From patchwork Fri Dec 22 14:32:30 2017
X-Patchwork-Submitter: Dongsu Park
X-Patchwork-Id: 10130589
From: Dongsu Park
To: linux-kernel@vger.kernel.org
Cc: containers@lists.linux-foundation.org, Alban Crequy, "Eric W . Biederman", Miklos Szeredi, Seth Forshee, Sargun Dhillon, Dongsu Park, linux-security-module@vger.kernel.org, James Morris, Serge Hallyn
Subject: [PATCH 06/11] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
Date: Fri, 22 Dec 2017 15:32:30 +0100
Message-Id: <5adc5e31c25beb987798ecc219df79671547a9ac.1512041070.git.dongsu@kinvolk.io>
X-Mailer: git-send-email 2.13.6
From: Seth Forshee

A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing these xattrs to the filesystem. The capability and LSM code have already been updated to appropriately handle xattrs from unprivileged mounts, so it is safe to loosen this restriction on setting xattrs.

The exception to this logic is that writing xattrs to a mounted filesystem may also cause the LSM inode_post_setxattr or inode_setsecurity callbacks to be invoked. SELinux will deny the xattr update by virtue of applying mountpoint labeling to unprivileged userns mounts, and Smack will deny the writes for any user without global CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe in this respect as well.

Patch v4 is available: https://patchwork.kernel.org/patch/8944641/

Cc: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: James Morris
Cc: Serge Hallyn
Signed-off-by: Seth Forshee
Signed-off-by: Dongsu Park
Reviewed-by: Serge Hallyn
--- security/commoncap.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 4f8e0934..dd0afef9 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -920,6 +920,8 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + /* Ignore non-security xattrs */ if (strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) 
@@ -932,7 +934,7 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, if (strcmp(name, XATTR_NAME_CAPS) == 0) return 0; - if (!capable(CAP_SYS_ADMIN)) + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -950,6 +952,8 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + /* Ignore non-security xattrs */ if (strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) @@ -965,7 +969,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) return 0; } - if (!capable(CAP_SYS_ADMIN)) + if (!ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; }
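Review bot: the justification for checking against dentry->d_sb->s_user_ns lives only in the commit message; next to the new `struct user_namespace *user_ns = dentry->d_sb->s_user_ns;` declaration in cap_inode_setxattr() (first hunk), add a two-line comment saying that root in the namespace owning the mount can edit the backing store anyway and that SELinux and Smack enforce their own policy in inode_post_setxattr/inode_setsecurity, so a later reader does not mistake the relaxation for an oversight.

Review bot: the switch from `if (!capable(CAP_SYS_ADMIN))` to `if (!ns_capable(user_ns, CAP_SYS_ADMIN))` in cap_inode_setxattr() (second hunk) is behaviour-preserving for superblocks whose s_user_ns is &init_user_ns, because capable(cap) is defined as ns_capable(&init_user_ns, cap); for a mount owned by a child namespace, however, ns_capable() also succeeds for a task in the parent namespace whose euid created that child (the walk in cap_capable() accepts the namespace owner one level up), not only for root inside the namespace. The phrase "privileged user in s_user_ns" reads narrower than that, so state in the commit message that granting the namespace's owner uid this write is intended.

Review bot: in cap_inode_removexattr() (last hunk) only the trailing CAP_SYS_ADMIN test is converted; the block that closes with the context line `return 0; }` immediately above it is not visible in the hunk, so if that branch carries a capability check of its own it stays on the host-global capable() path. Either convert it here as well or say in the commit message that the security.capability removal path is deliberately left global or handled elsewhere in this 11-patch series.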
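To make the effect of the capable() to ns_capable() change concrete, the following is an added userspace model (not kernel code, and not part of this patch or series) of the namespace walk performed by cap_capable() in security/commoncap.c together with the decision cap_inode_setxattr() makes for a security.* name. The struct definitions are simplified stand-ins for struct user_namespace, struct cred and struct super_block; the uids (1000, 1001) and the scenario of uid 1000 creating a user namespace and mounting a filesystem inside it are constructed for the illustration. Running it shows that the patched check admits root inside the mount's owning namespace while the old global check refused it, that a mount owned by the initial namespace is unaffected, and that the owner uid of the namespace is also accepted by ns_capable(), which is the caveat a reviewer would want spelled out.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CAP_SYS_ADMIN 21                 /* numeric value from <linux/capability.h> */
#define CAP_MASK(c)   (1ULL << (c))

/* Stand-in for struct user_namespace: only the fields the walk needs. */
struct user_ns {
    struct user_ns *parent;              /* NULL for the initial namespace */
    int level;                           /* depth below init_user_ns */
    unsigned int owner;                  /* uid (in the parent) that created it */
};

/* Stand-in for struct cred. */
struct cred {
    struct user_ns *user_ns;
    unsigned int euid;
    unsigned long long cap_effective;    /* bit n set => CAP_n raised */
};

/* Stand-in for struct super_block: only s_user_ns is consulted. */
struct super_block {
    struct user_ns *s_user_ns;
};

static struct user_ns init_user_ns = { NULL, 0, 0 };

/*
 * Models the namespace walk in security/commoncap.c:cap_capable().
 * A task has 'cap' in target namespace 'ns' if ns is its own namespace
 * and the cap is in its effective set, or if ns is a descendant namespace
 * whose direct parent is the task's namespace and whose owner is the
 * task's euid.
 */
static bool ns_capable_model(const struct cred *cred, const struct user_ns *ns, int cap)
{
    for (;;) {
        if (ns == cred->user_ns)
            return (cred->cap_effective & CAP_MASK(cap)) != 0;
        if (ns->level <= cred->user_ns->level)
            return false;                /* ns is not below the task's namespace */
        if (ns->parent == cred->user_ns && ns->owner == cred->euid)
            return true;                 /* task owns this child namespace */
        ns = ns->parent;
    }
}

/* In the kernel, capable(cap) is exactly ns_capable(&init_user_ns, cap). */
static bool capable_model(const struct cred *cred, int cap)
{
    return ns_capable_model(cred, &init_user_ns, cap);
}

/*
 * The decision cap_inode_setxattr() makes for a name: 0 lets the write
 * proceed, -EPERM refuses it.  'patched' selects the check used before
 * (global capable()) or after (ns_capable() on the mount's owning namespace).
 */
static int setxattr_check(const struct cred *cred, const struct super_block *sb,
                          const char *name, bool patched)
{
    if (strncmp(name, "security.", strlen("security.")) != 0)
        return 0;                        /* not a security.* xattr: ignored here */
    if (strcmp(name, "security.capability") == 0)
        return 0;                        /* file capabilities are checked elsewhere */
    bool ok = patched ? ns_capable_model(cred, sb->s_user_ns, CAP_SYS_ADMIN)
                      : capable_model(cred, CAP_SYS_ADMIN);
    return ok ? 0 : -EPERM;
}

/* Constructed scenario with hypothetical uids: uid 1000 on the host created a
 * user namespace and mounted a filesystem inside it. */
static struct user_ns child_ns = { &init_user_ns, 1, 1000 };
static const struct super_block userns_mount = { &child_ns };
static const struct super_block host_mount   = { &init_user_ns };

static const struct cred ns_root   = { &child_ns,     0,    ~0ULL }; /* root inside the namespace */
static const struct cred host_root = { &init_user_ns, 0,    ~0ULL }; /* real root on the host */
static const struct cred ns_owner  = { &init_user_ns, 1000, 0 };     /* creator of child_ns, no caps */
static const struct cred bystander = { &init_user_ns, 1001, 0 };     /* unrelated host user, no caps */

int main(void)
{
    const char *name = "security.selinux";
    printf("ns root, userns mount, before patch: %d\n", setxattr_check(&ns_root, &userns_mount, name, false));
    printf("ns root, userns mount, after patch:  %d\n", setxattr_check(&ns_root, &userns_mount, name, true));
    printf("ns root, host mount, after patch:    %d\n", setxattr_check(&ns_root, &host_mount, name, true));
    printf("host root, userns mount, after:      %d\n", setxattr_check(&host_root, &userns_mount, name, true));
    printf("ns owner (no caps), userns mount:    %d\n", setxattr_check(&ns_owner, &userns_mount, name, true));
    printf("bystander, userns mount, after:      %d\n", setxattr_check(&bystander, &userns_mount, name, true));
    return 0;
}
```

The model reproduces the shape of the walk, not the full kernel (there is no audit, no capable-by-ancestor uid mapping check beyond the owner rule, and no LSM hook); its point is to show which callers the patched check newly accepts on a namespace-owned mount and that a mount owned by the initial namespace still requires host CAP_SYS_ADMIN.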