lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Mar 2015 11:57:01 -0700 From: Andy Lutomirski <luto@...capital.net> To: Konstantin Khlebnikov <koct9i@...il.com> Cc: Konstantin Khlebnikov <khlebnikov@...dex-team.ru>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, Dave Chinner <david@...morbit.com>, Jan Kara <jack@...e.cz>, "linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>, "Theodore Ts'o" <tytso@....edu>, Dmitry Monakhov <dmonakhov@...nvz.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Li Xi <pkuelelixi@...il.com> Subject: Re: [PATCH RFC v2 2/6] fs: protected project id On Tue, Mar 10, 2015 at 11:51 AM, Konstantin Khlebnikov <koct9i@...il.com> wrote: > On Tue, Mar 10, 2015 at 8:32 PM, Andy Lutomirski <luto@...capital.net> wrote: >> On Tue, Mar 10, 2015 at 10:22 AM, Konstantin Khlebnikov >> <khlebnikov@...dex-team.ru> wrote: >>> Historically XFS project id doesn't have any permission control: file owner >>> is able to set any project id. Later they was sealed with user-namespace: >>> XFS allows to change it only from init user-ns. That works fine for isolated >>> containers or if user doesn't have direct access to the filesystem (NFS/FTP). >>> >>> This patch adds sysctl fs.protected_projects which makes changing project id >>> privileged operation which requires CAP_SYS_RESOURCE in current user-namespace. >>> Thus there are two levels of protection: project id mapping in user-ns defines >>> set of permitted projects and capability protects operations within this set. >> >> If I understand this right, this doesn't work. If I lack >> CAP_SYS_RESOURCE but I have two projids mapped, then I can create a >> new userns, map both projids, and get CAP_SYS_RESOURCE. > > Setting project id mapping for nested user-namespace also requires > this capability in parent namespace. The same as for setting uid/gid > mapping but without special case for mapping current uid/gid because > task has no "current" project id. > > This is mentioned in cover letter but I forget it here. Sorry. Right, sorry. I'm still used to projid mappings being unprotected. --Andy > >> >> --Andy >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in >> the body of a message to majordomo@...r.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html -- Andy Lutomirski AMA Capital Management, LLC -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists