Re: [PATCH v2] xattr: Enable security.capability in user namespaces

From: Stefan Berger
Date: Sat Jul 15 2017 - 17:28:09 EST

On 07/14/2017 07:41 PM, Eric W. Biederman wrote:
Stefan Berger <"Stefan Bergerstefanb"> writes:

From: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>

This patch enables security.capability in user namespaces but also
takes a more general approach to enabling extended attributes in user

The following rules describe the approach using as a
'user namespace enabled' extended attribute:

Reading of extended attributes:

1a) Reading from a user namespace will read<uid> of the parent user namespace instead with uid
being the mapping of root in that parent user namespace. An
exception is if root is mapped to uid 0 on the host, and in this case
we will read directly.
--> reading will read for uid
mapping of root to 1000.

1b) If<uid> is not available, the of the
parent namespace is tried to be read. This procedure is repeated up to
the init user namespace. This step only applies for reading of extended
attributes and provides the same behavior as older system where the
host's extended attributes applied to user namespaces.

2) All<uid> with valid uid mapping in the user namespace
can be read. The uid within the user namespace will be mapped to the
corresponding uid on the host and that uid will be used in the name of
the extended attribute.
-> reading will read for uid
mapping of root to 1000, size of at least 2.

All<uid> can be read (by root) on the host with values
of <uid> also being subject to checking for valid mappings.

3) No other* can be read.

The same rules for reading apply to writing and removing of user
namespace enabled extended attributes.

When listing extended attributes of a file, only those are presented
to the user namespace that have a valid mapping. Besides that, names
of the extended attributes are adjusted to represent the mapping.
This means that if root is mapped to uid 1000 on the host, the will be listed as in the user
namespace, becomes and so on.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Serge Hallyn <serge@xxxxxxxxxx>
Reviewed-by: Serge Hallyn <serge@xxxxxxxxxx>
fs/xattr.c | 509 +++++++++++++++++++++++++++++++++++++++++++++--
security/commoncap.c | 36 +++-
security/selinux/hooks.c | 9 +-
3 files changed, 523 insertions(+), 31 deletions(-)
I am just going to quickly and publicly point out that as designed this
patch breaks evm inode metadata signing. As evm_config_xattrnames is not

While not completely insurmountable that seems like a strong limitation of
this design.

EVM could be converted to get the list of xattrs and prefix-compare it against the evm_config_xattrnames to do what it does now.