* [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
@ 2020-11-17 15:08 Serge E. Hallyn
2020-11-17 16:11 ` Andrew G. Morgan
` (4 more replies)
0 siblings, 5 replies; 13+ messages in thread
From: Serge E. Hallyn @ 2020-11-17 15:08 UTC (permalink / raw)
To: lkml
Cc: James Morris, Hervé Guillemet, Andrew G. Morgan, Casey Schaufler
Namespaced file capabilities were introduced in 8db6c34f1dbc .
When userspace reads an xattr for a namespaced capability, a
virtualized representation of it is returned if the caller is
in a user namespace owned by the capability's owning rootid.
The function which performs this virtualization was not hooked
up if CONFIG_SECURITY=n. Therefore in that case the original
xattr was shown instead of the virtualized one.
To test this using libcap-bin (*1),
$ v=$(mktemp)
$ unshare -Ur setcap cap_sys_admin-eip $v
$ unshare -Ur setcap -v cap_sys_admin-eip $v
/tmp/tmp.lSiIFRvt8Y: OK
"setcap -v" verifies the values instead of setting them, and
will check whether the rootid value is set. Therefore, with
this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
fail:
$ v=$(mktemp)
$ unshare -Ur setcap cap_sys_admin=eip $v
$ unshare -Ur setcap -v cap_sys_admin=eip $v
nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
Fix this bug by calling cap_inode_getsecurity() in
security_inode_getsecurity() instead of returning
-EOPNOTSUPP, when CONFIG_SECURITY=n.
*1 - note, if libcap is too old for getcap to have the '-n'
option, then use verify-caps instead.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
Cc: Hervé Guillemet <herve@guillemet.org>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index bc2725491560..39642626a707 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
{
- return -EOPNOTSUPP;
+ return cap_inode_getsecurity(inode, name, buffer, alloc);
}
static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
--
2.25.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
@ 2020-11-17 16:11 ` Andrew G. Morgan
2020-11-20 3:19 ` James Morris
2020-11-17 17:51 ` Casey Schaufler
` (3 subsequent siblings)
4 siblings, 1 reply; 13+ messages in thread
From: Andrew G. Morgan @ 2020-11-17 16:11 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: lkml, James Morris, Hervé Guillemet, Casey Schaufler
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
>
> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n. Therefore in that case the original
> xattr was shown instead of the virtualized one.
>
> To test this using libcap-bin (*1),
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
>
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set. Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
>
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
>
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Hervé Guillemet <herve@guillemet.org>
> Cc: Andrew G. Morgan <morgan@kernel.org>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/security.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>
> static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
> {
> - return -EOPNOTSUPP;
> + return cap_inode_getsecurity(inode, name, buffer, alloc);
> }
>
> static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
> --
> 2.25.1
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
2020-11-17 16:11 ` Andrew G. Morgan
@ 2020-11-17 17:51 ` Casey Schaufler
2020-11-20 3:16 ` James Morris
` (2 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: Casey Schaufler @ 2020-11-17 17:51 UTC (permalink / raw)
To: Serge E. Hallyn, lkml
Cc: James Morris, Hervé Guillemet, Andrew G. Morgan, Casey Schaufler
On 11/17/2020 7:08 AM, Serge E. Hallyn wrote:
> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n. Therefore in that case the original
> xattr was shown instead of the virtualized one.
>
> To test this using libcap-bin (*1),
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
>
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set. Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
>
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
>
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Hervé Guillemet <herve@guillemet.org>
> Cc: Andrew G. Morgan <morgan@kernel.org>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/security.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>
> static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
> {
> - return -EOPNOTSUPP;
> + return cap_inode_getsecurity(inode, name, buffer, alloc);
> }
>
> static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
2020-11-17 16:11 ` Andrew G. Morgan
2020-11-17 17:51 ` Casey Schaufler
@ 2020-11-20 3:16 ` James Morris
2020-11-20 3:19 ` James Morris
[not found] ` <CALQRfL6q8ppuWi3ygY6iqh6SX9pnkVnvJDynTD61K2wUqerahg@mail.gmail.com>
4 siblings, 0 replies; 13+ messages in thread
From: James Morris @ 2020-11-20 3:16 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: lkml, Hervé Guillemet, Andrew G. Morgan, Casey Schaufler,
linux-security-module
[-- Attachment #1: Type: text/plain, Size: 2294 bytes --]
[Adding LSM list]
On Tue, 17 Nov 2020, Serge E. Hallyn wrote:
> Namespaced file capabilities were introduced in 8db6c34f1dbc .
