From patchwork Mon Mar 28 16:59:36 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 8743741
Date: Mon, 28 Mar 2016 11:59:36 -0500
From: Seth Forshee
To: "Eric W. Biederman"
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes
Message-ID: <20160328165936.GC137406@ubuntu-hedt>
References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com> <1451930639-94331-12-git-send-email-seth.forshee@canonical.com> <20160303170201.GA30224@ubuntu-hedt> <87twkl50g5.fsf@x220.int.ebiederm.org>
In-Reply-To: <87twkl50g5.fsf@x220.int.ebiederm.org>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote:
> In general this is only an issue if uids and gids on the filesystem
> do not map into the user namespace.
>
> Therefore the general fix is to limit the logic of checking for
> capabilities in s_user_ns if we are dealing with INVALID_UID and
> INVALID_GID. For proc and kernfs that should never be the case
> so the problem becomes a non-issue.
>
> Further I would look at limiting that relaxation to just
> inode_change_ok.
Finally got around to implementing this today; is the patch below what you had in mind?

> So that we can easily wrap that check per filesystem
> and deny the relaxation for proc and kernfs. proc and kernfs already
> have wrappers for .setattr so denying changes when !uid_valid and
> !gid_valid would be a trivial addition, and ensure calamity does
> not ensue.

I'm confused about this part though. As you say above, proc and kernfs will never have inodes with invalid ids, so it's not an issue. Do you just mean this to be extra insurance against problems?

Thanks,
Seth

diff --git a/fs/attr.c b/fs/attr.c
index 3cfaaac4a18e..f2bcd3f7dfbb 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -16,6 +16,31 @@
 #include
 #include
 
+static bool chown_ok(const struct inode *inode, kuid_t uid)
+{
+	if (uid_eq(current_fsuid(), inode->i_uid) && uid_eq(uid, inode->i_uid))
+		return true;
+	if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+		return true;
+	if (!uid_valid(inode->i_uid) &&
+	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
+		return true;
+	return false;
+}
+
+static bool chgrp_ok(const struct inode *inode, kgid_t gid)
+{
+	if (uid_eq(current_fsuid(), inode->i_uid) &&
+	    (in_group_p(gid) || gid_eq(gid, inode->i_gid)))
+		return true;
+	if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+		return true;
+	if (!gid_valid(inode->i_gid) &&
+	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
+		return true;
+	return false;
+}
+
 /**
  * inode_change_ok - check if attribute changes to an inode are allowed
  * @inode: inode to check
@@ -58,17 +83,11 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)
 		return 0;
 
 	/* Make sure a caller can chown. */
-	if ((ia_valid & ATTR_UID) &&
-	    (!uid_eq(current_fsuid(), inode->i_uid) ||
-	     !uid_eq(attr->ia_uid, inode->i_uid)) &&
-	    !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+	if ((ia_valid & ATTR_UID) && !chown_ok(inode, attr->ia_uid))
 		return -EPERM;
 
 	/* Make sure caller can chgrp. */
-	if ((ia_valid & ATTR_GID) &&
-	    (!uid_eq(current_fsuid(), inode->i_uid) ||
-	     (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
-	    !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+	if ((ia_valid & ATTR_GID) && !chgrp_ok(inode, attr->ia_gid))
 		return -EPERM;
 
 	/* Make sure a caller can chmod. */
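Review bot: in the first hunk, chown_ok() and chgrp_ok() carry no comment on their third branch, which is the only behavioural change in the patch; from `!uid_valid(inode->i_uid) && ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN)` alone a reader of fs/attr.c cannot tell that an invalid i_uid/i_gid means the on-disk id has no mapping in the mounter's namespace (the case Eric describes above) and that a CAP_CHOWN holder in s_user_ns is deliberately allowed to take such an inode over. Suggest a short comment above each helper stating that rationale and noting that the relaxation is keyed on the inode's current id, not on the requested one, so an inode whose owner does map stays under the existing capable_wrt_inode_uidgid() rule.

Review bot: in the second hunk, the relaxation reaches only the ATTR_UID and ATTR_GID checks; the chmod check that follows ("/* Make sure a caller can chmod. */") and everything after it in inode_change_ok() are left on the unchanged path. That is narrower than the quoted suggestion to limit the relaxation to inode_change_ok() as a whole, and it looks intentional, so the commit message should say explicitly that the remaining checks in this function keep the stricter rule for unmapped ids, to avoid the asymmetry being read later as an oversight.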