From patchwork Thu Oct 5 06:16:11 2017
X-Patchwork-Submitter: Lubomir Rintel
X-Patchwork-Id: 9986489
From: Lubomir Rintel
To: linux-security-module@vger.kernel.org
Cc: "Serge E. Hallyn", "Eric W. Biederman", linux-kernel@vger.kernel.org, Paul Moore, Stephen Smalley, Eric Paris, Lubomir Rintel
Subject: [PATCH] selinux: check CAP_SETFCAP for a particular inode & mapped user
Date: Thu, 5 Oct 2017 08:16:11 +0200
Message-Id: <20171005061611.6649-1-lkundrak@v3.sk>
X-Mailer: git-send-email 2.13.6

This allows setting the "security.capability" xattr by a user that has CAP_SETFCAP in a userns with SELinux. Namespaced capabilities are supported as of commit 8db6c34f1dbc ("Introduce v3 namespaced file capabilities").

Signed-off-by: Lubomir Rintel
---
A casual warning: Please do not assume I know what I'm really doing. I can now install iputils and /bin/ping in an LXC container, which is great, but I typically wouldn't be allowed anywhere near anything security related.

Thank you!

 security/selinux/hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f5d304736852..7bc5f4ffb4e0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3127,11 +3127,12 @@ static int selinux_inode_getattr(const struct path *path) static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) { const struct cred *cred = current_cred(); + struct inode *inode = d_backing_inode(dentry); if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof XATTR_SECURITY_PREFIX - 1)) { if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP)) return -EPERM; } else if (!capable(CAP_SYS_ADMIN)) { /* A different attribute in the security namespace.
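Review bot: the commit message should state why relaxing `capable(CAP_SETFCAP)` to `capable_wrt_inode_uidgid(inode, CAP_SETFCAP)` in the XATTR_NAME_CAPS branch is safe. The new check only establishes that the caller holds CAP_SETFCAP in a user namespace into which the inode's uid and gid are mapped; it does not itself verify that the capability blob being written is a v3 namespaced one whose root id maps into the caller's namespace. The message points at commit 8db6c34f1dbc for that behaviour, so spell out that the content validation for namespaced file capabilities happens outside this hook and that this hook is only gating who may write the attribute. It is also worth noting explicitly that the neighbouring `else if (!capable(CAP_SYS_ADMIN))` branch for other `security.*` attributes deliberately keeps the init-namespace check, so reviewers do not read the asymmetry as an oversight. Minor: `inode` is computed unconditionally at the top of the function but is only used inside the XATTR_NAME_CAPS branch; consider moving the `d_backing_inode(dentry)` call next to its single use.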