> When userspace reads an xattr for a namespaced capability, a
> virtualized representation of it is returned if the caller is
> in a user namespace owned by the capability's owning rootid.
> The function which performs this virtualization was not hooked
> up if CONFIG_SECURITY=n. Therefore in that case the original
> xattr was shown instead of the virtualized one.
>
> To test this using libcap-bin (*1),
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin-eip $v
> $ unshare -Ur setcap -v cap_sys_admin-eip $v
> /tmp/tmp.lSiIFRvt8Y: OK
>
> "setcap -v" verifies the values instead of setting them, and
> will check whether the rootid value is set. Therefore, with
> this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> fail:
>
> $ v=$(mktemp)
> $ unshare -Ur setcap cap_sys_admin=eip $v
> $ unshare -Ur setcap -v cap_sys_admin=eip $v
> nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
>
> Fix this bug by calling cap_inode_getsecurity() in
> security_inode_getsecurity() instead of returning
> -EOPNOTSUPP, when CONFIG_SECURITY=n.
>
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> Cc: Hervé Guillemet <herve@guillemet.org>
> Cc: Andrew G. Morgan <morgan@kernel.org>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/security.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index bc2725491560..39642626a707 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
>
> static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
> {
> - return -EOPNOTSUPP;
> + return cap_inode_getsecurity(inode, name, buffer, alloc);
> }
>
> static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
` (2 preceding siblings ...)
2020-11-20 3:16 ` James Morris
@ 2020-11-20 3:19 ` James Morris
[not found] ` <CALQRfL6q8ppuWi3ygY6iqh6SX9pnkVnvJDynTD61K2wUqerahg@mail.gmail.com>
4 siblings, 0 replies; 13+ messages in thread
From: James Morris @ 2020-11-20 3:19 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: lkml, Hervé Guillemet, Andrew G. Morgan, Casey Schaufler,
linux-security-module
On Tue, 17 Nov 2020, Serge E. Hallyn wrote:
> *1 - note, if libcap is too old for getcap to have the '-n'
> option, then use verify-caps instead.
>
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
"Perf fails to compile with python 3.7"
Wrong bug ID?
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-11-17 16:11 ` Andrew G. Morgan
@ 2020-11-20 3:19 ` James Morris
2020-11-20 5:03 ` Andrew G. Morgan
0 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2020-11-20 3:19 UTC (permalink / raw)
To: Andrew G. Morgan
Cc: Serge E. Hallyn, lkml, Hervé Guillemet, Casey Schaufler,
linux-security-module
On Tue, 17 Nov 2020, Andrew G. Morgan wrote:
> Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
This should be Acked-by or Reviewed-by, unless this is your patch, or it
came via your tree.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-11-20 3:19 ` James Morris
@ 2020-11-20 5:03 ` Andrew G. Morgan
0 siblings, 0 replies; 13+ messages in thread
From: Andrew G. Morgan @ 2020-11-20 5:03 UTC (permalink / raw)
To: James Morris
Cc: Serge E. Hallyn, lkml, Hervé Guillemet, Casey Schaufler, LSM List
Reviewed-by: Andrew G. Morgan <morgan@kernel.org>
Works for me too.
On Thu, Nov 19, 2020 at 7:20 PM James Morris <jmorris@namei.org> wrote:
>
> On Tue, 17 Nov 2020, Andrew G. Morgan wrote:
>
> > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
>
> This should be Acked-by or Reviewed-by, unless this is your patch, or it
> came via your tree.
