From patchwork Fri Aug 10 16:13:27 2018
X-Patchwork-Submitter: Christian Brauner
X-Patchwork-Id: 10562925
From: Christian Brauner
To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org
Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner
Subject: [PATCH 1/9] cap_file: use v3 xattr macros
Date: Fri, 10 Aug 2018 18:13:27 +0200
Message-Id: <20180810161335.27036-2-christian@brauner.io>
In-Reply-To: <20180810161335.27036-1-christian@brauner.io>
References: <20180810161335.27036-1-christian@brauner.io>

On kernels supporting VFS_CAP_REVISION_3 we should make use of the new macros.

Signed-off-by: Christian Brauner
Reviewed-by: Serge Hallyn
--- libcap/cap_file.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libcap/cap_file.c b/libcap/cap_file.c index 76aac8c..228d806 100644 --- a/libcap/cap_file.c +++ b/libcap/cap_file.c @@ -59,6 +59,13 @@ static cap_t _fcaps_load(struct vfs_cap_data *rawvfscap, cap_t result, break; #endif +#ifdef VFS_CAP_REVISION_3 + case VFS_CAP_REVISION_3: + tocopy = VFS_CAP_U32_3; + bytes -= XATTR_CAPS_SZ_3; + break; +#endif + default: cap_free(result); result = NULL; 
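Review bot: The new VFS_CAP_REVISION_3 case in _fcaps_load() accounts for the larger attribute with bytes -= XATTR_CAPS_SZ_3, but at this point in the series rawvfscap is still a struct vfs_cap_data * (see the hunk header), which has no room for the trailing rootid, and nothing in this case reads it. Either fold this with the switch to struct vfs_ns_cap_data in 3/9 and the rootid read in 5/9, or say in the commit message that the case is inert until those land, so that each step of the series is correct on its own.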
@@ -125,9 +132,15 @@ static int _fcaps_save(struct vfs_cap_data *rawvfscap, cap_t cap_d, #ifdef _LINUX_CAPABILITY_VERSION_3 case _LINUX_CAPABILITY_VERSION_3: +#ifdef VFS_CAP_REVISION_3 + magic = VFS_CAP_REVISION_3; + tocopy = VFS_CAP_U32_3; + *bytes_p = XATTR_CAPS_SZ_3; +#else magic = VFS_CAP_REVISION_2; tocopy = VFS_CAP_U32_2; *bytes_p = XATTR_CAPS_SZ_2; +#endif break; #endif
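Review bot: In _fcaps_save(), the #ifdef picks VFS_CAP_REVISION_3 and XATTR_CAPS_SZ_3 at compile time, so a libcap built against new headers always writes a revision 3 attribute and has no way to fall back to revision 2 on a kernel that does not know it; 5/9 handles exactly that build-versus-run mismatch, but only on the load side. The buffer behind rawvfscap is also still a 20-byte struct vfs_cap_data at this point while *bytes_p is set to the 24-byte XATTR_CAPS_SZ_3. Consider choosing the revision at run time (for example, revision 2 whenever no rootid is to be stored) and moving this hunk after the type change in 3/9.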
From: Christian Brauner
To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org
Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner
Subject: [PATCH 2/9] capability: update to new uapi header
Date: Fri, 10 Aug 2018 18:13:28 +0200
Message-Id: <20180810161335.27036-3-christian@brauner.io>
In-Reply-To: <20180810161335.27036-1-christian@brauner.io>
References: <20180810161335.27036-1-christian@brauner.io>

I'm not completely sure why libcap effectively vendors a copy of the capability uapi header but I assume there's a good reason for it. But let's update it to the newest version.

Signed-off-by: Christian Brauner Reviewed-by: Serge Hallyn --- libcap/include/uapi/linux/capability.h | 39 +++++++++++++++++--------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/libcap/include/uapi/linux/capability.h b/libcap/include/uapi/linux/capability.h index 432e023..4a2d916 100644 --- a/libcap/include/uapi/linux/capability.h +++ b/libcap/include/uapi/linux/capability.h @@ -1,3 +1,4 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * This is * @@ -7,16 +8,14 @@ * * See here for the libcap library ("POSIX draft" compliance): * - * http://www.kernel.org/pub/linux/libs/security/linux-privs/ + * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ */ -#ifndef _UAPI_LINUX_CAPABILITY_H -#define _UAPI_LINUX_CAPABILITY_H +#ifndef _LINUX_CAPABILITY_H +#define _LINUX_CAPABILITY_H #include -struct task_struct; - /* User-level do most of the mapping between kernel and user capabilities based on the version tag given by the kernel. The kernel might be somewhat backwards compatible, but don't bet on @@ -62,9 +61,13 @@ typedef struct __user_cap_data_struct { #define VFS_CAP_U32_2 2 #define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2)) -#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2 -#define VFS_CAP_U32 VFS_CAP_U32_2 -#define VFS_CAP_REVISION VFS_CAP_REVISION_2 +#define VFS_CAP_REVISION_3 0x03000000 +#define VFS_CAP_U32_3 2 +#define XATTR_CAPS_SZ_3 (sizeof(__le32)*(2 + 2*VFS_CAP_U32_3)) + +#define XATTR_CAPS_SZ XATTR_CAPS_SZ_3 +#define VFS_CAP_U32 VFS_CAP_U32_3 +#define VFS_CAP_REVISION VFS_CAP_REVISION_3 struct vfs_cap_data { __le32 magic_etc; /* Little endian */ 
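Review bot: In the last hunk above, XATTR_CAPS_SZ, VFS_CAP_U32 and VFS_CAP_REVISION now alias the revision 3 values while struct vfs_cap_data keeps its revision 2 layout, so XATTR_CAPS_SZ becomes sizeof(__le32)*(2 + 2*2) = 24 bytes, 4 bytes more than that struct. Any libcap code that sizes a struct vfs_cap_data buffer or a length check with the unversioned XATTR_CAPS_SZ needs auditing before this lands; using the explicit _2 and _3 macros everywhere, as 1/9 does, avoids the ambiguity.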
@@ -74,7 +77,18 @@ struct vfs_cap_data { } data[VFS_CAP_U32]; }; -#ifndef __KERNEL__ +/* + * same as vfs_cap_data but with a rootid at the end + */ +struct vfs_ns_cap_data { + __le32 magic_etc; + struct { + __le32 permitted; /* Little endian */ + __le32 inheritable; /* Little endian */ + } data[VFS_CAP_U32]; + __le32 rootid; +}; + /* * Backwardly compatible definition for source code - trapped in a @@ -84,7 +98,6 @@ struct vfs_cap_data { #define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 #define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 -#endif /** @@ -207,7 +220,7 @@ struct vfs_cap_data { #define CAP_SYS_MODULE 16 /* Allow ioperm/iopl access */ -/* Allow sending USB messages to any device via /proc/bus/usb */ +/* Allow sending USB messages to any device via /dev/bus/usb */ #define CAP_SYS_RAWIO 17 @@ -349,7 +362,7 @@ struct vfs_cap_data { /* Allow reading the audit log via multicast netlink socket */ -#define CAP_AUDIT_READ 37 +#define CAP_AUDIT_READ 37 #define CAP_LAST_CAP CAP_AUDIT_READ 
@@ -364,4 +377,4 @@ struct vfs_cap_data { #define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */ -#endif /* _UAPI_LINUX_CAPABILITY_H */ +#endif /* _LINUX_CAPABILITY_H */
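Review bot: The commit message says the header is updated to "the newest version" but never records which kernel release or commit the copy was taken from; the include guard renamed to _LINUX_CAPABILITY_H in this last hunk, together with the dropped #ifndef __KERNEL__ block and struct task_struct declaration earlier, suggests an installed (headers_install) copy rather than the in-tree file. Please name the source version in the commit message so the next resync can be diffed against it.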
From: Christian Brauner
To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org
Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner
Subject: [PATCH 3/9] cap_file: use struct vfs_ns_cap_data if possible
Date: Fri, 10 Aug 2018 18:13:29 +0200
Message-Id: <20180810161335.27036-4-christian@brauner.io>
In-Reply-To: <20180810161335.27036-1-christian@brauner.io>
References: <20180810161335.27036-1-christian@brauner.io>

On kernels with VFS_CAP_REVISION_3 we should use struct_vfs_ns_cap_data.

Signed-off-by: Christian Brauner
Reviewed-by: Serge Hallyn
--- libcap/cap_file.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/libcap/cap_file.c b/libcap/cap_file.c index 228d806..9b8f11e 100644 --- a/libcap/cap_file.c +++ b/libcap/cap_file.c 
@@ -37,8 +37,12 @@ extern int fremovexattr(int, const char *); #define FIXUP_32BITS(x) (x) #endif -static cap_t _fcaps_load(struct vfs_cap_data *rawvfscap, cap_t result, +#ifdef VFS_CAP_REVISION_3 +static cap_t _fcaps_load(struct vfs_ns_cap_data *rawvfscap, cap_t result, int bytes) +#else +static cap_t _fcaps_load(struct vfs_cap_data *rawvfscap, cap_t result, int bytes) +#endif { __u32 magic_etc; unsigned tocopy, i; @@ -102,8 +106,12 @@ static cap_t _fcaps_load(struct vfs_cap_data *rawvfscap, cap_t result, return result; } -static int _fcaps_save(struct vfs_cap_data *rawvfscap, cap_t cap_d, +#ifdef VFS_CAP_REVISION_3 +static int _fcaps_save(struct vfs_ns_cap_data *rawvfscap, cap_t cap_d, int *bytes_p) +#else +static int _fcaps_save(struct vfs_cap_data *rawvfscap, cap_t cap_d, int *bytes_p) +#endif { __u32 eff_not_zero, magic; unsigned tocopy, i; @@ -203,7 +211,11 @@ cap_t cap_get_fd(int fildes) /* allocate a new capability set */ result = cap_init(); if (result) { +#ifdef VFS_CAP_REVISION_3 + struct vfs_ns_cap_data rawvfscap; +#else struct vfs_cap_data rawvfscap; +#endif int sizeofcaps; _cap_debug("getting fildes capabilities"); @@ -233,7 +245,11 @@ cap_t cap_get_file(const char *filename) /* allocate a new capability set */ result = cap_init(); if (result) { +#ifdef VFS_CAP_REVISION_3 + struct vfs_ns_cap_data rawvfscap; +#else struct vfs_cap_data rawvfscap; +#endif int sizeofcaps; _cap_debug("getting filename capabilities"); @@ -259,7 +275,11 @@ cap_t cap_get_file(const char *filename) int cap_set_fd(int fildes, cap_t cap_d) { +#ifdef VFS_CAP_REVISION_3 + struct vfs_ns_cap_data rawvfscap; +#else struct vfs_cap_data rawvfscap; +#endif int sizeofcaps; struct stat buf; 
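Review bot: In cap_set_fd() and the hunks before it, the same #ifdef VFS_CAP_REVISION_3 / #else / #endif block is repeated around every rawvfscap declaration and both function signatures (six copies once cap_set_file() is included). A single conditional typedef near the top of cap_file.c would keep the buffer type in one place and make it harder for a later caller to declare the smaller struct by mistake. The #else branch of the _fcaps_load() and _fcaps_save() signatures also reflows the old prototype onto one line, which is unrelated noise in this patch.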
@@ -291,7 +311,11 @@ int cap_set_fd(int fildes, cap_t cap_d) int cap_set_file(const char *filename, cap_t cap_d) { +#ifdef VFS_CAP_REVISION_3 + struct vfs_ns_cap_data rawvfscap; +#else struct vfs_cap_data rawvfscap; +#endif int sizeofcaps; struct stat buf;
From: Christian Brauner
To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org
Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner
Subject: [PATCH 4/9] cap_file: add new rootid argument
Date: Fri, 10 Aug 2018 18:13:30 +0200
Message-Id: <20180810161335.27036-5-christian@brauner.io>
In-Reply-To: <20180810161335.27036-1-christian@brauner.io>
References: <20180810161335.27036-1-christian@brauner.io>

Newer kernels support setting file capabilities in user namespaces. In addition to directly setting file capabilities in a user namespace they can also be set in lieu of another user namespace by passing a uid down to the kernel which will convert it to an appropriate kuid_t representation. This commit adds a new rootid argument to the internal struct _cap_struct so that we can store the rootid when the kernel supports VFS_CAP_REVISION_3 and returns a struct vfs_ns_cap_data.

Signed-off-by: Christian Brauner
Reviewed-by: Serge Hallyn
--- libcap/libcap.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libcap/libcap.h b/libcap/libcap.h index 2596c11..9abe4a2 100644 --- a/libcap/libcap.h +++ b/libcap/libcap.h 
@@ -118,6 +118,7 @@ struct _cap_struct { struct __user_cap_data_struct set; __u32 flat[NUMBER_OF_CAP_SETS]; } u[_LIBCAP_CAPABILITY_U32S]; + uid_t rootid; }; /* the maximum bits supportable */
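Review bot: The new uid_t rootid member of struct _cap_struct gets no comment and no defined default in this patch; 5/9 sets it only on the _fcaps_load() path, and 7/9 is described as writing it to disk. Please document which value means "no rootid recorded" (5/9 uses 0) and confirm that every other way of producing a cap_t, starting with cap_init(), leaves the field at that value rather than uninitialized.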
From: Christian Brauner
To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org
Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner
Subject: [PATCH 5/9] cap_file: initialize rootid in _fcaps_load()
Date: Fri, 10 Aug 2018 18:13:31 +0200
Message-Id: <20180810161335.27036-6-christian@brauner.io>
In-Reply-To: <20180810161335.27036-1-christian@brauner.io>
References: <20180810161335.27036-1-christian@brauner.io>

When the kernel supports namespaced file capabilities (VFS_REVISION_3) it will return a struct vfs_ns_cap_data that will contain an additional rootid field recording the rootid of the file capability sets in the current user namespace. When libcap has been compiled on a kernel that supports VFS_CAP_REVISION_3 but is used on a kernel that does not support VFS_CAP_REVISION_3 we need to initialize the root id of struct vfs_ns_cap_data to zero so that no invalid data is passed along when a VFS_REVISION_2 fcap was set on the file.

Signed-off-by: Christian Brauner
Reviewed-by: Serge Hallyn
--- libcap/cap_file.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libcap/cap_file.c b/libcap/cap_file.c index 9b8f11e..eb98bf7 100644 --- a/libcap/cap_file.c +++ b/libcap/cap_file.c @@ -103,6 +103,13 @@ static cap_t _fcaps_load(struct vfs_cap_data *rawvfscap, cap_t result, int bytes i++; } +#ifdef VFS_CAP_REVISION_3 + /* The kernel returns the rootid as a _le32. In case we're on a big endian + * machine we need to fix this up. + */ + result->rootid = FIXUP_32BITS(rawvfscap->rootid); +#endif + return result; } 
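Review bot: result->rootid = FIXUP_32BITS(rawvfscap->rootid) sits after the copy loop and so runs for every revision the switch accepts; for an older-revision attribute it reads a field the kernel never filled and is only correct because each caller zeroes rawvfscap.rootid first. Reading rootid inside the VFS_CAP_REVISION_3 case and setting result->rootid = 0 otherwise would keep that invariant local to _fcaps_load(). The comment should also say __le32, not _le32.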
@@ -221,6 +228,7 @@ cap_t cap_get_fd(int fildes) _cap_debug("getting fildes capabilities"); /* fill the capability sets via a system call */ + rawvfscap.rootid = 0; sizeofcaps = fgetxattr(fildes, XATTR_NAME_CAPS, &rawvfscap, sizeof(rawvfscap)); if (sizeofcaps < ssizeof(rawvfscap.magic_etc)) { 
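Review bot: rawvfscap.rootid = 0 in cap_get_fd() (and the identical line added to cap_get_file() in the next hunk) is not under #ifdef VFS_CAP_REVISION_3, unlike the read added to _fcaps_load(), yet 3/9 declares rawvfscap as struct vfs_cap_data, which has no rootid member, when that macro is undefined, so the build breaks against old headers. Guard the assignment, or zero the whole buffer before the getxattr call, which also covers a short read.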
@@ -255,6 +263,7 @@ cap_t cap_get_file(const char *filename) _cap_debug("getting filename capabilities"); /* fill the capability sets via a system call */ + rawvfscap.rootid = 0; sizeofcaps = getxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeof(rawvfscap)); if (sizeofcaps < ssizeof(rawvfscap.magic_etc)) {
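The attribute layout that the 2/9 header hunk and the 5/9 commit message describe (revision 3 is revision 2 plus a trailing little-endian rootid, and a revision 2 attribute must read back with rootid 0), as an added example that is not part of this series or of libcap. The EX_/ex_ names and the sample attribute bytes are constructed for illustration; the mask and effective-flag values are the kernel's VFS_CAP_REVISION_MASK and VFS_CAP_FLAGS_EFFECTIVE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Revision and size values as in the uapi header hunk of 2/9.
 * The EX_ names belong to this example only. */
#define EX_REVISION_MASK   0xFF000000u
#define EX_FLAG_EFFECTIVE  0x00000001u
#define EX_REVISION_2      0x02000000u
#define EX_REVISION_3      0x03000000u
#define EX_U32             2u
#define EX_SZ_2            (4u * (1u + 2u * EX_U32))  /* 20: magic + 2 pairs */
#define EX_SZ_3            (4u * (2u + 2u * EX_U32))  /* 24: same + rootid   */

struct ex_fcaps {
    uint32_t revision;     /* EX_REVISION_2 or EX_REVISION_3 */
    int      effective;    /* legacy effective bit from magic_etc */
    uint64_t permitted;
    uint64_t inheritable;
    uint32_t rootid;       /* 0 unless the attribute is revision 3 */
};

/* Constructed samples: effective bit set, permitted = CAP_NET_RAW (bit 13). */
static const unsigned char ex_sample_v2[20] = {
    0x01, 0x00, 0x00, 0x02,  /* magic_etc: revision 2 | effective */
    0x00, 0x20, 0x00, 0x00,  /* data[0].permitted   */
    0x00, 0x00, 0x00, 0x00,  /* data[0].inheritable */
    0x00, 0x00, 0x00, 0x00,  /* data[1].permitted   */
    0x00, 0x00, 0x00, 0x00,  /* data[1].inheritable */
};
static const unsigned char ex_sample_v3[24] = {
    0x01, 0x00, 0x00, 0x03,  /* magic_etc: revision 3 | effective */
    0x00, 0x20, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0xA0, 0x86, 0x01, 0x00,  /* rootid = 100000, little endian */
};

/* Decode a little-endian 32-bit value independent of host byte order. */
static uint32_t ex_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a raw security.capability value. Returns 0 on success, -1 if the
 * revision is unknown or the length does not match the revision exactly. */
int ex_parse_fcaps(const unsigned char *buf, size_t len, struct ex_fcaps *out)
{
    uint32_t magic, rev;
    size_t want;
    unsigned i;

    if (buf == NULL || out == NULL || len < 4)
        return -1;
    memset(out, 0, sizeof(*out));   /* rootid defaults to 0, never garbage */

    magic = ex_le32(buf);
    rev = magic & EX_REVISION_MASK;
    if (rev == EX_REVISION_2)
        want = EX_SZ_2;
    else if (rev == EX_REVISION_3)
        want = EX_SZ_3;
    else
        return -1;
    if (len != want)                /* truncated or padded attribute */
        return -1;

    out->revision = rev;
    out->effective = (magic & EX_FLAG_EFFECTIVE) != 0;
    for (i = 0; i < EX_U32; i++) {
        out->permitted   |= (uint64_t)ex_le32(buf + 4 + 8 * i) << (32 * i);
        out->inheritable |= (uint64_t)ex_le32(buf + 8 + 8 * i) << (32 * i);
    }
    /* Only revision 3 carries a rootid; read it inside the version check. */
    if (rev == EX_REVISION_3)
        out->rootid = ex_le32(buf + 4 + 8 * EX_U32);
    return 0;
}

int main(void)
{
    struct ex_fcaps c;

    if (ex_parse_fcaps(ex_sample_v2, sizeof(ex_sample_v2), &c) == 0)
        printf("v2: permitted=0x%llx rootid=%u\n",
               (unsigned long long)c.permitted, (unsigned)c.rootid);
    if (ex_parse_fcaps(ex_sample_v3, sizeof(ex_sample_v3), &c) == 0)
        printf("v3: permitted=0x%llx rootid=%u\n",
               (unsigned long long)c.permitted, (unsigned)c.rootid);
    /* A revision 3 magic on a 20-byte value must be rejected. */
    printf("truncated v3 -> %d\n", ex_parse_fcaps(ex_sample_v3, 20, &c));
    return 0;
}
```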
From: Christian Brauner
To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org
Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner
Subject: [PATCH 6/9] capability: add cap_get_nsowner()
Date: Fri, 10 Aug 2018 18:13:32 +0200
Message-Id: <20180810161335.27036-7-christian@brauner.io>
In-Reply-To: <20180810161335.27036-1-christian@brauner.io>
References: <20180810161335.27036-1-christian@brauner.io>

cap_get_nsowner() allows retrieving the rootid of the file capability sets in the current user namespace.

Signed-off-by: Christian Brauner
Reviewed-by: Serge Hallyn
--- libcap/cap_file.c | 16 ++++++++++++++++ libcap/include/sys/capability.h | 1 + 2 files changed, 17 insertions(+) 
diff --git a/libcap/cap_file.c b/libcap/cap_file.c index eb98bf7..7acd60c 100644 --- a/libcap/cap_file.c +++ b/libcap/cap_file.c @@ -277,6 +277,16 @@ cap_t cap_get_file(const char *filename) return result; } +/* + * Get rootid as seen in the current user namespace for the file capability + * sets. + */ + +uid_t cap_get_nsowner(cap_t cap_d) +{ + return cap_d->rootid; +} + /* * Set the capabilities of an open file, as specified by its file * descriptor. @@ -363,6 +373,12 @@ cap_t cap_get_file(const char *filename) return NULL; } +uid_t cap_get_nsowner(cap_t cap_d) +{ + errno = EINVAL; + return -1; +} + int cap_set_fd(int fildes, cap_t cap_d) { errno = EINVAL; diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h index 0976fa7..42d8154 100644 --- a/libcap/include/sys/capability.h +++ b/libcap/include/sys/capability.h 
@@ -82,6 +82,7 @@ extern int cap_clear_flag(cap_t, cap_flag_t); /* libcap/cap_file.c */ extern cap_t cap_get_fd(int); extern cap_t cap_get_file(const char *); +extern uid_t cap_get_nsowner(cap_t); extern int cap_set_fd(int, cap_t); extern int cap_set_file(const char *, cap_t);
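Review bot: cap_get_nsowner() in the first cap_file.c hunk dereferences cap_d without checking it, while the fallback variant added in the second hunk reports failure as errno = EINVAL with return -1 from a function returning uid_t. Please validate cap_d in the real implementation and return the same (uid_t)-1 with EINVAL, and document next to the new prototype in sys/capability.h that (uid_t)-1 is the error value, since callers cannot otherwise tell it from a rootid.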
:references; bh=+xKoRfcOtDffqSz8c9BxFksj6tfCBF5lL4B+vKlDaFs=; b=VIjBZCy51U4fivrYTsxQuh+mHVF/wUbh1XmxNtBf5gYsVxeX45DqDVWuUgxtdBTf8Z KJUvD/QnaiHJnN0enqD+AFVnS32c+836RFTtYIBSDanrr8icgUBVACmZm2FnZpJdc3uT Fn3+zMBd3Fgu5FwW/5MIICBMI5OUalvBFpKZMQvpTAFwTaAprlwurjIVXHzgB7SSqg2c 9yIXLRD77m0/yd/hCQPxEJ6sBOAECeuA+VPkfffpnOa2EziUXN2wk4Jz2ogqslL9Qjrw sAi4V0BVSWTJZxlxaaQMfk1K9J6Dic81DC6Ub4KDxXy75ZdVnmwrFnCTr9W4uP3Zennb rMOg== X-Gm-Message-State: AOUpUlE6gARWpFFtavbtiNlybzJTwVplFDatoaoctJ5Miv10C8axjgul Qfzh0ZxwntrkgMDBoj82EKfvmIRJndE= X-Google-Smtp-Source: AA+uWPw3UTzR+sMfmX/YIWmMzSfgdfWYh68/DMwzVZJ195ZinniSl26bSF5T7m00Yc5lcmZz9XYKug== X-Received: by 2002:adf:9f13:: with SMTP id l19-v6mr4713171wrf.206.1533917639295; Fri, 10 Aug 2018 09:13:59 -0700 (PDT) Received: from localhost.localdomain (u-082-c008.eap.uni-tuebingen.de. [134.2.82.8]) by smtp.gmail.com with ESMTPSA id m13-v6sm9987615wru.93.2018.08.10.09.13.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 10 Aug 2018 09:13:58 -0700 (PDT) From: Christian Brauner To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner Subject: [PATCH 7/9] cap_file: save rootid in _fcaps_save() Date: Fri, 10 Aug 2018 18:13:33 +0200 Message-Id: <20180810161335.27036-8-christian@brauner.io> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180810161335.27036-1-christian@brauner.io> References: <20180810161335.27036-1-christian@brauner.io> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP When the kernel supports namespaced file capabilites (VFS_REVISION_3) it will take a struct vfs_ns_cap_data that will contain an additional rootid field recording a rootid. It can be used to set the rootid of a target user namespace as seen in the current user namespace. This allows a user namespace to set file capabilities in lieu of another user namespace. 
Signed-off-by: Christian Brauner Reviewed-by: Serge Hallyn --- libcap/cap_file.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libcap/cap_file.c b/libcap/cap_file.c index 7acd60c..57c6e3f 100644 --- a/libcap/cap_file.c +++ b/libcap/cap_file.c 
@@ -197,6 +197,13 @@ static int _fcaps_save(struct vfs_cap_data *rawvfscap, cap_t cap_d, int *bytes_p } } +#ifdef VFS_CAP_REVISION_3 + /* The kernel expects the rootid to be a _le32. In case we're on a big + * endian machine we need to fix this up. + */ + rawvfscap->rootid = FIXUP_32BITS(cap_d->rootid); +#endif + if (eff_not_zero == 0) { rawvfscap->magic_etc = FIXUP_32BITS(magic); } else {

From patchwork Fri Aug 10 16:13:34 2018
X-Patchwork-Submitter: Christian Brauner
X-Patchwork-Id: 10562939
From: Christian Brauner
To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org
Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner
Subject: [PATCH 8/9] cap_file: handle run- vs buildtime vfs cap support
Date: Fri, 10 Aug 2018 18:13:34 +0200
Message-Id: <20180810161335.27036-9-christian@brauner.io>
In-Reply-To: <20180810161335.27036-1-christian@brauner.io>

If libcap was compiled on a kernel supporting VFS_CAP_REVISION_3 but is running on a kernel that does not support VFS_CAP_REVISION_3 we should always pass down a legacy struct vfs_cap_data if the rootid is 0. On kernels supporting VFS_CAP_REVISION_3 the kernel will take care of translating it from VFS_CAP_REVISION_2 to a VFS_CAP_REVISION_3 version. We can elegantly handle both cases by setting magic to VFS_CAP_REVISION_2 and only passing down XATTR_CAPS_SZ_2 bytes which will leave out the rootid field.

If the rootid field is not 0 then we will pass down the VFS_CAP_REVISION_3 and XATTR_CAPS_SZ_3. On kernels supporting VFS_CAP_REVISION_3 this will succeed; on kernels not supporting VFS_CAP_REVISION_3 this will fail. The failure on kernels not supporting VFS_CAP_REVISION_3 is wanted since the user explicitly requested an unprivileged file capability but the kernel does not actually support it. So fail hard.

Signed-off-by: Christian Brauner
Reviewed-by: Serge Hallyn
--- libcap/cap_file.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/libcap/cap_file.c b/libcap/cap_file.c index 57c6e3f..a1f3891 100644 --- a/libcap/cap_file.c +++ b/libcap/cap_file.c
@@ -202,6 +202,24 @@ static int _fcaps_save(struct vfs_cap_data *rawvfscap, cap_t cap_d, int *bytes_p * endian machine we need to fix this up. */ rawvfscap->rootid = FIXUP_32BITS(cap_d->rootid); + if (rawvfscap->rootid == 0) { + /* If libcap was compiled on a kernel supporting VFS_CAP_REVISION_3 but + * running on a kernel that does not support VFS_CAP_REVISION_3 we + * should always pass down a legacy struct vfs_cap_data if the rootid is + * 0. On kernels supporting VFS_CAP_REVISION_3 the kernel will take care + * of translating it from VFS_CAP_REVISION_2 to a VFS_CAP_REVISION_3 + * version. We can elegantly handle both cases by setting magic to + * VFS_CAP_REVISION_2 and only passing down XATTR_CAPS_SZ_2 bytes which + * will leave out the rootid field. If the rootid field is not 0 then + * we will pass down the VFS_CAP_REVISION_3 and XATTR_CAPS_SZ_3. On + * kernels supporting VFS_CAP_REVISION_3 this will succeed on kernels + * not supporting VFS_CAP_REVISION_3 this will fail. The failure on kernels + * not supporting VFS_CAP_REVISION_3 is wanted since the user explicitly + * requested an unprivileged file capability but the kernel does not + * actually support it. So fail hard. 
 */ + magic = VFS_CAP_REVISION_2; + *bytes_p = XATTR_CAPS_SZ_2; + } #endif if (eff_not_zero == 0) {

From patchwork Fri Aug 10 16:13:35 2018
X-Patchwork-Submitter: Christian Brauner
X-Patchwork-Id: 10562941
From: Christian Brauner
To: linux-security-module@vger.kernel.org, containers@lists.linux-foundation.org
Cc: serge@hallyn.com, morgan@kernel.org, Christian Brauner
Subject: [PATCH 9/9] capability: add cap_set_nsowner()
Date: Fri, 10 Aug 2018 18:13:35 +0200
Message-Id: <20180810161335.27036-10-christian@brauner.io>
In-Reply-To: <20180810161335.27036-1-christian@brauner.io>

cap_set_nsowner() allows setting the rootid of file capability sets. It can be used to set the rootid of a target user namespace as seen in the current user namespace. This allows a user namespace to set file capabilities in lieu of another user namespace.

Signed-off-by: Christian Brauner
Reviewed-by: Serge Hallyn
--- libcap/cap_file.c | 16 ++++++++++++++++ libcap/include/sys/capability.h | 1 + 2 files changed, 17 insertions(+) diff --git a/libcap/cap_file.c b/libcap/cap_file.c index a1f3891..9a1643c 100644 --- a/libcap/cap_file.c
+++ b/libcap/cap_file.c @@ -384,6 +384,16 @@ int cap_set_file(const char *filename, cap_t cap_d) return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0); } +/* + * Set rootid for the file capability sets. + */ + +int cap_set_nsowner(cap_t cap_d, uid_t rootid) +{ + cap_d->rootid = rootid; + return 0; +} + #else /* ie. ndef VFS_CAP_U32 */ cap_t cap_get_fd(int fildes) @@ -416,4 +426,10 @@ int cap_set_file(const char *filename, cap_t cap_d) return -1; } +void cap_set_nsowner(cap_t cap_d, uid_t rootid) +{ + errno = EINVAL; + return -1; +} + #endif /* def VFS_CAP_U32 */ diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h index 42d8154..a9515b6 100644 --- a/libcap/include/sys/capability.h +++ b/libcap/include/sys/capability.h @@ -85,6 +85,7 @@ extern cap_t cap_get_file(const char *); extern uid_t cap_get_nsowner(cap_t); extern int cap_set_fd(int, cap_t); extern int cap_set_file(const char *, cap_t); +extern int cap_set_nsowner(cap_t, uid_t); /* libcap/cap_proc.c */ extern cap_t cap_get_proc(void);
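Review bot: cap_get_nsowner() in the cap_file.c hunk at @@ -277,6 +277,16 @@ (index eb98bf7..7acd60c) returns cap_d->rootid without checking cap_d, so a NULL or otherwise invalid handle is dereferenced; validate the argument first and fail with errno = EINVAL, as the fallback stub at @@ -363,6 +373,12 @@ already does. That stub also returns -1 from a function typed uid_t, which the caller receives as (uid_t)-1 and cannot tell apart from a stored id without also inspecting errno. Either document that convention in the comment above the function or return the id through an out parameter and keep the return value for status.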
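Review bot: the added store rawvfscap->rootid = FIXUP_32BITS(cap_d->rootid); in the @@ -197,6 +197,13 @@ hunk of [PATCH 7/9] writes a rootid member, but the hunk header still shows the parameter as struct vfs_cap_data *rawvfscap, while the commit message places rootid in struct vfs_ns_cap_data. Please confirm that both the parameter type and the caller's buffer are the larger namespaced struct whenever VFS_CAP_REVISION_3 is defined; if they are not, this either fails to build or writes beyond the buffer the caller passed in. Minor: the comment says _le32 where the kernel type is __le32.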
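Review bot: the new test if (rawvfscap->rootid == 0) in the @@ -202,6 +202,24 @@ hunk of [PATCH 8/9] compares the value after FIXUP_32BITS, which is correct only because 0 reads the same in either byte order; testing cap_d->rootid == 0 states the intent directly and does not depend on that. The block comment inside the branch repeats the commit message word for word; two or three lines saying that a rootid of 0 is written as VFS_CAP_REVISION_2 with XATTR_CAPS_SZ_2 so that kernels without VFS_CAP_REVISION_3 accept it would be enough, with the rationale left in the commit log.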
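Review bot: the fallback stub in the @@ -416,4 +426,10 @@ hunk of [PATCH 9/9] is declared void cap_set_nsowner(cap_t cap_d, uid_t rootid) but ends with return -1;, and the capability.h hunk declares extern int cap_set_nsowner(cap_t, uid_t);, so a build without VFS_CAP_U32 gets a conflicting-types error. Change the stub's return type to int. The real implementation at @@ -384,6 +384,16 @@ also stores into cap_d->rootid without validating cap_d; return -1 with errno = EINVAL for a NULL or invalid handle so that both variants fail the same way.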