Re: [PATCH v4 17/21] capabilities: Allow privileged user in s_user_ns to set security.* xattrs
From: James Morris
Date: Wed Apr 27 2016 - 03:22:55 EST
On Tue, 26 Apr 2016, Seth Forshee wrote:
> A privileged user in s_user_ns will generally have the ability to
> manipulate the backing store and insert security.* xattrs into
> the filesystem directly. Therefore the kernel must be prepared to
> handle these xattrs from unprivileged mounts, and it makes little
> sense for commoncap to prevent writing these xattrs to the
> filesystem. The capability and LSM code have already been updated
> to appropriately handle xattrs from unprivileged mounts, so it
> is safe to loosen this restriction on setting xattrs.
>
> The exception to this logic is that writing xattrs to a mounted
> filesystem may also cause the LSM inode_post_setxattr or
> inode_setsecurity callbacks to be invoked. SELinux will deny the
> xattr update by virtue of applying mountpoint labeling to
> unprivileged userns mounts, and Smack will deny the writes for
> any user without global CAP_MAC_ADMIN, so loosening the
> capability check in commoncap is safe in this respect as well.
>
> Signed-off-by: Seth Forshee <seth.forshee@xxxxxxxxxxxxx>
> Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
Acked-by: James Morris <james.l.morris@xxxxxxxxxx>
--
James Morris
<jmorris@xxxxxxxxx>