Message ID | 1461699396-33000-18-git-send-email-seth.forshee@canonical.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Tue, 26 Apr 2016, Seth Forshee wrote: > A privileged user in s_user_ns will generally have the ability to > manipulate the backing store and insert security.* xattrs into > the filesystem directly. Therefore the kernel must be prepared to > handle these xattrs from unprivileged mounts, and it makes little > sense for commoncap to prevent writing these xattrs to the > filesystem. The capability and LSM code have already been updated > to appropriately handle xattrs from unprivileged mounts, so it > is safe to loosen this restriction on setting xattrs. > > The exception to this logic is that writing xattrs to a mounted > filesystem may also cause the LSM inode_post_setxattr or > inode_setsecurity callbacks to be invoked. SELinux will deny the > xattr update by virtue of applying mountpoint labeling to > unprivileged userns mounts, and Smack will deny the writes for > any user without global CAP_MAC_ADMIN, so loosening the > capability check in commoncap is safe in this respect as well. > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: James Morris <james.l.morris@oracle.com>
diff --git a/security/commoncap.c b/security/commoncap.c index e657227d221e..12477afaa8ed 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -664,15 +664,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -690,15 +692,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; }