>
>
> --
> James Morris
> <jmorris@namei.org>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
[not found] ` <CALQRfL6q8ppuWi3ygY6iqh6SX9pnkVnvJDynTD61K2wUqerahg@mail.gmail.com>
@ 2020-11-29 21:15 ` Serge E. Hallyn
2020-12-01 2:58 ` James Morris
0 siblings, 1 reply; 13+ messages in thread
From: Serge E. Hallyn @ 2020-11-29 21:15 UTC (permalink / raw)
To: James Morris
Cc: Serge E. Hallyn, Andrew G. Morgan, lkml, Hervé Guillemet,
Casey Schaufler
Hi James,
would you mind adding this to the security tree? (You can cherrypick
from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
thanks,
-serge
On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
>
>
> On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
>
> > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > When userspace reads an xattr for a namespaced capability, a
> > virtualized representation of it is returned if the caller is
> > in a user namespace owned by the capability's owning rootid.
> > The function which performs this virtualization was not hooked
> > up if CONFIG_SECURITY=n. Therefore in that case the original
> > xattr was shown instead of the virtualized one.
> >
> > To test this using libcap-bin (*1),
> >
> > $ v=$(mktemp)
> > $ unshare -Ur setcap cap_sys_admin-eip $v
> > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > /tmp/tmp.lSiIFRvt8Y: OK
> >
> > "setcap -v" verifies the values instead of setting them, and
> > will check whether the rootid value is set. Therefore, with
> > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > fail:
> >
> > $ v=$(mktemp)
> > $ unshare -Ur setcap cap_sys_admin=eip $v
> > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> >
> > Fix this bug by calling cap_inode_getsecurity() in
> > security_inode_getsecurity() instead of returning
> > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> >
> > *1 - note, if libcap is too old for getcap to have the '-n'
> > option, then use verify-caps instead.
> >
> > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > Cc: Hervé Guillemet <herve@guillemet.org>
> > Cc: Andrew G. Morgan <morgan@kernel.org>
> > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > ---
> > include/linux/security.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index bc2725491560..39642626a707 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > dentry *dentry)
> >
> > static inline int security_inode_getsecurity(struct inode *inode, const
> > char *name, void **buffer, bool alloc)
> > {
> > - return -EOPNOTSUPP;
> > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > }
> >
> > static inline int security_inode_setsecurity(struct inode *inode, const
> > char *name, const void *value, size_t size, int flags)
> > --
> > 2.25.1
> >
> >
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-11-29 21:15 ` Serge E. Hallyn
@ 2020-12-01 2:58 ` James Morris
2020-12-04 15:58 ` Andrew G. Morgan
0 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2020-12-01 2:58 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: Andrew G. Morgan, lkml, Hervé Guillemet, Casey Schaufler
[-- Attachment #1: Type: text/plain, Size: 2986 bytes --]
On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
> Hi James,
>
> would you mind adding this to the security tree? (You can cherrypick
> from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
Sure.
>
> thanks,
> -serge
>
> On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> >
> >
> > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> >
> > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > When userspace reads an xattr for a namespaced capability, a
> > > virtualized representation of it is returned if the caller is
> > > in a user namespace owned by the capability's owning rootid.
> > > The function which performs this virtualization was not hooked
> > > up if CONFIG_SECURITY=n. Therefore in that case the original
> > > xattr was shown instead of the virtualized one.
> > >
> > > To test this using libcap-bin (*1),
> > >
> > > $ v=$(mktemp)
> > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > /tmp/tmp.lSiIFRvt8Y: OK
> > >
> > > "setcap -v" verifies the values instead of setting them, and
> > > will check whether the rootid value is set. Therefore, with
> > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > fail:
> > >
> > > $ v=$(mktemp)
> > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > >
> > > Fix this bug by calling cap_inode_getsecurity() in
> > > security_inode_getsecurity() instead of returning
> > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > >
> > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > option, then use verify-caps instead.
