lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20150729160450.GA21625@mail.hallyn.com>
Date:	Wed, 29 Jul 2015 11:04:50 -0500
From:	"Serge E. Hallyn" <serge@...lyn.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	Andy Lutomirski <luto@...capital.net>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Seth Forshee <seth.forshee@...onical.com>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Serge Hallyn <serge.hallyn@...onical.com>,
	James Morris <james.l.morris@...cle.com>,
	Linux FS Devel <linux-fsdevel@...r.kernel.org>,
	LSM List <linux-security-module@...r.kernel.org>,
	SELinux-NSA <selinux@...ho.nsa.gov>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 3/7] fs: Ignore file caps in mounts from other user
 namespaces

On Thu, Jul 16, 2015 at 12:04:43AM -0500, Eric W. Biederman wrote:
> > I tend to thing that, if we're not honoring the fcaps, we shouldn't be
> > honoring the setuid bit either.  After all, it's really not a trusted
> > file, even though the only user who could have messed with it really
> > is the apparent owner.
> 
> For the file caps we can't honor them because you don't have the bits
> in struct cred.
> 
> For setuid we can honor it, and setuid is something that the user
> namespace allows.

Setuid is something explicitly tied to the user id.  File capabilities
are MAC, that is, explicitly orthogonal to user id.  So 100% agreed with
honoring setuid in user_ns and, for now, ignoring file caps.

As I've mentioned a few times privately, I'm intending to implement
user-namespaced file capabilities as a new xattr.  Design is not 100%
nailed down, but probably it would support a set of userns_fcaps, each
of which lists the k_uid of the root user in the namespace assigning the
filecaps, followed by three sets.  Then when exec()ing the file, if
the current->userns->root user has a userns_fcap entry, or there is a -1
entry, then use that, else use nothing.  I think this is a very importing
thing to support, to remove a barrier to shipping packages with software
using filecaps.  Without this, any package, say ping, which wants to
support being installed in a (unprivileged) cotainer would need to also
support use without filecaps, meaning that will likely be the only
supported mode.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