From patchwork Fri Apr 22 15:38:34 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 613751 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3qs0GN6gtRz9t4h for ; Sat, 23 Apr 2016 01:41:32 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical-com.20150623.gappssmtp.com header.i=@canonical-com.20150623.gappssmtp.com header.b=AIK8dQxG; dkim-atps=neutral Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1atdBz-00047n-CY; Fri, 22 Apr 2016 15:40:27 +0000 Received: from mail-oi0-x233.google.com ([2607:f8b0:4003:c06::233]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1atdBL-0001r6-Mx for linux-mtd@lists.infradead.org; Fri, 22 Apr 2016 15:39:49 +0000 Received: by mail-oi0-x233.google.com with SMTP id x201so120339677oif.3 for ; Fri, 22 Apr 2016 08:39:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=DAyL4Vjvkd4bLXqKT0Hq7+h3u6oHI9c4vfL//Ps6QiM=; b=AIK8dQxG4HSyGE7ZdoTb7dzHNO1+8fQMjYfROtAqMeaKdhQsQ9DsODJfw2ogxaEf3H 1JUh+R4iDK8ucHrYQ8mpP9IujXRsbgGkYaakCQxiksz8nPSVzr5HxRU1JRpGzALnHK9f nw65hawHG6AHkP7JSspOnny4r9fOnIn53MfsJs4Pb2T6DcaBukZ+LqVCmKqjBdkuZdSm g8OqQfVnepIGhfdyDUMSpwvagNHpT090NT+CeqZM0lhVokZTBUolODHAKQGDe0GqvTEY X4ckL6jWb5yUZaPp65yozZplrc1PQk7zTpl7Hb+ZVZgTfIl2KF6RuBp/RU1axF/wgU8w 9zYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=DAyL4Vjvkd4bLXqKT0Hq7+h3u6oHI9c4vfL//Ps6QiM=; b=Bw8v0wpdeMgTSyN+OBp35CVcdSt9FA6h8c1uvRuYMiBVjSzLV2TtQ821nHntzeUQL3 tzSFUgU6No4iR7Og2dAaenAYPAbciL8RdmlOnlFv7oJkBCah8FdvzFOZcVwyyeIG8tVf /vFMxco4x2kW1c1mE9fzKPtjrV8Nr5J2LaDHI1Dqw9eTWRPFjC05DdaofDD0cCTAS5UC 0Q758GKCykm8ibI0TI2Y9DZvi64KWFPP9w2/NKKFqq4jly1Ru2gBqxlN+QerGhiQI48i 9/Zpxb0FTrlP9hm7LkdPxrCoeYRgBA7xOVqsWwruztKhXxnk2JU5xhFKEaWxU0aTeX62 e5nw== X-Gm-Message-State: AOPr4FUj35Qc6/QiuGlnrKWyDKRQCgPsRyIaZO3i/8MJEROKkfHfvim3wbETSzcb4c8cl8aK X-Received: by 10.202.56.4 with SMTP id f4mr8883644oia.125.1461339566515; Fri, 22 Apr 2016 08:39:26 -0700 (PDT) Received: from localhost ([2605:a601:aab:f920:ad1c:41df:dcb1:a4a0]) by smtp.gmail.com with ESMTPSA id u71sm478486ota.19.2016.04.22.08.39.25 (version=TLS1_2 cipher=AES128-SHA bits=128/128); Fri, 22 Apr 2016 08:39:25 -0700 (PDT) From: Seth Forshee To: "Eric W. Biederman" , Serge Hallyn , James Morris , "Serge E. Hallyn" Subject: [PATCH v3 17/21] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Date: Fri, 22 Apr 2016 10:38:34 -0500 Message-Id: <1461339521-123191-18-git-send-email-seth.forshee@canonical.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1461339521-123191-1-git-send-email-seth.forshee@canonical.com> References: <1461339521-123191-1-git-send-email-seth.forshee@canonical.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20160422_083947_985977_BBAA8AAD X-CRM114-Status: GOOD ( 11.89 ) X-Spam-Score: -2.6 (--) X-Spam-Report: SpamAssassin version 3.4.0 on bombadil.infradead.org summary: Content analysis details: (-2.6 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [2607:f8b0:4003:c06:0:0:0:233 listed in] [list.dnswl.org] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-bcache@vger.kernel.org, Miklos Szeredi , Seth Forshee , dm-devel@redhat.com, linux-security-module@vger.kernel.org, Richard Weinberger , linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn , linux-mtd@lists.infradead.org, Alexander Viro , selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov MIME-Version: 1.0 Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing these xattrs to the filesystem. The capability and LSM code have already been updated to appropriately handle xattrs from unprivileged mounts, so it is safe to loosen this restriction on setting xattrs. The exception to this logic is that writing xattrs to a mounted filesystem may also cause the LSM inode_post_setxattr or inode_setsecurity callbacks to be invoked. SELinux will deny the xattr update by virtue of applying mountpoint labeling to unprivileged userns mounts, and Smack will deny the writes for any user without global CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe in this respect as well. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn --- security/commoncap.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index e657227d221e..12477afaa8ed 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -664,15 +664,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -690,15 +692,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; }