| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jul 2017 18:41:39 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc: containers@...ts.linux-foundation.org, lkp@...org,
linux-kernel@...r.kernel.org, zohar@...ux.vnet.ibm.com,
tycho@...ker.com, serge@...lyn.com,
James.Bottomley@...senPartnership.com, vgoyal@...hat.com,
christian.brauner@...lbox.org, amir73il@...il.com,
linux-security-module@...r.kernel.org, casey@...aufler-ca.com,
Stefan Berger <stefanb@...ux.vnet.ibm.com>
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes:
> From: Stefan Berger <stefanb@...ux.vnet.ibm.com>
>
> This patch enables security.capability in user namespaces but also
> takes a more general approach to enabling extended attributes in user
> namespaces.
>
> The following rules describe the approach using security.foo as a
> 'user namespace enabled' extended attribute:
>
> Reading of extended attributes:
>
> 1a) Reading security.foo from a user namespace will read
> security.foo@...=<uid> of the parent user namespace instead with uid
> being the mapping of root in that parent user namespace. An
> exception is if root is mapped to uid 0 on the host, and in this case
> we will read security.foo directly.
> --> reading security.foo will read security.foo@...=1000 for uid
> mapping of root to 1000.
>
> 1b) If security.foo@...=<uid> is not available, the security.foo of the
> parent namespace is tried to be read. This procedure is repeated up to
> the init user namespace. This step only applies for reading of extended
> attributes and provides the same behavior as older system where the
> host's extended attributes applied to user namespaces.
>
> 2) All security.foo@...=<uid> with valid uid mapping in the user namespace
> can be read. The uid within the user namespace will be mapped to the
> corresponding uid on the host and that uid will be used in the name of
> the extended attribute.
> -> reading security.foo@...=1 will read security.foo@...=1001 for uid
> mapping of root to 1000, size of at least 2.
>
> All security.foo@...=<uid> can be read (by root) on the host with values
> of <uid> also being subject to checking for valid mappings.
>
> 3) No other security.foo* can be read.
>
> The same rules for reading apply to writing and removing of user
> namespace enabled extended attributes.
>
> When listing extended attributes of a file, only those are presented
> to the user namespace that have a valid mapping. Besides that, names
> of the extended attributes are adjusted to represent the mapping.
> This means that if root is mapped to uid 1000 on the host, the
> security.foo@...=1000 will be listed as security.foo in the user
> namespace, security.foo@...=1001 becomes security.foo@...=1 and so on.
>
> Signed-off-by: Stefan Berger <stefanb@...ux.vnet.ibm.com>
> Signed-off-by: Serge Hallyn <serge@...lyn.com>
> Reviewed-by: Serge Hallyn <serge@...lyn.com>
> ---
> fs/xattr.c | 509 +++++++++++++++++++++++++++++++++++++++++++++--
> security/commoncap.c | 36 +++-
> security/selinux/hooks.c | 9 +-
> 3 files changed, 523 insertions(+), 31 deletions(-)
I am just going to quickly and publicly point out that as designed this
patch breaks evm inode metadata signing. As evm_config_xattrnames is not
updated.
While not completely insurmountable that seems like a strong limitation of
this design.
Eric
Powered by blists - more mailing lists