From patchwork Fri Apr 22 15:38:34 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 8913621
From: Seth Forshee
To: "Eric W. Biederman", Serge Hallyn, James Morris, "Serge E. Hallyn"
Cc: linux-bcache@vger.kernel.org, Miklos Szeredi, Seth Forshee, dm-devel@redhat.com, linux-security-module@vger.kernel.org, Richard Weinberger, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov
Subject: [PATCH v3 17/21] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
Date: Fri, 22 Apr 2016 10:38:34 -0500
Message-Id: <1461339521-123191-18-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1461339521-123191-1-git-send-email-seth.forshee@canonical.com>
References: <1461339521-123191-1-git-send-email-seth.forshee@canonical.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing these xattrs to the filesystem. The capability and LSM code have already been updated to appropriately handle xattrs from unprivileged mounts, so it is safe to loosen this restriction on setting xattrs.
The exception to this logic is that writing xattrs to a mounted filesystem may also cause the LSM inode_post_setxattr or inode_setsecurity callbacks to be invoked. SELinux will deny the xattr update by virtue of applying mountpoint labeling to unprivileged userns mounts, and Smack will deny the writes for any user without global CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe in this respect as well.

Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
 security/commoncap.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c index e657227d221e..12477afaa8ed 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -664,15 +664,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -690,15 +692,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; }
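Review bot: in the security.* branch of the cap_inode_setxattr() hunk, `!ns_capable(user_ns, CAP_SYS_ADMIN)` becomes the only gate on security.* names other than security.capability whenever no LSM is enabled, and the commit message's safety argument for that configuration rests on the backing-store point alone, since the SELinux and Smack paragraphs cover only those two modules; please say so explicitly, and also note that for a superblock whose s_user_ns is &init_user_ns the new test is equivalent to the old capable() check, so behaviour outside user-namespace mounts does not change. Minor, in pre-existing context: `sizeof(XATTR_SECURITY_PREFIX) - 1` is already available as XATTR_SECURITY_PREFIX_LEN from <linux/xattr.h>.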
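Review bot: after the cap_inode_removexattr() hunk its body is line-for-line the same as cap_inode_setxattr()'s (same `user_ns` local, the same two ns_capable() tests, the same -EPERM/0 results), so the namespace-aware decision now lives in two copies; consider moving it into one static helper, e.g. `static int cap_xattr_check(struct dentry *dentry, const char *name)`, with both entry points doing `return cap_xattr_check(dentry, name);`, so the set and remove paths cannot drift apart in a later change.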
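What the switch from capable() to ns_capable(user_ns, ...) actually changes, shown as an added userspace model; this is not kernel code and not part of the patch. The struct layouts, the fixtures (a host namespace, one unprivileged container namespace, three callers) and the names cap_inode_setxattr_old/cap_inode_setxattr_new are assumptions for illustration only; the real ns_capable() also consults the LSM security_capable() hook and the audit subsystem, which the model omits, and the LSM inode_post_setxattr/inode_setsecurity step the commit message relies on is likewise not modelled.

```c
/*
 * Added example, not kernel code: a userspace model of the decision in
 * cap_inode_setxattr() before and after the patch. Only the two inputs that
 * drive it are modelled: the caller's effective capability set and the
 * ancestry of user namespaces. LSM hooks and audit are omitted.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bit numbers as in linux/capability.h. */
#define CAP_SYS_ADMIN 21
#define CAP_SETFCAP   31
#define CAP_TO_MASK(c) (1ULL << (c))

/* Names as in include/uapi/linux/xattr.h. */
#define XATTR_SECURITY_PREFIX "security."
#define XATTR_NAME_CAPS       XATTR_SECURITY_PREFIX "capability"

struct user_namespace {
	const char *name;
	struct user_namespace *parent;	/* NULL only for init_user_ns */
};

struct cred {
	struct user_namespace *user_ns;	/* namespace the task lives in */
	unsigned long long cap_effective;
};

/* Constructed fixtures (assumed, not from the page): host, one container, three callers. */
struct user_namespace init_user_ns = { "init_user_ns", NULL };
struct user_namespace container_ns = { "container_ns", &init_user_ns };
const struct cred host_root      = { &init_user_ns, ~0ULL };
const struct cred container_root = { &container_ns, ~0ULL };
const struct cred container_user = { &container_ns, 0 };

/*
 * Model of ns_capable(): @cred holds @cap, and @ns is the caller's own
 * namespace or a descendant of it. Walking up from @ns is what lets host
 * root pass on a container mount while container root fails on a host mount.
 * capable(cap) in the kernel is ns_capable(&init_user_ns, cap).
 */
static bool ns_capable(const struct cred *cred, struct user_namespace *ns, int cap)
{
	if (!(cred->cap_effective & CAP_TO_MASK(cap)))
		return false;
	for (; ns; ns = ns->parent)
		if (ns == cred->user_ns)
			return true;
	return false;
}

/* The name-to-capability decision from the hunk, parameterised on the
 * namespace the capability is checked against. */
static int xattr_check(const struct cred *cred, struct user_namespace *ns, const char *name)
{
	if (!strcmp(name, XATTR_NAME_CAPS))
		return ns_capable(cred, ns, CAP_SETFCAP) ? 0 : -EPERM;
	if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) &&
	    !ns_capable(cred, ns, CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

/* Before the patch: global capable(), the mounter's namespace is ignored. */
int cap_inode_setxattr_old(const struct cred *cred, struct user_namespace *s_user_ns, const char *name)
{
	(void)s_user_ns;
	return xattr_check(cred, &init_user_ns, name);
}

/* After the patch: ns_capable() against the superblock's s_user_ns. */
int cap_inode_setxattr_new(const struct cred *cred, struct user_namespace *s_user_ns, const char *name)
{
	return xattr_check(cred, s_user_ns, name);
}

int main(void)
{
	struct { const char *who; const struct cred *c; } callers[] = {
		{ "host root", &host_root }, { "container root", &container_root },
		{ "container user", &container_user },
	};
	struct { const char *mounted_by; struct user_namespace *ns; } mounts[] = {
		{ "host", &init_user_ns }, { "container", &container_ns },
	};
	const char *names[] = { XATTR_NAME_CAPS, "security.selinux", "user.comment" };

	for (size_t i = 0; i < 3; i++)
		for (size_t j = 0; j < 2; j++)
			for (size_t k = 0; k < 3; k++)
				printf("%-14s on %-9s mount, %-20s old=%d new=%d\n",
				       callers[i].who, mounts[j].mounted_by, names[k],
				       cap_inode_setxattr_old(callers[i].c, mounts[j].ns, names[k]),
				       cap_inode_setxattr_new(callers[i].c, mounts[j].ns, names[k]));
	return 0;
}
```

Running it prints one row per caller, mount and name; the only cells that change between old and new are container root on the container-mounted filesystem, which goes from -EPERM to 0 for both security.capability and security.selinux. Host root still passes on the container mount (its namespace is an ancestor of s_user_ns), container root still fails on the host mount (init_user_ns is not a descendant of its namespace), an uncapable container user fails either way, and user.* names are never gated by this check.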