From patchwork Tue Apr 26 19:36:30 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee <seth.forshee@canonical.com>
X-Patchwork-Id: 8943681
Return-Path: <linux-fsdevel-owner@kernel.org>
X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 73EC4BF29F
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue, 26 Apr 2016 19:39:34 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 9C94820166
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue, 26 Apr 2016 19:39:33 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id A03202015A
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue, 26 Apr 2016 19:39:32 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752653AbcDZTjH (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Tue, 26 Apr 2016 15:39:07 -0400
Received: from mail-io0-f171.google.com ([209.85.223.171]:33441 "EHLO
	mail-io0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752943AbcDZThN (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Tue, 26 Apr 2016 15:37:13 -0400
Received: by mail-io0-f171.google.com with SMTP id f89so26283233ioi.0
	for <linux-fsdevel@vger.kernel.org>;
	Tue, 26 Apr 2016 12:37:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=canonical-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=dLDaL+duDLazpZxS3Qd1Y6ftu21NRZh/SKRUFsz+OkM=;
	b=ldn4otXbtCXxCJeodeAza7Iz51iMfficRsNvotFhvHxu/U6GSitrjFCUYzzTvVQ+Sg
	fkOa3yhQHQztjDUV4fh5c/lboAxAqlsYXOmnxOSNsXzljMmtG2NWVp31dzO0XidYp0Us
	RsuDAoc4OYDcK74Iyb5aeekaF6vArZNnUPHtp71dLJjNpfyTHmdvdQMTIt9x7qtpPPug
	sfobbkkEA+IwF877Pm1dVqRoGtk7kNWeBNg1K+kTZWYELJLT9IQFWzaOVTzGAGjSNF6N
	eoK1FdCC6zLGbxTFOf7v/xpNiXrhWBVdC9pWcokIMl4C7xqh+Ga85oDGMp0zyl4c0vDp
	wfQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=dLDaL+duDLazpZxS3Qd1Y6ftu21NRZh/SKRUFsz+OkM=;
	b=hKaIVBP1uCKSykx2IBf9eUMx9qOfLad7avVv+0DVgexAP/x4dm0FZmr4465IqthKxa
	4cdwRDNhIMc2Y8zy9OkAabZvkEf3Lf3BI2oH8j5/NtKcXrXw4MCOuWU6MrSzBTRUHjiZ
	w65MK8+2vBRXYeUyISgf3u6oNbKMt+aYdCEbmZ8ex1hU9EksSCbVtl3WLECOKpU9iUZn
	CSAgr53QdZNXicCkoF3hUuJLNh91ijhe+nY3zysN/00qH9xO6tOyHmmljn+v6qVhVhNx
	Cc/mI5YyamLIKmecahl4RDPpFV4lIeNOB5tuNHUnVU8NZ/9wUk+uKZdzB5Fne/CeHznV
	YrDQ==
X-Gm-Message-State: 
 AOPr4FUqVRHwBTEPLk3d4svz8kIeFV5h/1zSsfMxoKBaSdynmh5CYy6KzEcF+viaZeAcVhAD
X-Received: by 10.107.30.17 with SMTP id e17mr5503897ioe.142.1461699432417;
	Tue, 26 Apr 2016 12:37:12 -0700 (PDT)
Received: from localhost ([2605:a601:aab:f920:39a1:5bcf:aa:5b00])
	by smtp.gmail.com with ESMTPSA id
	b202sm2367971ioe.27.2016.04.26.12.37.11
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 26 Apr 2016 12:37:11 -0700 (PDT)
From: Seth Forshee <seth.forshee@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Richard Weinberger <richard.weinberger@gmail.com>,
	Austin S Hemmelgarn <ahferroin7@gmail.com>,
	Miklos Szeredi <mszeredi@redhat.com>,
	Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
	linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org,
	dm-devel@redhat.com, linux-raid@vger.kernel.org,
	linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
	fuse-devel@lists.sourceforge.net,
	linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
	cgroups@vger.kernel.org, Seth Forshee <seth.forshee@canonical.com>
Subject: [PATCH v4 17/21] capabilities: Allow privileged user in s_user_ns
	to set security.* xattrs
Date: Tue, 26 Apr 2016 14:36:30 -0500
Message-Id: <1461699396-33000-18-git-send-email-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>
References: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Spam-Status: No, score=-7.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

A privileged user in s_user_ns will generally have the ability to
manipulate the backing store and insert security.* xattrs into
the filesystem directly. Therefore the kernel must be prepared to
handle these xattrs from unprivileged mounts, and it makes little
sense for commoncap to prevent writing these xattrs to the
filesystem. The capability and LSM code have already been updated
to appropriately handle xattrs from unprivileged mounts, so it
is safe to loosen this restriction on setting xattrs.

The exception to this logic is that writing xattrs to a mounted
filesystem may also cause the LSM inode_post_setxattr or
inode_setsecurity callbacks to be invoked. SELinux will deny the
xattr update by virtue of applying mountpoint labeling to
unprivileged userns mounts, and Smack will deny the writes for
any user without global CAP_MAC_ADMIN, so loosening the
capability check in commoncap is safe in this respect as well.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: James Morris <james.l.morris@oracle.com>
---
 security/commoncap.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index e657227d221e..12477afaa8ed 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -664,15 +664,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm)
 int cap_inode_setxattr(struct dentry *dentry, const char *name,
 		       const void *value, size_t size, int flags)
 {
+	struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
+
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ns_capable(user_ns, CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
 
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ns_capable(user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }
@@ -690,15 +692,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
  */
 int cap_inode_removexattr(struct dentry *dentry, const char *name)
 {
+	struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
+
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
-		if (!capable(CAP_SETFCAP))
+		if (!ns_capable(user_ns, CAP_SETFCAP))
 			return -EPERM;
 		return 0;
 	}
 
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
-	    !capable(CAP_SYS_ADMIN))
+	    !ns_capable(user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }