Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-26 Thread Mimi Zohar
On Tue, 2017-07-25 at 22:00 -0500, Serge E. Hallyn wrote: > On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote: > > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > > > Which brings us to the semantic question of would it be nice to have > > > stacked IMA/EVM on the same file.

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-25 Thread Serge E. Hallyn
On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote: > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > > Which brings us to the semantic question of would it be nice to have > > stacked IMA/EVM on the same file. > > > > I really don't think we do. I think allowing multiple ke

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Stefan Berger writes: > > > On 07/18/2017 03:01 AM, James Morris wrote: > >> On Thu, 13 Jul 2017, Stefan Berger wrote: > >> > >>> A file shared by 2 containers, one mapping root to uid=1000, the other > >>> mapping > >>> root to uid=2000, will

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Stefan Berger
On 07/18/2017 10:57 AM, Vivek Goyal wrote: On Tue, Jul 18, 2017 at 09:21:22AM -0400, Stefan Berger wrote: On 07/18/2017 08:30 AM, Vivek Goyal wrote: On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: On 07/18/2017 07:48 AM, Vivek Goyal wrote: On Mon, Jul 17, 2017 at 04:50:22PM -04

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Vivek Goyal
On Tue, Jul 18, 2017 at 09:21:22AM -0400, Stefan Berger wrote: > On 07/18/2017 08:30 AM, Vivek Goyal wrote: > > On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: > > > On 07/18/2017 07:48 AM, Vivek Goyal wrote: > > > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: > >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Eric W. Biederman
Vivek Goyal writes: > On Tue, Jul 18, 2017 at 08:30:09AM -0400, Vivek Goyal wrote: >> On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: >> > On 07/18/2017 07:48 AM, Vivek Goyal wrote: >> > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: >> > > > On 07/17/2017 02:58 P

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Eric W. Biederman
Stefan Berger writes: > On 07/18/2017 03:01 AM, James Morris wrote: >> On Thu, 13 Jul 2017, Stefan Berger wrote: >> >>> A file shared by 2 containers, one mapping root to uid=1000, the other >>> mapping >>> root to uid=2000, will show these two xattrs on the host (init_user_ns) once >>> these co

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Stefan Berger
On 07/18/2017 08:30 AM, Vivek Goyal wrote: On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: On 07/18/2017 07:48 AM, Vivek Goyal wrote: On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: On 07/17/2017 02:58 PM, Vivek Goyal wrote: On Tue, Jul 11, 2017 at 11:05:11AM -04

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Vivek Goyal
On Tue, Jul 18, 2017 at 08:30:09AM -0400, Vivek Goyal wrote: > On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: > > On 07/18/2017 07:48 AM, Vivek Goyal wrote: > > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: > > > > On 07/17/2017 02:58 PM, Vivek Goyal wrote: > > >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Vivek Goyal
On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: > On 07/18/2017 07:48 AM, Vivek Goyal wrote: > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: > > > On 07/17/2017 02:58 PM, Vivek Goyal wrote: > > > > On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: > >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Stefan Berger
On 07/18/2017 03:01 AM, James Morris wrote: On Thu, 13 Jul 2017, Stefan Berger wrote: A file shared by 2 containers, one mapping root to uid=1000, the other mapping root to uid=2000, will show these two xattrs on the host (init_user_ns) once these containers set xattrs on that file. I may be m

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Stefan Berger
On 07/18/2017 07:48 AM, Vivek Goyal wrote: On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: On 07/17/2017 02:58 PM, Vivek Goyal wrote: On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: [..] +/* + * xattr_list_userns_rewrite - Rewrite list of xattr names for user nam

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Vivek Goyal
On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: > On 07/17/2017 02:58 PM, Vivek Goyal wrote: > > On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: > > > > [..] > > > +/* > > > + * xattr_list_userns_rewrite - Rewrite list of xattr names for user > > > namespaces > > > +

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread James Morris
On Thu, 13 Jul 2017, Stefan Berger wrote: > A file shared by 2 containers, one mapping root to uid=1000, the other mapping > root to uid=2000, will show these two xattrs on the host (init_user_ns) once > these containers set xattrs on that file. I may be missing something here, but what happens w

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-17 Thread Stefan Berger
On 07/17/2017 02:58 PM, Vivek Goyal wrote: On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: [..] +/* + * xattr_list_userns_rewrite - Rewrite list of xattr names for user namespaces + * or determine needed size for attribute list + *

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-17 Thread Vivek Goyal
On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: [..] > +/* > + * xattr_list_userns_rewrite - Rewrite list of xattr names for user > namespaces > + * or determine needed size for attribute list > + * in case size == 0 > + * > +

