Date:	Wed, 29 Jul 2015 11:18:06 -0500
From:	"Serge E. Hallyn" <serge@...lyn.com>
To:	"Serge E. Hallyn" <serge@...lyn.com>
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Andy Lutomirski <luto@...capital.net>,
	Seth Forshee <seth.forshee@...onical.com>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Serge Hallyn <serge.hallyn@...onical.com>,
	James Morris <james.l.morris@...cle.com>,
	Linux FS Devel <linux-fsdevel@...r.kernel.org>,
	LSM List <linux-security-module@...r.kernel.org>,
	SELinux-NSA <selinux@...ho.nsa.gov>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 3/7] fs: Ignore file caps in mounts from other user
 namespaces

On Wed, Jul 29, 2015 at 11:04:50AM -0500, Serge E. Hallyn wrote:
> On Thu, Jul 16, 2015 at 12:04:43AM -0500, Eric W. Biederman wrote:
> > > I tend to think that, if we're not honoring the fcaps, we shouldn't be
> > > honoring the setuid bit either.  After all, it's really not a trusted
> > > file, even though the only user who could have messed with it really
> > > is the apparent owner.
> > 
> > For the file caps we can't honor them because you don't have the bits
> > in struct cred.
> > 
> > For setuid we can honor it, and setuid is something that the user
> > namespace allows.
> 
> Setuid is something explicitly tied to the user id.  File capabilities
> are MAC, that is, explicitly orthogonal to user id.  So 100% agreed with
> honoring setuid in user_ns and, for now, ignoring file caps.

Hm.  No.  Seems like both should be fine when current is in the mounter's
user_ns, and ignored otherwise.

(The below is still needed :)

> As I've mentioned a few times privately, I'm intending to implement
> user-namespaced file capabilities as a new xattr.  Design is not 100%
> nailed down, but probably it would support a set of userns_fcaps, each
> of which lists the k_uid of the root user in the namespace assigning the
> filecaps, followed by three sets.  Then when exec()ing the file, if
> the current->userns->root user has a userns_fcap entry, or there is a -1
> entry, then use that, else use nothing.  I think this is a very important
> thing to support, to remove a barrier to shipping packages with software
> using filecaps.  Without this, any package, say ping, which wants to
> support being installed in a (unprivileged) container would need to also
> support use without filecaps, meaning that will likely be the only
> supported mode.
> 
> -serge
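
The exec-time lookup rule sketched in the quoted design (one entry per namespace root, a -1 wildcard, otherwise nothing), as an added example that is not part of the original message or of any kernel code. The struct layout, the names given to the three sets, and the choice that an exact match takes precedence over the wildcard are assumptions; the table contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FCAP_ANY_ROOT ((uint32_t)-1)   /* the "-1 entry" from the message */
#define CAP_NET_RAW_BIT (1ULL << 13)   /* CAP_NET_RAW, what ping needs */

/* Hypothetical entry layout, not a kernel structure. */
struct userns_fcap {
    uint32_t root_kuid;    /* kernel uid of the assigning namespace's root */
    uint64_t permitted;    /* names of the "three sets" are assumed */
    uint64_t inheritable;
    uint64_t effective;
};

/*
 * Pick the entry to apply when a task whose user namespace root maps to
 * ns_root_kuid exec()s the file. Assumption: an exact match wins over the
 * wildcard regardless of order. NULL means "use nothing".
 */
const struct userns_fcap *
select_userns_fcap(const struct userns_fcap *tab, size_t n, uint32_t ns_root_kuid)
{
    const struct userns_fcap *wild = NULL;

    for (size_t i = 0; i < n; i++) {
        if (tab[i].root_kuid == ns_root_kuid)
            return &tab[i];
        if (tab[i].root_kuid == FCAP_ANY_ROOT && wild == NULL)
            wild = &tab[i];
    }
    return wild;
}

/* Constructed sample: caps assigned only by the namespace rooted at 100000. */
static const struct userns_fcap only_one_ns[] = {
    { 100000, CAP_NET_RAW_BIT, 0, CAP_NET_RAW_BIT },
};
/* Constructed sample: wildcard listed first, then a specific namespace. */
static const struct userns_fcap with_wildcard[] = {
    { FCAP_ANY_ROOT, CAP_NET_RAW_BIT, 0, CAP_NET_RAW_BIT },
    { 200000, 0, 0, 0 },   /* this namespace root assigned no capabilities */
};

int main(void)
{
    const struct userns_fcap *e = select_userns_fcap(only_one_ns, 1, 300000);
    printf("foreign ns, no wildcard: %s\n", e ? "entry applied" : "nothing");
    e = select_userns_fcap(with_wildcard, 2, 200000);
    printf("ns 200000 permitted: %#llx\n", (unsigned long long)e->permitted);
    return 0;
}
```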