> > > > > $ v=$(mktemp)
> > > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > > >
> > > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > > security_inode_getsecurity() instead of returning
> > > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > > >
> > > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > > option, then use verify-caps instead.
> > > > >
> > > > > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > > Cc: Hervé Guillemet <herve@guillemet.org>
> > > > > Cc: Andrew G. Morgan <morgan@kernel.org>
> > > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > > ---
> > > > >  include/linux/security.h | 2 +-
> > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > > index bc2725491560..39642626a707 100644
> > > > > --- a/include/linux/security.h
> > > > > +++ b/include/linux/security.h
> > > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > > dentry *dentry)
> > > > >
> > > > >  static inline int security_inode_getsecurity(struct inode *inode, const
> > > > > char *name, void **buffer, bool alloc)
> > > > >  {
> > > > > -       return -EOPNOTSUPP;
> > > > > +       return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > > >  }
> > > > >
> > > > >  static inline int security_inode_setsecurity(struct inode *inode, const
> > > > > char *name, const void *value, size_t size, int flags)
> > > > > --
> > > > > 2.25.1
> > > > >
> > > > >
> > >
> >
> > --
> > James Morris
> > <jmorris@namei.org>

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
  2020-12-05 17:40         ` Serge E. Hallyn
@ 2020-12-05 17:41           ` Serge E. Hallyn
  0 siblings, 0 replies; 13+ messages in thread
From: Serge E. Hallyn @ 2020-12-05 17:41 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: Andrew G. Morgan, James Morris, lkml, Hervé Guillemet,
	Casey Schaufler

Oh, I see you'd changed it inline :)  Thanks

On Sat, Dec 05, 2020 at 11:40:00AM -0600, Serge E. Hallyn wrote:
> How odd - where did that come from?
> 
> James, I force-pushed that with corrected bugzilla link to
> 2020-11-29/fix-nscaps.  Sorry about that.
> 
> On Fri, Dec 04, 2020 at 07:58:14AM -0800, Andrew G. Morgan wrote:
> > The correct bug reference for this patch is:
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=209689
> > 
> > Reviewed-by: Andrew G. Morgan <morgan@kernel.org>
> > 
> > On Mon, Nov 30, 2020 at 6:58 PM James Morris <jmorris@namei.org> wrote:
> > >
> > > On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
> > >
> > > > Hi James,
> > > >
> > > > would you mind adding this to the security tree?  (You can cherrypick
> > > > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
> > >
> > > Sure.
> > >
> > > >
> > > > thanks,
> > > > -serge
> > > >
> > > > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > > > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> > > > >
> > > > >
> > > > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > > > >
> > > > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > > > When userspace reads an xattr for a namespaced capability, a
> > > > > > virtualized representation of it is returned if the caller is
> > > > > > in a user namespace owned by the capability's owning rootid.
> > > > > > The function which performs this virtualization was not hooked
> > > > > > up if CONFIG_SECURITY=n.  Therefore in that case the original
> > > > > > xattr was shown instead of the virtualized one.
> > > > > >
> > > > > > To test this using libcap-bin (*1),
> > > > > >
> > > > > > $ v=$(mktemp)
> > > > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > > > >
> > > > > > "setcap -v" verifies the values instead of setting them, and
> > > > > > will check whether the rootid value is set.  Therefore, with
> > > > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > > > fail:
> > > > > >
> > > > > > $ v=$(mktemp)
> > > > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > > > >
> > > > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > > > security_inode_getsecurity() instead of returning
> > > > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > > > >
> > > > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > > > option, then use verify-caps instead.
> > > > > >
> > > > > > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > > > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > > > Cc: Hervé Guillemet <herve@guillemet.org>
> > > > > > Cc: Andrew G. Morgan <morgan@kernel.org>
> > > > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > > > ---
> > > > > >  include/linux/security.h | 2 +-
> > > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > >
> > > > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > > > index bc2725491560..39642626a707 100644
> > > > > > --- a/include/linux/security.h
> > > > > > +++ b/include/linux/security.h
> > > > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > > > dentry *dentry)
> > > > > >
> > > > > >  static inline int security_inode_getsecurity(struct inode *inode, const
> > > > > > char *name, void **buffer, bool alloc)
> > > > > >  {
> > > > > > -       return -EOPNOTSUPP;
> > > > > > +       return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > > > >  }
> > > > > >
> > > > > >  static inline int security_inode_setsecurity(struct inode *inode, const
> > > > > > char *name, const void *value, size_t size, int flags)
> > > > > > --
> > > > > > 2.25.1
> > > > > >
> > > > > >
> > > >
> > >
> > > --
> > > James Morris
> > > <jmorris@namei.org>

^ permalink raw reply	[flat|nested] 13+ messages in thread

end of thread, other threads:[~2020-12-05 18:38 UTC | newest]

Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
2020-11-17 16:11 ` Andrew G. Morgan
2020-11-20  3:19   ` James Morris
2020-11-20  5:03     ` Andrew G. Morgan
2020-11-17 17:51 ` Casey Schaufler
2020-11-20  3:16 ` James Morris
2020-11-20  3:19 ` James Morris
     [not found] ` <CALQRfL6q8ppuWi3ygY6iqh6SX9pnkVnvJDynTD61K2wUqerahg@mail.gmail.com>
2020-11-29 21:15   ` Serge E. Hallyn
2020-12-01  2:58     ` James Morris
2020-12-04 15:58       ` Andrew G. Morgan
2020-12-05  0:27         ` James Morris
2020-12-05 17:40         ` Serge E. Hallyn
2020-12-05 17:41           ` Serge E. Hallyn

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).