From patchwork Tue Apr 26 19:36:30 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 8944641
From: Seth Forshee
To: "Eric W. Biederman", Serge Hallyn, James Morris, "Serge E. Hallyn"
Cc: linux-bcache@vger.kernel.org, Miklos Szeredi, Seth Forshee, dm-devel@redhat.com, linux-security-module@vger.kernel.org, Richard Weinberger, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov
Subject: [PATCH v4 17/21] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
Date: Tue, 26 Apr 2016 14:36:30 -0500
Message-Id: <1461699396-33000-18-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>
References: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>

A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing these xattrs to the filesystem. The capability and LSM code have already been updated to appropriately handle xattrs from unprivileged mounts, so it is safe to loosen this restriction on setting xattrs.

The exception to this logic is that writing xattrs to a mounted filesystem may also cause the LSM inode_post_setxattr or inode_setsecurity callbacks to be invoked. SELinux will deny the xattr update by virtue of applying mountpoint labeling to unprivileged userns mounts, and Smack will deny the writes for any user without global CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe in this respect as well. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn Acked-by: James Morris --- security/commoncap.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index e657227d221e..12477afaa8ed 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -664,15 +664,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -690,15 +692,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; }
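
Review bot: In cap_inode_setxattr, the XATTR_SECURITY_PREFIX branch now accepts CAP_SYS_ADMIN in dentry->d_sb->s_user_ns for every security.* name, while the commit message argues safety only for SELinux (mountpoint labeling on unprivileged userns mounts) and Smack (global CAP_MAC_ADMIN). Please state in the message, or in a comment above the `!ns_capable(user_ns, CAP_SYS_ADMIN)` check, why any other consumer of security.* xattrs is also safe. The XATTR_NAME_CAPS case likewise depends on the capability code having already been updated to handle xattrs from unprivileged mounts, as the message says; a short comment next to `!ns_capable(user_ns, CAP_SETFCAP)` naming that dependency would keep the check from being picked up on its own without the change it relies on.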
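
Review bot: In cap_inode_removexattr, the same relaxation is applied to removal, yet the subject line and the commit message speak only of setting and writing security.* xattrs; please mention removal explicitly so the scope of the change is clear from the log. The comment block that closes at the `*/` context line just above this function is left untouched by the hunk, so it should be checked and, if it still describes the test as a plain capable() check, updated to say that CAP_SETFCAP and CAP_SYS_ADMIN are now required in the superblock's s_user_ns rather than in the initial user namespace.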