From patchwork Mon Jan  4 18:03:53 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee <seth.forshee@canonical.com>
X-Patchwork-Id: 7949631
Return-Path: <linux-fsdevel-owner@kernel.org>
X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 0DABA9F1C0
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Mon,  4 Jan 2016 18:09:42 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 3854E2011D
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Mon,  4 Jan 2016 18:09:41 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 4CAA820109
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Mon,  4 Jan 2016 18:09:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753224AbcADSJL (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Mon, 4 Jan 2016 13:09:11 -0500
Received: from mail-io0-f179.google.com ([209.85.223.179]:35483 "EHLO
	mail-io0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752112AbcADSEm (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Mon, 4 Jan 2016 13:04:42 -0500
Received: by mail-io0-f179.google.com with SMTP id 77so132133428ioc.2
	for <linux-fsdevel@vger.kernel.org>;
	Mon, 04 Jan 2016 10:04:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=canonical-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=//qEzr7TRp7op3+bIH7WSySVS35SBzzY9CieT86Wfks=;
	b=U2jkxKb0GUgAWWIPak98Rpqmud5CfemDzKUUIIU4HUs8ZujwbJQ91CxUF6PwQyhFCe
	AV+lYwE+03pHV/hwUD0j4JqETxHnj1zdOQV/lDuoE5nEpf8vVmBBZzjn4kyy7bwlqoxr
	eY++JLPOj7XYdWxalKnT0n9sIsYVd+DfZr3wpCfs3Ff0TxLAYBlsARxz//V+SWL4mPI8
	tJR+ZUuNqo1bOa7DAv6OAd4Vkh83NYqh4F8IoOocMjpHB7mi0DBWwndbA3qt0qTwMLGU
	tkGiIA5a3eS/wM9I1tTL0szCPcAUpp71/NY12PkZZe6IqTrM3Ctu/Vk/Vtpk7Ui8xoin
	0b1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=//qEzr7TRp7op3+bIH7WSySVS35SBzzY9CieT86Wfks=;
	b=g4+XlTZb6Tm7Psk8zGlpF831peVnhXITRLXKWh2e+R9A+dj1OAmcpVrVMT2eaozg3W
	cXOaoBKqkfvlXxONewdn166NYGq2XvWb56YAjOBO6o6NE5q7rzx8+g9Sd6TACRK6YTYW
	g7hsyO55qxsuNMp5TM1S0Afm0m8YvA0aS0YMRHtIXkf4rrnw7cXsrPHHlsxoNmLWZ+97
	hbsib98MJtaTDYsjD4vSsNGP6kpTzjOZrhJA50i0dfiRQZzGdIAH5DdQePcaXx4XInqo
	bh08lpPyeTPCZCHychG7q2tECO+7SLth8/QPDDV816ZluezmDI4kuDOdSQSpnGLHhI2p
	aw8w==
X-Gm-Message-State: 
 ALoCoQmMosuDvNGRMqP0pWudV+PD/ZVNS81Bd/jIIHmtEI8blsVqoXuDdo+yuiN/OKhw4gAIYpbuRwwKbKV462EZ1rOL2Kdt9A==
X-Received: by 10.107.38.195 with SMTP id m186mr80967619iom.15.1451930681405;
	Mon, 04 Jan 2016 10:04:41 -0800 (PST)
Received: from localhost ([66.64.121.229]) by smtp.gmail.com with ESMTPSA id
	84sm28296391ioh.3.2016.01.04.10.04.40
	(version=TLS1_2 cipher=AES128-SHA bits=128/128);
	Mon, 04 Jan 2016 10:04:41 -0800 (PST)
From: Seth Forshee <seth.forshee@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Richard Weinberger <richard.weinberger@gmail.com>,
	Austin S Hemmelgarn <ahferroin7@gmail.com>,
	Miklos Szeredi <miklos@szeredi.hu>,
	linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org,
	dm-devel@redhat.com, linux-raid@vger.kernel.org,
	linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
	fuse-devel@lists.sourceforge.net,
	linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
	Seth Forshee <seth.forshee@canonical.com>
Subject: [PATCH RESEND v2 14/18] capabilities: Allow privileged user in
	s_user_ns to set security.* xattrs
Date: Mon,  4 Jan 2016 12:03:53 -0600
Message-Id: <1451930639-94331-15-git-send-email-seth.forshee@canonical.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

A privileged user in s_user_ns will generally have the ability to
manipulate the backing store and insert security.* xattrs into
the filesystem directly. Therefore the kernel must be prepared to
handle these xattrs from unprivileged mounts, and it makes little
sense for commoncap to prevent writing these xattrs to the
filesystem. The capability and LSM code have already been updated
to appropriately handle xattrs from unprivileged mounts, so it
is safe to loosen this restriction on setting xattrs.

The exception to this logic is that writing xattrs to a mounted
filesystem may also cause the LSM inode_post_setxattr or
inode_setsecurity callbacks to be invoked. SELinux will deny the
xattr update by virtue of applying mountpoint labeling to
unprivileged userns mounts, and Smack will deny the writes for
any user without global CAP_MAC_ADMIN, so loosening the
capability check in commoncap is safe in this respect as well.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
---
 security/commoncap.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 2119421613f6..d6c80c19c449 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -653,15 +653,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm)
 int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		       const void *value, size_t size, int flags)
 {
+	struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
+
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ns_capable(user_ns, CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
 
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ns_capable(user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }
@@ -679,15 +681,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
  */
 int cap_inode_removexattr(struct dentry *dentry, const char *name)
 {
+	struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
+
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ns_capable(user_ns, CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
 
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ns_capable(user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }