lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZWoWrRgNDVRv6BTB@do-x1extreme>
Date:   Fri, 1 Dec 2023 11:23:57 -0600
From:   "Seth Forshee (DigitalOcean)" <sforshee@...nel.org>
To:     Christian Brauner <brauner@...nel.org>
Cc:     Serge Hallyn <serge@...lyn.com>, Paul Moore <paul@...l-moore.com>,
        Eric Paris <eparis@...hat.com>,
        James Morris <jmorris@...ei.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Miklos Szeredi <miklos@...redi.hu>,
        Amir Goldstein <amir73il@...il.com>,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-security-module@...r.kernel.org, audit@...r.kernel.org,
        linux-unionfs@...r.kernel.org
Subject: Re: [PATCH 06/16] capability: provide a helper for converting
 vfs_caps to xattr for userspace

On Fri, Dec 01, 2023 at 05:57:35PM +0100, Christian Brauner wrote:
> On Wed, Nov 29, 2023 at 03:50:24PM -0600, Seth Forshee (DigitalOcean) wrote:
> > cap_inode_getsecurity() implements a handful of policies for capability
> > xattrs read by userspace:
> > 
> >  - It returns EINVAL if the on-disk capability is in v1 format.
> > 
> >  - It masks off all bits in magic_etc except for the version and
> >    VFS_CAP_FLAGS_EFFECTIVE.
> > 
> >  - v3 capabilities are converted to v2 format if the rootid returned to
> >    userspace would be 0 or if the rootid corresponds to root in an
> >    ancestor user namespace.
> > 
> >  - It returns EOVERFLOW for a v3 capability whose rootid does not map to
> >    a valid id in current_user_ns() or to root in an ancestor namespace.
> 
> Nice. Precise and clear, please just drop these bullet points into the
> kernel-doc of that function.

Will do.

> > +/**
> > + * vfs_caps_to_user_xattr - convert vfs_caps to caps xattr for userspace
> > + *
> > + * @idmap:       idmap of the mount the inode was found from
> > + * @dest_userns: user namespace for ids in xattr data
> > + * @vfs_caps:    source vfs_caps data
> > + * @data:        destination buffer for rax xattr caps data
> > + * @size:        size of the @data buffer
> > + *
> > + * Converts a kernel-interrnal capability into the raw security.capability
> > + * xattr format. Includes permission checking and v2->v3 conversion as
> > + * appropriate.
> > + *
> > + * If the xattr is being read or written through an idmapped mount the
> > + * idmap of the vfsmount must be passed through @idmap. This function
> > + * will then take care to map the rootid according to @idmap.
> > + *
> > + * Return: On success, return 0; on error, return < 0.
> > + */
> > +int vfs_caps_to_user_xattr(struct mnt_idmap *idmap,
> > +			   struct user_namespace *dest_userns,
> > +			   const struct vfs_caps *vfs_caps,
> > +			   void *data, int size)
> > +{
> > +	struct vfs_ns_cap_data *ns_caps = data;
> > +	bool is_v3;
> > +	u32 magic;
> > +
> > +	/* Preserve previous behavior of returning EINVAL for v1 caps */
> > +	if ((vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_1)
> > +		return -EINVAL;
> > +
> > +	size = __vfs_caps_to_xattr(idmap, dest_userns, vfs_caps, data, size);
> > +	if (size < 0)
> > +		return size;
> > +
> > +	magic = vfs_caps->magic_etc &
> > +		(VFS_CAP_REVISION_MASK | VFS_CAP_FLAGS_EFFECTIVE);
> > +	ns_caps->magic_etc = cpu_to_le32(magic);
> > +
> > +	/*
> > +	 * If this is a v3 capability with a valid, non-zero rootid, return
> > +	 * the v3 capability to userspace. A v3 capability with a rootid of
> > +	 * 0 will be converted to a v2 capability below for compatibility
> > +	 * with old userspace.
> > +	 */
> > +	is_v3 = (vfs_caps->magic_etc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_3;
> > +	if (is_v3) {
> > +		uid_t rootid = le32_to_cpu(ns_caps->rootid);
> > +		if (rootid != (uid_t)-1 && rootid != (uid_t)0)
> > +			return size;
> > +	}
> > +
> > +	if (!rootid_owns_currentns(vfs_caps->rootid))
> > +		return -EOVERFLOW;
> 
> For a v2 cap that we read vfs_caps->rootid will be vfsuid 0, right?
> So that means we're guaranteed to resolve that in the initial user
> namespace. IOW, rootid_owns_currentns() will indeed work with a pure v2
> cap. Ok. Just making sure that I understand that this won't cause
> EOVERFLOW for v2. But you would've likely seen that in tests right away.

Yes, that's all correct.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