> > >
> > > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > Cc: Hervé Guillemet <herve@guillemet.org>
> > > Cc: Andrew G. Morgan <morgan@kernel.org>
> > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > ---
> > > include/linux/security.h | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > index bc2725491560..39642626a707 100644
> > > --- a/include/linux/security.h
> > > +++ b/include/linux/security.h
> > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > dentry *dentry)
> > >
> > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > char *name, void **buffer, bool alloc)
> > > {
> > > - return -EOPNOTSUPP;
> > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > }
> > >
> > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > char *name, const void *value, size_t size, int flags)
> > > --
> > > 2.25.1
> > >
> > >
>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-12-01 2:58 ` James Morris
@ 2020-12-04 15:58 ` Andrew G. Morgan
2020-12-05 0:27 ` James Morris
2020-12-05 17:40 ` Serge E. Hallyn
0 siblings, 2 replies; 13+ messages in thread
From: Andrew G. Morgan @ 2020-12-04 15:58 UTC (permalink / raw)
To: James Morris; +Cc: Serge E. Hallyn, lkml, Hervé Guillemet, Casey Schaufler
The correct bug reference for this patch is:
https://bugzilla.kernel.org/show_bug.cgi?id=209689
Reviewed-by: Andrew G. Morgan <morgan@kernel.org>
On Mon, Nov 30, 2020 at 6:58 PM James Morris <jmorris@namei.org> wrote:
>
> On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
>
> > Hi James,
> >
> > would you mind adding this to the security tree? (You can cherrypick
> > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
>
> Sure.
>
> >
> > thanks,
> > -serge
> >
> > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> > >
> > >
> > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > >
> > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > When userspace reads an xattr for a namespaced capability, a
> > > > virtualized representation of it is returned if the caller is
> > > > in a user namespace owned by the capability's owning rootid.
> > > > The function which performs this virtualization was not hooked
> > > > up if CONFIG_SECURITY=n. Therefore in that case the original
> > > > xattr was shown instead of the virtualized one.
> > > >
> > > > To test this using libcap-bin (*1),
> > > >
> > > > $ v=$(mktemp)
> > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > >
> > > > "setcap -v" verifies the values instead of setting them, and
> > > > will check whether the rootid value is set. Therefore, with
> > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > fail:
> > > >
> > > > $ v=$(mktemp)
> > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > >
> > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > security_inode_getsecurity() instead of returning
> > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > >
> > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > option, then use verify-caps instead.
> > > >
> > > > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > Cc: Hervé Guillemet <herve@guillemet.org>
> > > > Cc: Andrew G. Morgan <morgan@kernel.org>
> > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > ---
> > > > include/linux/security.h | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > index bc2725491560..39642626a707 100644
> > > > --- a/include/linux/security.h
> > > > +++ b/include/linux/security.h
> > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > dentry *dentry)
> > > >
> > > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > > char *name, void **buffer, bool alloc)
> > > > {
> > > > - return -EOPNOTSUPP;
> > > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > > }
> > > >
> > > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > > char *name, const void *value, size_t size, int flags)
> > > > --
> > > > 2.25.1
> > > >
> > > >
> >
>
> --
> James Morris
> <jmorris@namei.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-12-04 15:58 ` Andrew G. Morgan
@ 2020-12-05 0:27 ` James Morris
2020-12-05 17:40 ` Serge E. Hallyn
1 sibling, 0 replies; 13+ messages in thread
From: James Morris @ 2020-12-05 0:27 UTC (permalink / raw)
To: Andrew G. Morgan
Cc: Serge E. Hallyn, lkml, Hervé Guillemet, Casey Schaufler,
linux-security-module
On Fri, 4 Dec 2020, Andrew G. Morgan wrote:
> The correct bug reference for this patch is:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=209689
>
> Reviewed-by: Andrew G. Morgan <morgan@kernel.org>
Thanks.
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git fixes-5.10
and next-testing
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-12-04 15:58 ` Andrew G. Morgan
2020-12-05 0:27 ` James Morris
@ 2020-12-05 17:40 ` Serge E. Hallyn
2020-12-05 17:41 ` Serge E. Hallyn
1 sibling, 1 reply; 13+ messages in thread
From: Serge E. Hallyn @ 2020-12-05 17:40 UTC (permalink / raw)
To: Andrew G. Morgan
Cc: James Morris, Serge E. Hallyn, lkml, Hervé Guillemet,
Casey Schaufler
How odd - where did that come from?
