From patchwork Mon Dec  7 21:21:23 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee <seth.forshee@canonical.com>
X-Patchwork-Id: 7790921
Return-Path: <linux-fsdevel-owner@kernel.org>
X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 7A0DE9F1C2
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Mon,  7 Dec 2015 21:27:42 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 9F5F820557
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Mon,  7 Dec 2015 21:27:41 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id ADD752052F
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Mon,  7 Dec 2015 21:27:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755210AbbLGV0t (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Mon, 7 Dec 2015 16:26:49 -0500
Received: from mail-io0-f182.google.com ([209.85.223.182]:32914 "EHLO
	mail-io0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933144AbbLGVXj (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Mon, 7 Dec 2015 16:23:39 -0500
Received: by iouu10 with SMTP id u10so4195173iou.0
	for <linux-fsdevel@vger.kernel.org>;
	Mon, 07 Dec 2015 13:23:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=canonical-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=//qEzr7TRp7op3+bIH7WSySVS35SBzzY9CieT86Wfks=;
	b=B+uihdTHiNwB+2XluGOB7aOHuv9a/uWuhJh0GaFkcTlTBMxg6c6xrEP8ZUNkqeX1FJ
	TxTUBVb3AYkNRQjw2Hh2bhjQTVc8jRyoCtnfbsyoxjfxqEY9g/uBsPzm4+2y7he5HEtx
	k5rFuILtandJUY/G9iWjHtbHVXJsL9V75m7vxffoxd4hplgLeobhF8gD8oyJubdo0lXu
	rRQoRgUAJqO97COw6OoNxIX7l3fQ7fa5buLWqG2qY/sxe4zXiTM8dD1IfG+SjrjOPHq1
	t1CpsWbIsh4QIeEzrNUfrgs+RedrYaBxiz0b9yvcmRxNt+0L9rAyuSj4msqDkpA4zvhe
	sBgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=//qEzr7TRp7op3+bIH7WSySVS35SBzzY9CieT86Wfks=;
	b=Q71w9S1Rq4oBAOrMguDZFsHpOhk6ZMmlpJaC62Mjxq6xzNNU08zAwLzzeBseutI86r
	fidnky6nZJi4rqd9AX+sGxru5h204HgMPyn1a0zjq6YTGtbZkXGFG1RNj/fFWGJ/+XXw
	GtP//ZgMvbz7n7cST7eNavXPFA23tyRdp8ZgI7Fzu6c7O8BQaE6AgEvwsCzlINjA4XC6
	fGvvIhMJ01WNYigPD6jYW2ggsVkwxe6LaVjUE74ksHCkhmRYn+gNGjYtoiyYllc0M4ig
	ld5IMfRs7vntw2sKENeWt2XjrKBPphneyK5XwApA37tsvqBQssxBO8foKp8BP2GLcuS3
	dNuA==
X-Gm-Message-State: 
 ALoCoQlCMB3xap22MSnE4KydwXkjZoMgotKHxqoCp2tc/iILOu5qphG7lCPsFeIaPAJCFldqVzBbvN6yg/1At9ZeSsjmBgdCVw==
X-Received: by 10.107.136.217 with SMTP id s86mr506056ioi.142.1449523419058;
	Mon, 07 Dec 2015 13:23:39 -0800 (PST)
Received: from localhost (199-87-125-144.dyn.kc.surewest.net.
	[199.87.125.144]) by smtp.gmail.com with ESMTPSA id
	z15sm7050304igg.20.2015.12.07.13.23.38
	(version=TLS1_2 cipher=AES128-SHA bits=128/128);
	Mon, 07 Dec 2015 13:23:38 -0800 (PST)
From: Seth Forshee <seth.forshee@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Richard Weinberger <richard.weinberger@gmail.com>,
	Austin S Hemmelgarn <ahferroin7@gmail.com>,
	Miklos Szeredi <miklos@szeredi.hu>,
	linux-bcache@vger.kernel.org, dm-devel@redhat.com,
	linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
	fuse-devel@lists.sourceforge.net,
	linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
	Seth Forshee <seth.forshee@canonical.com>
Subject: [PATCH v2 14/18] capabilities: Allow privileged user in s_user_ns
	to set security.* xattrs
Date: Mon,  7 Dec 2015 15:21:23 -0600
Message-Id: <1449523289-144238-15-git-send-email-seth.forshee@canonical.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1449523289-144238-1-git-send-email-seth.forshee@canonical.com>
References: <1449523289-144238-1-git-send-email-seth.forshee@canonical.com>
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

A privileged user in s_user_ns will generally have the ability to
manipulate the backing store and insert security.* xattrs into
the filesystem directly. Therefore the kernel must be prepared to
handle these xattrs from unprivileged mounts, and it makes little
sense for commoncap to prevent writing these xattrs to the
filesystem. The capability and LSM code have already been updated
to appropriately handle xattrs from unprivileged mounts, so it
is safe to loosen this restriction on setting xattrs.

The exception to this logic is that writing xattrs to a mounted
filesystem may also cause the LSM inode_post_setxattr or
inode_setsecurity callbacks to be invoked. SELinux will deny the
xattr update by virtue of applying mountpoint labeling to
unprivileged userns mounts, and Smack will deny the writes for
any user without global CAP_MAC_ADMIN, so loosening the
capability check in commoncap is safe in this respect as well.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
---
 security/commoncap.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 2119421613f6..d6c80c19c449 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -653,15 +653,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm)
 int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		       const void *value, size_t size, int flags)
 {
+	struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
+
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ns_capable(user_ns, CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
 
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ns_capable(user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }
@@ -679,15 +681,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
  */
 int cap_inode_removexattr(struct dentry *dentry, const char *name)
 {
+	struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
+
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ns_capable(user_ns, CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
 
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ns_capable(user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }