From patchwork Tue Apr 26 19:36:30 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 615133 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3qvYLn1FTWz9t4h for ; Wed, 27 Apr 2016 05:39:13 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical-com.20150623.gappssmtp.com header.i=@canonical-com.20150623.gappssmtp.com header.b=ldn4otXb; dkim-atps=neutral Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1av8oJ-00030f-9K; Tue, 26 Apr 2016 19:38:15 +0000 Received: from mail-io0-x22b.google.com ([2607:f8b0:4001:c06::22b]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1av8nd-00024T-CS for linux-mtd@lists.infradead.org; Tue, 26 Apr 2016 19:37:34 +0000 Received: by mail-io0-x22b.google.com with SMTP id d62so26320886iof.2 for ; Tue, 26 Apr 2016 12:37:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=dLDaL+duDLazpZxS3Qd1Y6ftu21NRZh/SKRUFsz+OkM=; b=ldn4otXbtCXxCJeodeAza7Iz51iMfficRsNvotFhvHxu/U6GSitrjFCUYzzTvVQ+Sg fkOa3yhQHQztjDUV4fh5c/lboAxAqlsYXOmnxOSNsXzljMmtG2NWVp31dzO0XidYp0Us RsuDAoc4OYDcK74Iyb5aeekaF6vArZNnUPHtp71dLJjNpfyTHmdvdQMTIt9x7qtpPPug sfobbkkEA+IwF877Pm1dVqRoGtk7kNWeBNg1K+kTZWYELJLT9IQFWzaOVTzGAGjSNF6N eoK1FdCC6zLGbxTFOf7v/xpNiXrhWBVdC9pWcokIMl4C7xqh+Ga85oDGMp0zyl4c0vDp wfQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=dLDaL+duDLazpZxS3Qd1Y6ftu21NRZh/SKRUFsz+OkM=; b=Z7JHTOvoOhvpWCwwpWgwCPDtoXU+GejeMnJUa6CuxbsBNK58pt/IrlNiJqlnx9IUNQ KKNf9XTnK6JQyWHxdK8Q3JRJq35GS1r+zVvc31G8b4d9iwdFe0wwywEz29x7xMofPsFr mRK1jC5xIudQhKGjmtsDOuicfW7QLc1aV6u3XMH6sRh9Rhxq2mFpidXipk2z4YLl2C23 wCNjRZzqGhmdIBBw8o/s1d6rDQPS2Ngm/lMJHfN5sxtu7f264DPHZJOQu7wdHqWpkqpa yw/i+RZpwjqEbuOYt2p2xg8d8oIQ+ljILcgizsUwrSn+Jt5L+LJ1Ye4VlBP8D4u9vgJo XcQw== X-Gm-Message-State: AOPr4FXT/Z/45IUet9kP5mod5fDT9e+TOBazHcrMp5/50DCOWLXm/n3xUwiiMo75du+FNwDo X-Received: by 10.107.30.17 with SMTP id e17mr5503897ioe.142.1461699432417; Tue, 26 Apr 2016 12:37:12 -0700 (PDT) Received: from localhost ([2605:a601:aab:f920:39a1:5bcf:aa:5b00]) by smtp.gmail.com with ESMTPSA id b202sm2367971ioe.27.2016.04.26.12.37.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Apr 2016 12:37:11 -0700 (PDT) From: Seth Forshee To: "Eric W. Biederman" , Serge Hallyn , James Morris , "Serge E. Hallyn" Subject: [PATCH v4 17/21] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Date: Tue, 26 Apr 2016 14:36:30 -0500 Message-Id: <1461699396-33000-18-git-send-email-seth.forshee@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com> References: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20160426_123733_699273_5B267027 X-CRM114-Status: GOOD ( 13.13 ) X-Spam-Score: -2.6 (--) X-Spam-Report: SpamAssassin version 3.4.0 on bombadil.infradead.org summary: Content analysis details: (-2.6 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [2607:f8b0:4001:c06:0:0:0:22b listed in] [list.dnswl.org] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-bcache@vger.kernel.org, Miklos Szeredi , Seth Forshee , dm-devel@redhat.com, linux-security-module@vger.kernel.org, Richard Weinberger , linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn , linux-mtd@lists.infradead.org, Alexander Viro , selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov MIME-Version: 1.0 Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing these xattrs to the filesystem. The capability and LSM code have already been updated to appropriately handle xattrs from unprivileged mounts, so it is safe to loosen this restriction on setting xattrs. The exception to this logic is that writing xattrs to a mounted filesystem may also cause the LSM inode_post_setxattr or inode_setsecurity callbacks to be invoked. SELinux will deny the xattr update by virtue of applying mountpoint labeling to unprivileged userns mounts, and Smack will deny the writes for any user without global CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe in this respect as well. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn Acked-by: James Morris --- security/commoncap.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index e657227d221e..12477afaa8ed 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -664,15 +664,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -690,15 +692,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; }