James, I force-pushed that with corrected bugzilla link to
2020-11-29/fix-nscaps. Sorry about that.
On Fri, Dec 04, 2020 at 07:58:14AM -0800, Andrew G. Morgan wrote:
> The correct bug reference for this patch is:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=209689
>
> Reviewed-by: Andrew G. Morgan <morgan@kernel.org>
>
> On Mon, Nov 30, 2020 at 6:58 PM James Morris <jmorris@namei.org> wrote:
> >
> > On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
> >
> > > Hi James,
> > >
> > > would you mind adding this to the security tree? (You can cherrypick
> > > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
> >
> > Sure.
> >
> > >
> > > thanks,
> > > -serge
> > >
> > > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> > > >
> > > >
> > > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > > >
> > > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > > When userspace reads an xattr for a namespaced capability, a
> > > > > virtualized representation of it is returned if the caller is
> > > > > in a user namespace owned by the capability's owning rootid.
> > > > > The function which performs this virtualization was not hooked
> > > > > up if CONFIG_SECURITY=n. Therefore in that case the original
> > > > > xattr was shown instead of the virtualized one.
> > > > >
> > > > > To test this using libcap-bin (*1),
> > > > >
> > > > > $ v=$(mktemp)
> > > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > > >
> > > > > "setcap -v" verifies the values instead of setting them, and
> > > > > will check whether the rootid value is set. Therefore, with
> > > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > > fail:
> > > > >
> > > > > $ v=$(mktemp)
> > > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > > >
> > > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > > security_inode_getsecurity() instead of returning
> > > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > > >
> > > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > > option, then use verify-caps instead.
> > > > >
> > > > > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > > Cc: Hervé Guillemet <herve@guillemet.org>
> > > > > Cc: Andrew G. Morgan <morgan@kernel.org>
> > > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > > ---
> > > > > include/linux/security.h | 2 +-
> > > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > > index bc2725491560..39642626a707 100644
> > > > > --- a/include/linux/security.h
> > > > > +++ b/include/linux/security.h
> > > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > > dentry *dentry)
> > > > >
> > > > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > > > char *name, void **buffer, bool alloc)
> > > > > {
> > > > > - return -EOPNOTSUPP;
> > > > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > > > }
> > > > >
> > > > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > > > char *name, const void *value, size_t size, int flags)
> > > > > --
> > > > > 2.25.1
> > > > >
> > > > >
> > >
> >
> > --
> > James Morris
> > <jmorris@namei.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix namespaced fscaps when !CONFIG_SECURITY
2020-12-05 17:40 ` Serge E. Hallyn
@ 2020-12-05 17:41 ` Serge E. Hallyn
0 siblings, 0 replies; 13+ messages in thread
From: Serge E. Hallyn @ 2020-12-05 17:41 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: Andrew G. Morgan, James Morris, lkml, Hervé Guillemet,
Casey Schaufler
Oh, I see you'd changed it inline :) Thanks
On Sat, Dec 05, 2020 at 11:40:00AM -0600, Serge E. Hallyn wrote:
> How odd - where did that come from?
>
> James, I force-pushed that with corrected bugzilla link to
> 2020-11-29/fix-nscaps. Sorry about that.
>
> On Fri, Dec 04, 2020 at 07:58:14AM -0800, Andrew G. Morgan wrote:
> > The correct bug reference for this patch is:
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=209689
> >
> > Reviewed-by: Andrew G. Morgan <morgan@kernel.org>
> >
> > On Mon, Nov 30, 2020 at 6:58 PM James Morris <jmorris@namei.org> wrote:
> > >
> > > On Sun, 29 Nov 2020, Serge E. Hallyn wrote:
> > >
> > > > Hi James,
> > > >
> > > > would you mind adding this to the security tree? (You can cherrypick
> > > > from https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/commit/?h=2020-11-29/fix-nscaps )
> > >
> > > Sure.
