Re: [PATCH 1/1] simplified security.nscapability xattr

From: Jann Horn
Date: Sat May 07 2016 - 19:09:49 EST

On Tue, May 03, 2016 at 12:54:40AM -0500, Eric W. Biederman wrote:
> "Serge E. Hallyn" <serge@xxxxxxxxxx> writes:
> > Quoting Andrew G. Morgan (morgan@xxxxxxxxxx):
> >>
> >> I guess I'm confused how we have strayed so far that this isn't an obvious
> >> requirement. Uid=0 as being the root of privilege was the basic problem
> >> that capabilities were designed to change.
> >
> > The task executing the file can be any uid mapped into the namespace. The
> > file only has to be owned by the root of the user_ns. Which I agree is
> > unfortunate. We can work around it by putting the root uid into the xattr
> > itself (which still isn't orthogonal but allows the file to at least by
> > owned by non-root), but the problem then is that a task needs to know its
> > global root k_uid just to write the xattr.
> The root kuid is just make_kuids(user_ns, 0) so it is easy to find.
> It might be a hair better to use the userns->owner instead of the root
> uid. That would allow user namespaces without a mapped root to still
> use file capabilities.

Please don't do that. A user might want to create multiple containers with
isolated security properties, and in that case, it would be bad if binaries
that are capable in one container are also automatically valid in the user's
other containers.
Also, this would mean that in an owner!=root scenario, container root can't
setcap executables and needs to ask the administrator of the surrounding system
to do it.
(Of course, this could be worked around using a dummy userns layer between the
init ns and the container, but I don't like seeing new reasons for such a hack.)

Attachment: signature.asc
Description: Digital signature