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-16 Thread Mimi Zohar
On Fri, 2017-07-14 at 19:02 -0500, Eric W. Biederman wrote: > Mimi Zohar writes: > > > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > >> "Serge E. Hallyn" writes: > >> > >> > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > >> >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-15 Thread Stefan Berger
On 07/14/2017 07:41 PM, Eric W. Biederman wrote: Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: From: Stefan Berger This patch enables security.capability in user namespaces but also takes a more general approach to enabling extended attributes in user namespaces. The foll

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Mimi Zohar writes: > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: >> "Serge E. Hallyn" writes: >> >> > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: >> >> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> >> >>On 07

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
James Bottomley writes: > On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote: >> On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: >> > >> > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: >> > > >> > > The concern is with a shared filesystem.  In that case, for IMA >> > > it wou

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: > From: Stefan Berger > > This patch enables security.capability in user namespaces but also > takes a more general approach to enabling extended attributes in user > namespaces. > > The following rules describe the approach using

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Theodore Ts'o writes: > On Fri, Jul 14, 2017 at 01:39:59PM -0700, James Bottomley wrote: >> but why?  That's partly the point of all of this: some security. >> attributes can't be written by container root without some supervision >> (the capability ones are the hugely problematic ones from this

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 13:39 -0700, James Bottomley wrote: > On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote: > > On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > > > > > > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > > > > > > > The concern is with a shared filesystem.

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Theodore Ts'o
On Fri, Jul 14, 2017 at 01:39:59PM -0700, James Bottomley wrote: > but why?  That's partly the point of all of this: some security. > attributes can't be written by container root without some supervision > (the capability ones are the hugely problematic ones from this point of > view), but for som

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread James Bottomley
On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote: > On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > > > > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > > > > > The concern is with a shared filesystem.  In that case, for IMA > > > it would make sense to support a native

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > The concern is with a shared filesystem.  In that case, for IMA it > > would make sense to support a native and a namespace xattr.  If due > > to xattr space limitations we have to

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 15:29 -0400, Theodore Ts'o wrote: > On Fri, Jul 14, 2017 at 02:48:10PM -0400, Mimi Zohar wrote: > > > > If I'm understanding the discussion correctly, this isn't an issue for > > layered copy on write filesystems, as each fs layer could have its > > own set of xattrs.  The u

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Theodore Ts'o
On Fri, Jul 14, 2017 at 02:48:10PM -0400, Mimi Zohar wrote: > > If I'm understanding the discussion correctly, this isn't an issue for > layered copy on write filesystems, as each fs layer could have its > own set of xattrs.  The underlying and layered xattrs should be able > to co-exist.  Use th

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > "Serge E. Hallyn" writes: > > > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: > >> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > >> >>On 07/13/2017 08:38 PM, Eric W. Bi

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Stefan Berger
On 07/14/2017 01:36 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: Quoting Stefan Berger (stef...@linux.vnet.ibm.com): On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 01:49 PM, Eric W. Biederman wrote

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Stefan Berger writes: > On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: >> Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >>> On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: > On 07/13/2017 01:49 PM, Eric W. Biederman wrote: > >> My big question r

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread James Bottomley
On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > The concern is with a shared filesystem.  In that case, for IMA it > would make sense to support a native and a namespace xattr.  If due > to xattr space limitations we have to limit the number of xattrs, > then we should limit it to two - a n

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 12:35 -0500, Serge E. Hallyn wrote: > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > > On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: > > >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > > >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote: > > >>>Stefan Berger wr

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: >> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> >>>Stefan Berger writes: >> >>> >> On 07/13/2017

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: > >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote: > >>>Stefan Berger writes: > >>> > On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Stefan Berger
On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: Quoting Stefan Berger (stef...@linux.vnet.ibm.com): On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 01:49 PM, Eric W. Biederman wrote: My big question right now is can you implement Ted's suggested restrict

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: > >Stefan Berger writes: > > > >>On 07/13/2017 01:49 PM, Eric W. Biederman wrote: > >> > >>>My big question right now is can you implement Ted's suggested > >>>restriction. Only one security.foo

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Stefan Berger
On 07/14/2017 08:04 AM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 01:49 PM, Eric W. Biederman wrote: My big question right now is can you implement Ted's suggested restriction. Only one security.fo

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Stefan Berger writes: > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> Stefan Berger writes: >> >>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >>> My big question right now is can you implement Ted's suggested restriction. Only one security.foo or security.foo@... attribute

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Stefan Berger
On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 01:49 PM, Eric W. Biederman wrote: My big question right now is can you implement Ted's suggested restriction. Only one security.foo or security.foo@... attribute ? We need to raw-list the xattrs and do th

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
Stefan Berger writes: > On 07/13/2017 01:49 PM, Eric W. Biederman wrote: > > > My big question right now is can you implement Ted's suggested > > restriction. Only one security.foo or security.foo@... attribute ? > We need to raw-list the xattrs and do the check before writing them. I am > fai

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > For virtualizing the xattrs on the 'value' side I was looking for > whether there's something like a 'wrapper' structure around the > actual value of the xattr so that that wrapper could be extended to > support different values at different uid

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> Stefan Berger writes: >> >> > On 07/13/2017 01:14 PM, Eric W. Biederman wrote: >> >> Theodore Ts'o writes: >> >> >> >>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: >> The concise summa

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Stefan Berger writes: > If you don't care about the ownership of the files, and read only is > acceptable, and you still don't want to give these executables > capabilities in the initial user namespace. What you can do is > make everything own

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Theodore Ts'o (ty...@mit.edu): > On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: > > The concise summary: > > > > Today we have the xattr security.capable that holds a set of > > capabilities that an application gains when executed. AKA setuid root exec > > without actu

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Stefan Berger writes: > > > On 07/13/2017 01:14 PM, Eric W. Biederman wrote: > >> Theodore Ts'o writes: > >> > >>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: > The concise summary: > > Today we have the x

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Theodore Ts'o (ty...@mit.edu): > On Thu, Jul 13, 2017 at 12:39:10PM -0500, Eric W. Biederman wrote: > > > Can you define what 'scalable' means for you in this context? > > > From what I can see sharing a filesystem between multiple containers > > > doesn't 'scale well' for virtualizing the

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Theodore Ts'o
On Thu, Jul 13, 2017 at 12:39:10PM -0500, Eric W. Biederman wrote: > > Can you define what 'scalable' means for you in this context? > > From what I can see sharing a filesystem between multiple containers > > doesn't 'scale well' for virtualizing the xattrs primarily because of > > size limitation

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
Stefan Berger writes: > On 07/13/2017 01:14 PM, Eric W. Biederman wrote: >> Theodore Ts'o writes: >> >>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: The concise summary: Today we have the xattr security.capable that holds a set of capabilities that an a

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
Stefan Berger writes: > On 07/13/2017 12:40 PM, Theodore Ts'o wrote: >> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: >>> The concise summary: >>> >>> Today we have the xattr security.capable that holds a set of >>> capabilities that an application gains when executed. AKA s

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Stefan Berger
On 07/13/2017 01:14 PM, Eric W. Biederman wrote: Theodore Ts'o writes: On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: The concise summary: Today we have the xattr security.capable that holds a set of capabilities that an application gains when executed. AKA setuid root e

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
Theodore Ts'o writes: > On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: >> The concise summary: >> >> Today we have the xattr security.capable that holds a set of >> capabilities that an application gains when executed. AKA setuid root exec >> without actually being setuid ro

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Stefan Berger
On 07/13/2017 12:40 PM, Theodore Ts'o wrote: On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: The concise summary: Today we have the xattr security.capable that holds a set of capabilities that an application gains when executed. AKA setuid root exec without actually being se

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Theodore Ts'o
On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: > The concise summary: > > Today we have the xattr security.capable that holds a set of > capabilities that an application gains when executed. AKA setuid root exec > without actually being setuid root. > > User namespaces have t

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
Theodore Ts'o writes: > I'm really confused what problem that is trying to be solved, here, > but it **feels** really, really wrong. > > Why do we need to store all of this state on a per-file basis, instead > of some kind of per-file system or per-container data structure? > > And how many of th

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Serge E. Hallyn
Quoting Theodore Ts'o (ty...@mit.edu): > I'm really confused what problem that is trying to be solved, here, > but it **feels** really, really wrong. Hi, The intro to my original patch might help (or maybe not), as it has a different motivating text: http://lkml.org/lkml/2016/11/19/158 We want

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Theodore Ts'o
I'm really confused what problem that is trying to be solved, here, but it **feels** really, really wrong. Why do we need to store all of this state on a per-file basis, instead of some kind of per-file system or per-container data structure? And how many of these security.foo@uid=bar xattrs do y

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > James Morris writes: > > > On Wed, 12 Jul 2017, Serge E. Hallyn wrote: > > > >> Quoting Eric W. Biederman (ebied...@xmission.com): > >> > Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: > >> > > Signed-off-by: Stefan Berger >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Stefan Berger
On 07/12/2017 07:13 PM, Eric W. Biederman wrote: "Serge E. Hallyn" writes: Quoting Eric W. Biederman (ebied...@xmission.com): Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: Signed-off-by: Stefan Berger Signed-off-by: Serge Hallyn Reviewed-by: Serge Hallyn It doesn't lo

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > "Serge E. Hallyn" writes: > > > Quoting Eric W. Biederman (ebied...@xmission.com): > >> Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: > >> > Signed-off-by: Stefan Berger > >> > Signed-off-by: Serge Hallyn > >> > Reviewed-b

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Eric W. Biederman
James Morris writes: > On Wed, 12 Jul 2017, Serge E. Hallyn wrote: > >> Quoting Eric W. Biederman (ebied...@xmission.com): >> > Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: >> > > Signed-off-by: Stefan Berger >> > > Signed-off-by: Serge Hallyn >> > > Reviewed-by: Serge Hall

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: >> > Signed-off-by: Stefan Berger >> > Signed-off-by: Serge Hallyn >> > Reviewed-by: Serge Hallyn >> >> It doesn't look like this is coming throu

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread James Morris
On Wed, 12 Jul 2017, Serge E. Hallyn wrote: > Quoting Eric W. Biederman (ebied...@xmission.com): > > Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: > > > Signed-off-by: Stefan Berger > > > Signed-off-by: Serge Hallyn > > > Reviewed-by: Serge Hallyn > > > > It doesn't look li

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Stefan Berger
On 07/12/2017 01:53 PM, Vivek Goyal wrote: On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: [..] @@ -301,14 +721,39 @@ ssize_t __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, void *value, size_t size) { - const struct xattr_han

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Vivek Goyal
On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: [..] > @@ -301,14 +721,39 @@ ssize_t > __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, > void *value, size_t size) > { > - const struct xattr_handler *handler; > + const struct xattr_

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > On 07/11/2017 11:45 PM, Serge E. Hallyn wrote: > >Quoting Stefan Berger (Stefan bergerstef...@linux.vnet.ibm.com): > >>+/* > >>+ * xattr_list_userns_rewrite - Rewrite list of xattr names for user > >>namespaces > >>+ *

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: > > Signed-off-by: Stefan Berger > > Signed-off-by: Serge Hallyn > > Reviewed-by: Serge Hallyn > > It doesn't look like this is coming through Serge so I don't see how > the Si

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Eric W. Biederman
Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: > From: Stefan Berger > > This patch enables security.capability in user namespaces but also > takes a more general approach to enabling extended attributes in user > namespaces. > > The following rules describe the approach using

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread Stefan Berger
On 07/11/2017 11:45 PM, Serge E. Hallyn wrote: Quoting Stefan Berger (Stefan bergerstef...@linux.vnet.ibm.com): +/* + * xattr_list_userns_rewrite - Rewrite list of xattr names for user namespaces + * or determine needed size for attribute list + *

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-12 Thread James Morris
On Tue, 11 Jul 2017, Stefan Berger wrote: > + buflen = sizeof("@uid=") - 1 + sizeof("4294967295") - 1 + 1; Why not strlen() here? -- James Morris

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-11 Thread Serge E. Hallyn
Quoting Stefan Berger (Stefan bergerstef...@linux.vnet.ibm.com): > +/* > + * xattr_list_userns_rewrite - Rewrite list of xattr names for user > namespaces > + * or determine needed size for attribute list > + * in case size == 0 > + * > + * I

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-11 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > On 07/11/2017 01:12 PM, Serge E. Hallyn wrote: > >>diff --git a/fs/xattr.c b/fs/xattr.c > >>index 464c94b..eacad9e 100644 > >>--- a/fs/xattr.c > >>+++ b/fs/xattr.c > >>@@ -133,20 +133,440 @@ xattr_permission(struct inode *inode, const char > >>

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-11 Thread Stefan Berger
On 07/11/2017 01:12 PM, Serge E. Hallyn wrote: Quoting Stefan Berger (Stefan bergerstef...@linux.vnet.ibm.com): er.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 19839 Lines: 700 X-UID: 24770 Status: RO From: Stefan Berger This patch enables security.capability in us

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-11 Thread Serge E. Hallyn
Quoting Stefan Berger (Stefan bergerstef...@linux.vnet.ibm.com): > er.kernel.org> > X-Mailing-List: linux-kernel@vger.kernel.org > Content-Length: 19839 > Lines: 700 > X-UID: 24770 > Status: RO > > From: Stefan Berger > > This patch enables securi

[PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-11 Thread Stefan Berger
From: Stefan Berger This patch enables security.capability in user namespaces but also takes a more general approach to enabling extended attributes in user namespaces. The following rules describe the approach using security.foo as a 'user namespace enabled' extended attribute: Reading of exte