lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87r30d255v.fsf@xmission.com>
Date:   Thu, 27 Apr 2017 11:20:44 -0500
From:   ebiederm@...ssion.com (Eric W. Biederman)
To:     "Serge E. Hallyn" <serge@...lyn.com>
Cc:     Seth Forshee <seth.forshee@...onical.com>,
        lkml <linux-kernel@...r.kernel.org>, linux-api@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Kees Cook <keescook@...omium.org>,
        Andreas Gruenbacher <agruenba@...hat.com>,
        Andy Lutomirski <luto@...nel.org>,
        "Andrew G. Morgan" <morgan@...nel.org>
Subject: Re: [PATCH] Introduce v3 namespaced file capabilities

ebiederm@...ssion.com (Eric W. Biederman) writes:

> "Serge E. Hallyn" <serge@...lyn.com> writes:
>
>> Quoting Eric W. Biederman (ebiederm@...ssion.com):
>>> 
>>> "Serge E. Hallyn" <serge@...lyn.com> writes:
>>> 
>>> > diff --git a/fs/xattr.c b/fs/xattr.c
>>> > index 7e3317c..75cc65a 100644
>>> > --- a/fs/xattr.c
>>> > +++ b/fs/xattr.c
>>> > @@ -170,12 +170,29 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
>>> >  		const void *value, size_t size, int flags)
>>> >  {
>>> >  	struct inode *inode = dentry->d_inode;
>>> > -	int error = -EAGAIN;
>>> > +	int error;
>>> > +	void *wvalue = NULL;
>>> > +	size_t wsize = 0;
>>> >  	int issec = !strncmp(name, XATTR_SECURITY_PREFIX,
>>> >  				   XATTR_SECURITY_PREFIX_LEN);
>>> >  
>>> > -	if (issec)
>>> > +	if (issec) {
>>> >  		inode->i_flags &= ~S_NOSEC;
>>> > +
>>> > +		if (!strcmp(name, "security.capability")) {
>>> > +			error = cap_setxattr_convert_nscap(dentry, value, size,
>>> > +					&wvalue, &wsize);
>>> > +			if (error < 0)
>>> > +				return error;
>>> > +			if (wvalue) {
>>> > +				value = wvalue;
>>> > +				size = wsize;
>>> > +			}
>>> > +		}
>>> > +	}
>>> > +
>>> > +	error = -EAGAIN;
>>> > +
>>> 
>>> Why is the conversion in __vfs_setxattr_noperm and not in setattr as
>>> was done for posix_acl_fix_xattr_from_user?
>>
>> I think I was thinking I wanted to catch all the vfs_setxattr operations,
>> but I don't think that's right.  Moving to setxattr seems right.  I'll
>> look around a bit more.
>
> Thanks.  This is one of these little details that we want a good answer
> to why there.  If you can document that in your patch description when
> you resend I would appreciate it.

Ok. Grrr.

Looking at this a little more getting it correct where we call the
conversion operation is critical. 

I believe the current placement of cap_setxattr_convert_nscap is
actively wrong.  In particular unless I am misleading something this
will trigger multiple conversions when setting one of these attributes
on overlayfs.

The stragey I adopted for for posix acls is:

   On a write from userspace convert from current_user_ns() to &init_user_ns.
   On a write to the filesystem convert from &init_user_ns to fs_user_ns.
   
   On a read from the filesystem convert from fs_user_ns to &init_user_ns
   On a read from the kernel to userspace convert from &init_user_ns
      to current_user_ns().

Overall a good strategy but no one we can trivially adopt for the
capability xattr as the second write to filesystem method does not
appear to actually exist for anything except for posix acls.

I need to think a little more about how we want to accomplish this for
the capability xattr.  My apoligies for leading you down a path that has
all of these bumps and then being sufficiently distracted not to help
you through this maze.

The only easy solution I can see is to just always keep things in
&init_user_ns inside the kernel.   That works until we bring fuse or
other unprivileged mounts onboard that have storage outside of the
kernel.

Seth and I will have to rework that for fuse support but that sounds
better than not letting such an issue prevent us from merging the code.


Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