From patchwork Mon Jan 4 18:03:53 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7950341
From: Seth Forshee
To: "Eric W. Biederman", Serge Hallyn, James Morris, "Serge E. Hallyn"
Cc: linux-bcache@vger.kernel.org, linux-security-module@vger.kernel.org, Seth Forshee, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH RESEND v2 14/18] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
Date: Mon, 4 Jan 2016 12:03:53 -0600
Message-Id: <1451930639-94331-15-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent writing these xattrs to the filesystem. The capability and LSM code have already been updated to appropriately handle xattrs from unprivileged mounts, so it is safe to loosen this restriction on setting xattrs.
The exception to this logic is that writing xattrs to a mounted filesystem may also cause the LSM inode_post_setxattr or inode_setsecurity callbacks to be invoked. SELinux will deny the xattr update by virtue of applying mountpoint labeling to unprivileged userns mounts, and Smack will deny the writes for any user without global CAP_MAC_ADMIN, so loosening the capability check in commoncap is safe in this respect as well.

Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
 security/commoncap.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c index 2119421613f6..d6c80c19c449 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -653,15 +653,17 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -679,15 +681,17 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, */ int cap_inode_removexattr(struct dentry *dentry, const char *name) { + struct user_namespace *user_ns = dentry->d_sb->s_user_ns; + if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(user_ns, CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; }
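Review bot: The relaxed check in the first hunk (cap_inode_setxattr) applies to every name under XATTR_SECURITY_PREFIX, but the commit message only argues that SELinux and Smack will reject the write; it should also state what happens on a kernel where no LSM vetoes the setxattr, since after this hunk commoncap alone permits a user holding CAP_SYS_ADMIN in s_user_ns to write any security.* attribute (and, via the CAP_SETFCAP branch, XATTR_NAME_CAPS). If that is intended because such a user can already edit the backing store, as the first paragraph says, spell that out and name the other security.* consumers that were checked, so the safety argument does not rest on two specific LSMs being enabled.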
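Review bot: The second hunk (cap_inode_removexattr) now duplicates the body of cap_inode_setxattr line for line: the `user_ns = dentry->d_sb->s_user_ns` lookup, the XATTR_NAME_CAPS / CAP_SETFCAP branch and the XATTR_SECURITY_PREFIX / CAP_SYS_ADMIN check. Consider factoring that into one static helper taking the dentry and name (something like a `cap_xattr_check(dentry, name)`) that both functions call, so the two permission checks cannot drift apart in later changes.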