Re: [PATCH 05/10] user namespace: clamp down users of cap_raised

From: Serge E. Hallyn
Date: Mon Oct 24 2011 - 23:10:22 EST

Next message: Ingo Molnar: "Re: [GIT PULL 0/4] perf/core fixes and improvements"
Previous message: Ike Panhc: "Re: [PATCH] acer-wmi: blacklist Thinkpad edge E520"
In reply to: Andrew G. Morgan: "Re: [PATCH 05/10] user namespace: clamp down users of cap_raised"
Next in thread: Eric Paris: "Re: [PATCH 05/10] user namespace: clamp down users of cap_raised"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Andrew G. Morgan (morgan@xxxxxxxxxx):
> On Mon, Oct 24, 2011 at 10:28 AM, Serge E. Hallyn
> <serge.hallyn@xxxxxxxxxxxxx> wrote:
> > Quoting Andrew G. Morgan (morgan@xxxxxxxxxx):
> >> Serge,
> >>
> >> It seems as if this whole thing is really idiomatic. How about?
> >>
> >> #define IN_ROOT_USER_NS_CAPABLE(cap) \
> >> ((current_user_ns() == &init_user_ns) && cap_raised(current_cap(), cap))
> >
> > My objection to this was that it seems to encourage others to use it :) I'm
> > not sure we want that. Also, IN_ROOT_USER_NS seems more generally useful.
>
> What is driving the choice of when its appropriate? How can a

I'd like to say it's never appropriate. The reason is that it bypasses
the whole security_ops->capable() sequence, so for instance SELinux is
kept in the dark.

> developer determine this? If you make it hard, presumably folk won't
> do it by default, but will that create a burdon on others to go round
> patching things like this up?
>
> > But if I'm the only one who feels this way I'll go ahead and do it...
>
> I'm more of a optimize for a human to read the source code (ie. debug
> a problem) kind of person. If IN_ROOT_USER_NS is useful, you could
> always define IN_ROOT_USER_NS_CAPABLE in terms of IN_ROOT_USER_NS &&

My other objection is that, in contrast to IN_ROOT_USER_NS(), which is
very clear, IN_ROOT_USER_NS_CAPABLE() is not as helpful. I'm sure a
better name is out there somewhere, though.

> ... and provide both.
>
> I guess I'm unclear, however, when you want developers to use one or
> the other variant of the basic capable() functionality. Since I'm not
> clear, I'm suspecting this is a fragile situation.

I think only security code (LSMs) should be using cap_raised directly.
Everything else should go through the capable()/has_capability() family
of functions. Which, incidentally, have been (or are about to be) made
less of a mess and thus less fragile by Eric Paris' patchset starting at
http://www.spinics.net/linux/fedora/linux-security-module/msg11896.html

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [GIT PULL 0/4] perf/core fixes and improvements"
Previous message: Ike Panhc: "Re: [PATCH] acer-wmi: blacklist Thinkpad edge E520"
In reply to: Andrew G. Morgan: "Re: [PATCH 05/10] user namespace: clamp down users of cap_raised"
Next in thread: Eric Paris: "Re: [PATCH 05/10] user namespace: clamp down users of cap_raised"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]