[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170623205118.GA23674@mail.hallyn.com>
Date: Fri, 23 Jun 2017 15:51:18 -0500
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Vivek Goyal <vgoyal@...hat.com>
Cc: "Serge E. Hallyn" <serge@...lyn.com>,
Stefan Berger <stefanb@...ux.vnet.ibm.com>,
ebiederm@...ssion.com, containers@...ts.linux-foundation.org,
lkp@...org, xiaolong.ye@...el.com, linux-kernel@...r.kernel.org,
zohar@...ux.vnet.ibm.com, tycho@...ker.com,
James.Bottomley@...senPartnership.com,
christian.brauner@...lbox.org, amir73il@...il.com,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH 0/3] Enable namespaced file capabilities
Quoting Vivek Goyal (vgoyal@...hat.com):
> On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote:
> > Quoting Vivek Goyal (vgoyal@...hat.com):
> > > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:
> > > > This series of patches primary goal is to enable file capabilities
> > > > in user namespaces without affecting the file capabilities that are
> > > > effective on the host. This is to prevent that any unprivileged user
> > > > on the host maps his own uid to root in a private namespace, writes
> > > > the xattr, and executes the file with privilege on the host.
> > > >
> > > > We achieve this goal by writing extended attributes with a different
> > > > name when a user namespace is used. If for example the root user
> > > > in a user namespace writes the security.capability xattr, the name
> > > > of the xattr that is actually written is encoded as
> > > > security.capability@...=1000 for root mapped to uid 1000 on the host.
> > > > When listing the xattrs on the host, the existing security.capability
> > > > as well as the security.capability@...=1000 will be shown. Inside the
> > > > namespace only 'security.capability', with the value of
> > > > security.capability@...=1000, is visible.
> > >
> > > Hi Stefan,
> > >
> > > Got a question. If child usernamespace sets a
> > > security.capability@...=1000, can any of the parent namespace remove it?
> > >
> > > IOW, I set capability from usernamespace and tried to remove it from
> > > host and that failed. Is that expected.
> > >
> > > # Inside usernamespce
> > > $setcap cat_net_raw+ep foo.txt
> > >
> > > # outside user namespace
> > > $listxattr foo.txt
> > > xattr: security.capability@...=1000
> > > xattr: security.selinux
> > >
> > > # outside user namespace
> > > setfattr -x security.capability@uid foo.txt
> > > setfattr: foo.txt: Invalid argument
> > >
> > > Doing a strace shows removexattr() failed. May this will need fixing?
> > >
> > > removexattr("testfile.txt", "security.capability@uid") = -1 EINVAL
> > > (Invalid argument)
> >
> > That's not the right xattr, though, does
> >
> > setfattr -x security.capability@...=1000 foo.txt
> >
> > work?
>
> Yep, that works (as root on host). My bad.
>
> >
> > If you are in fact uid=1000 then that should work.
>
> Tried setfattr -x as uid 1000 in init_user_ns and that seems to have
> issues.
D'oh, yes, I was thinking wrongly. You need *privilege* over the uid, meaning
CAP_SETFACL against your user_ns and uid 1000 mapped into the user_ns. So yeah
just uid 1000 won't suffice.
Powered by blists - more mailing lists