> > >
> > > >
> > > > thanks,
> > > > -serge
> > > >
> > > > On Tue, Nov 17, 2020 at 08:09:59AM -0800, Andrew G. Morgan wrote:
> > > > > Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> > > > >
> > > > >
> > > > > On Tue, Nov 17, 2020 at 7:09 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > > > >
> > > > > > Namespaced file capabilities were introduced in 8db6c34f1dbc .
> > > > > > When userspace reads an xattr for a namespaced capability, a
> > > > > > virtualized representation of it is returned if the caller is
> > > > > > in a user namespace owned by the capability's owning rootid.
> > > > > > The function which performs this virtualization was not hooked
> > > > > > up if CONFIG_SECURITY=n. Therefore in that case the original
> > > > > > xattr was shown instead of the virtualized one.
> > > > > >
> > > > > > To test this using libcap-bin (*1),
> > > > > >
> > > > > > $ v=$(mktemp)
> > > > > > $ unshare -Ur setcap cap_sys_admin-eip $v
> > > > > > $ unshare -Ur setcap -v cap_sys_admin-eip $v
> > > > > > /tmp/tmp.lSiIFRvt8Y: OK
> > > > > >
> > > > > > "setcap -v" verifies the values instead of setting them, and
> > > > > > will check whether the rootid value is set. Therefore, with
> > > > > > this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will
> > > > > > fail:
> > > > > >
> > > > > > $ v=$(mktemp)
> > > > > > $ unshare -Ur setcap cap_sys_admin=eip $v
> > > > > > $ unshare -Ur setcap -v cap_sys_admin=eip $v
> > > > > > nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in []
> > > > > >
> > > > > > Fix this bug by calling cap_inode_getsecurity() in
> > > > > > security_inode_getsecurity() instead of returning
> > > > > > -EOPNOTSUPP, when CONFIG_SECURITY=n.
> > > > > >
> > > > > > *1 - note, if libcap is too old for getcap to have the '-n'
> > > > > > option, then use verify-caps instead.
> > > > > >
> > > > > > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > > > > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1593431
> > > > > > Cc: Hervé Guillemet <herve@guillemet.org>
> > > > > > Cc: Andrew G. Morgan <morgan@kernel.org>
> > > > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > > > ---
> > > > > > include/linux/security.h | 2 +-
> > > > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > >
> > > > > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > > > > index bc2725491560..39642626a707 100644
> > > > > > --- a/include/linux/security.h
> > > > > > +++ b/include/linux/security.h
> > > > > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > > > > dentry *dentry)
> > > > > >
> > > > > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > > > > char *name, void **buffer, bool alloc)
> > > > > > {
> > > > > > - return -EOPNOTSUPP;
> > > > > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > > > > }
> > > > > >
> > > > > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > > > > char *name, const void *value, size_t size, int flags)
> > > > > > --
> > > > > > 2.25.1
> > > > > >
> > > > > >
> > > >
> > >
> > > --
> > > James Morris
> > > <jmorris@namei.org>
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2020-12-05 18:38 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-17 15:08 [PATCH] fix namespaced fscaps when !CONFIG_SECURITY Serge E. Hallyn
2020-11-17 16:11 ` Andrew G. Morgan
2020-11-20 3:19 ` James Morris
2020-11-20 5:03 ` Andrew G. Morgan
2020-11-17 17:51 ` Casey Schaufler
2020-11-20 3:16 ` James Morris
2020-11-20 3:19 ` James Morris
[not found] ` <CALQRfL6q8ppuWi3ygY6iqh6SX9pnkVnvJDynTD61K2wUqerahg@mail.gmail.com>
2020-11-29 21:15 ` Serge E. Hallyn
2020-12-01 2:58 ` James Morris
2020-12-04 15:58 ` Andrew G. Morgan
2020-12-05 0:27 ` James Morris
2020-12-05 17:40 ` Serge E. Hallyn
2020-12-05 17:41 ` Serge E. Hallyn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).