From patchwork Mon Dec 7 21:21:23 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7792911
From: Seth Forshee
To: "Eric W. Biederman", Serge Hallyn, James Morris, "Serge E. Hallyn"
Cc: linux-security-module@vger.kernel.org, Seth Forshee, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH v2 14/18] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
Date: Mon, 7 Dec 2015 15:21:23 -0600
Message-Id: <1449523289-144238-15-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1449523289-144238-1-git-send-email-seth.forshee@canonical.com>

A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing these xattrs to the filesystem. The capability and LSM code have already been updated to appropriately handle xattrs from unprivileged mounts, so it is safe to loosen this restriction on setting xattrs.

The exception to this logic is that writing xattrs to a mounted filesystem may also cause the LSM inode_post_setxattr or inode_setsecurity callbacks to be invoked. SELinux will deny the xattr update by virtue of applying mountpoint labeling to unprivileged userns mounts, and Smack will deny the writes for any user without global CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe in this respect as well. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn --- security/commoncap.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 2119421613f6..d6c80c19c449 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -653,15 +653,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -679,15 +681,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; }
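
Review bot: In cap_inode_setxattr, the second branch now accepts CAP_SYS_ADMIN in s_user_ns for every name matching XATTR_SECURITY_PREFIX, but the commit message argues safety only for SELinux and Smack. Please say in the commit message how other consumers of security.* names are covered. A short comment above `struct user_namespace *user_ns = dentry->d_sb->s_user_ns;` should also record that the check is deliberately relative to the superblock's namespace and that it relies on the earlier capability and LSM changes the message refers to. Without that, a later reader sees only `ns_capable(user_ns, CAP_SYS_ADMIN)` and has no way to tell that the relaxation depends on those changes being present.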
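
Review bot: The comment block that closes with `*/` directly above cap_inode_removexattr is left untouched by the second hunk, while the checks below it change from capable() to ns_capable(user_ns, ...). If that comment describes the capability required to remove the attribute, it should be updated to say the capability is evaluated in dentry->d_sb->s_user_ns rather than globally. As a style point, this hunk repeats the same `user_ns` declaration and the same two checks that the first hunk adds to cap_inode_setxattr. A small shared helper taking the dentry and the name would keep the set and remove paths from drifting apart.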