lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 01 Dec 2021 17:01:41 -0500
From:   James Bottomley <jejb@...ux.ibm.com>
To:     Stefan Berger <stefanb@...ux.ibm.com>,
        linux-integrity@...r.kernel.org
Cc:     zohar@...ux.ibm.com, serge@...lyn.com,
        christian.brauner@...ntu.com, containers@...ts.linux.dev,
        dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
        krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
        mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
        puiterwi@...hat.com, jamjoom@...ibm.com,
        linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace

On Wed, 2021-12-01 at 16:34 -0500, Stefan Berger wrote:
> On 12/1/21 16:11, James Bottomley wrote:
> > On Wed, 2021-12-01 at 15:25 -0500, Stefan Berger wrote:
> > > On 12/1/21 14:21, James Bottomley wrote:
> > > > On Wed, 2021-12-01 at 13:11 -0500, Stefan Berger wrote:
> > > > > On 12/1/21 12:56, James Bottomley wrote:
> > > > [...]
> > > > > I tried this with runc and a user namespace active mapping
> > > > > uid
> > > > > 1000 on the host to uid 0 in the container. There I run into
> > > > > the
> > > > > problem that  all of the files and directories without the
> > > > > above
> > > > > work-around are mapped to 'nobody', just like all the files
> > > > > in
> > > > > sysfs in this case are also mapped to nobody. This code
> > > > > resolved
> > > > > the issue.
> > > > So I applied your patches with the permission shift commented
> > > > out
> > > > and instrumented inode_alloc() to see where it might be failing
> > > > and
> > > > I actually find it all works as expected for me:
> > > > 
> > > > ejb@...tdeb:~> unshare -r --user --mount --ima
> > > > root@...tdeb:~# mount -t securityfs_ns none
> > > > /sys/kernel/security
> > > > root@...tdeb:~# ls -l /sys/kernel/security/ima/
> > > > total 0
> > > > -r--r----- 1 root root 0 Dec  1 19:11
> > > > ascii_runtime_measurements
> > > > -r--r----- 1 root root 0 Dec  1 19:11
> > > > binary_runtime_measurements
> > > > -rw------- 1 root root 0 Dec  1 19:11 policy
> > > > -r--r----- 1 root root 0 Dec  1 19:11
> > > > runtime_measurements_count
> > > > -r--r----- 1 root root 0 Dec  1 19:11 violations
> > > > 
> > > > I think your problem is something to do with how runc is
> > > > installing
> > > > the uid/gid mappings.  If it's installing them after the
> > > > security_ns inodes are created then they get the -1 value
> > > > (because
> > > > no mappings exist in s_user_ns).  I can even demonstrate this
> > > > by
> > > > forcing unshare to enter the IMA namespace before writing the
> > > > mapping values and I'll see "nobody nogroup" above like you do.
> > > I am surprised you get this mapping even after commenting the
> > > permission adjustments... it doesn't work for me when I comment
> > > them
> > > out:
> > > 
> > > [stefanb@...-ns-dev rootfs]$ unshare -r --user --mount
> > > [root@...-ns-dev rootfs]# mount -t securityfs_ns none
> > > /sys/kernel/security/
> > > [root@...-ns-dev rootfs]# cd /sys/kernel/security/ima/
> > > [root@...-ns-dev ima]# ls -l
> > > total 0
> > > -r--r-----. 1 nobody nobody 0 Dec  1 15:20
> > > ascii_runtime_measurements
> > > -r--r-----. 1 nobody nobody 0 Dec  1 15:20
> > > binary_runtime_measurements
> > > -rw-------. 1 nobody nobody 0 Dec  1 15:20 policy
> > > -r--r-----. 1 nobody nobody 0 Dec  1 15:20
> > > runtime_measurements_count
> > > -r--r-----. 1 nobody nobody 0 Dec  1 15:20 violations
> > > [root@...-ns-dev ima]# cat /proc/self/uid_map
> > >            0       1000          1
> > > [root@...-ns-dev ima]# cat /proc/self/gid_map
> > >            0       1000          1
> > > 
> > > The initialization of securityfs and setup of files and
> > > directories
> > > happens at the same time as the IMA namespace is created. At this
> > > time there are no user mappings available, so that's why I need
> > > to
> > > make the adjustments 'late'.
> > There is one other possible difference:  To get the correct
> > s_user_ns
> 
> I am currently wondering why I cannot re-create your setup while 
> disabling the remapping...

OK, I think I figured it out.  When I applied your patches, it was on
top of my existing ones, so I had to massage them a bit.

Your problem is the securityfs inode creation is triggered inside
create_user_ns, which means it happens *before* ushare writes to the
proc/self/uid_map file, so the securityfs_inodes are always created on
an empty mapping and i_write_uid always sets the inode uid to -1.

I don't see this because my setup for everything is triggered off the
first use of the IMA namespace.  You'd need to have some type of lazy
setup of the inodes as well to give unshare time to install the uid/gid
mappings.

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