Home » Mailing lists » Devel » userns: targeted capabilities v5
| Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace [message #41864 is a reply to message #41860] |
Wed, 23 February 2011 21:21   |
ebiederm
Messages: 1354
Registered: February 2006
|
Senior Member |
|
|
David Howells <dhowells@redhat.com> writes:
> Serge E. Hallyn <serge@hallyn.com> wrote:
>
>> struct uts_namespace {
>> struct kref kref;
>> struct new_utsname name;
>> + struct user_namespace *user_ns;
>> };
>
> If a uts_namespace belongs to a user_namespace, should CLONE_NEWUSER then
> imply CLONE_NEWUTS?
>
> Or is uts_namespace::user_ns more an implication that the set of users in
> user_namespace are the only ones authorised to alter the uts data.
The later.
> I presume that the uts_namespace of a process must be owned by one of the
> user_namespaces in the alternating inheritance chain of namespaces and their
> creators leading from current_user_ns() to init_user_ns.
>
> With that in mind, looking at patch 3:
>
> - if (!capable(CAP_SYS_ADMIN))
> + if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
>
> what is it you're actually asking? I presume it's 'does this user have
> CAP_SYS_ADMIN capability over objects belonging to the uts_namespace's
> user_namespace?'
Yes.
> So, to look at the important bit of patch 2:
>
> -int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap,
> - int audit)
> +int cap_capable(struct task_struct *tsk, const struct cred *cred,
> + struct user_namespace *targ_ns, int cap, int audit)
> {
> - return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
> + for (;;) {
> + /* The creator of the user namespace has all caps. */
> + if (targ_ns != &init_user_ns && targ_ns->creator == cred->user)
> + return 0;
> +
> + /* Do we have the necessary capabilities? */
> + if (targ_ns == cred->user->user_ns)
> + return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
> +
> + /* Have we tried all of the parent namespaces? */
> + if (targ_ns == &init_user_ns)
> + return -EPERM;
> +
> + /* If you have the capability in a parent user ns you have it
> + * in the over all children user namespaces as well, so see
> + * if this process has the capability in the parent user
> + * namespace.
> + */
> + targ_ns = targ_ns->creator->user_ns;
> + }
> +
> + /* We never get here */
> + return -EPERM;
> }
>
> On entry, as we're called from ns_capable(), cred->user is the user that the
> current process is running as, and, as such, may be in a separate namespace
> from uts_namespace - which may itself be in a separate namespace from
> init_user_ns.
>
> So, assume for the sake of argument that there are three user_namespaces along
> the chain from the calling process to the root, and that the uts_namespace
> belongs to the middle one.
So we have the nested stack of:
user_ns3->creator->user_ns == user_ns2
user_ns2->creator->user_ns == &init_user_ns
uts_ns2->user_ns == user_ns2
>
> if (targ_ns != &init_user_ns && targ_ns->creator == cred->user)
> return 0;
>
> Can never match because targ_ns->creator cannot be cred->user; even if the
> uts_namespace belongs to our namespace, given that the creator lies outside
> our namespace.
Initially we come in with targ_ns == user_ns2 and cred->user->user_ns in
one of (user_ns3, user_ns2, or &init_user_ns).
targ_ns takes on values user_ns2 and &init_user_ns.
So when targ_ns becomes &init_user_ns. If the user in question is
uts_ns2->user_ns->creator. This check will indeed match.
> if (targ_ns == cred->user->user_ns)
> return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
>
> Can only match if we are in the target user_namespace (ie. the one to which
> uts_namespace belongs), whether or not we have CAP_SYS_ADMIN.
As before targ_ns takes on values of user_ns2 and &init_user_ns.
Which means this check will match if we have CAP_SYS_ADMIN in
&init_user_ns or in user_ns2.
> Which means that unless the uts_namespace belongs to our user_namespace, we
> cannot change it. Is that correct?
No. If you are root in a parent namespace you can also change it.
> So ns_capable() restricts you to only doing interesting things to objects that
> belong to a user_namespace if they are in your own user_namespace. Is that
> correct?
No. Root outside your user namespace is also allowed to do interesting
things.
> If that is so, is the loop required for ns_capable()?
Yes.
> Looking further at patch 2:
>
> #define nsown_capable(cap) (ns_capable(current_user_ns(), (cap)))
>
> Given what I've said above, I presume the loop isn't necessary here either.
>
>
> I think you're using ns_capable() in two different ways:
>
> (1) You're using it to see if a process has power over its descendents in a
> user_namespace that can be traced back to a clone() that it did with
> CLONE_NEWUSER.
>
> For example, automatically granting a process permission to kill
> descendents in a namespace it created.
>
> (2) You're using it to see if a process can access objects that might be
> outside its own user_namespace.
>
> For example, setting the hostname.
>
> Is it worth giving two different interfaces to make this clearer (even if they
> actually do the same thing)?
>
>
> Sorry if this seems rambly, but I'm trying to get my head round your
> code.
I am all for making that loop a little clearer, because it is something
you have to pause and think about to understand but so far I don't think
the loop is wrong, and it is simple.
Eric
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containe rs
|
|
|
|
 |
|
userns: targeted capabilities v5
By: serge on Thu, 17 February 2011 15:02 |
|
|
[PATCH 2/9] security: Make capabilities relative to the user namespace.
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: ebiederm on Fri, 18 February 2011 03:46 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: serge on Wed, 23 February 2011 13:43 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
[PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: serge on Thu, 17 February 2011 15:04 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: ebiederm on Fri, 18 February 2011 01:29 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: serge on Thu, 24 February 2011 03:24 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: akpm on Thu, 24 February 2011 05:08 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
|
|
|
[PATCH 7/9] add a user namespace owner of ipc ns
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
By: ebiederm on Fri, 18 February 2011 03:19 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
|
|
|
[PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: serge on Thu, 17 February 2011 15:02 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Fri, 18 February 2011 03:31 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Wed, 23 February 2011 21:21 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Wed, 23 February 2011 23:54 |
|
|
[PATCH 3/9] allow sethostname in a container
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 3/9] allow sethostname in a container
By: ebiederm on Fri, 18 February 2011 03:05 |
|
|
Re: [PATCH 3/9] allow sethostname in a container
|
|
|
[PATCH 4/9] allow killing tasks in your own or child userns
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: ebiederm on Fri, 18 February 2011 03:00 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: serge on Thu, 24 February 2011 00:48 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: akpm on Thu, 24 February 2011 00:54 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
|
|
|
[PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: ebiederm on Fri, 18 February 2011 01:57 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: akpm on Sat, 19 February 2011 00:01 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
|
|
|
[PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: ebiederm on Fri, 18 February 2011 02:59 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Fri, 18 February 2011 04:36 |
|
|
[PATCH] userns: ptrace: incorporate feedback from Eric
By: serge on Thu, 24 February 2011 00:49 |
|
|
Re: [PATCH] userns: ptrace: incorporate feedback from Eric
By: akpm on Thu, 24 February 2011 00:56 |
|
|
Re: [PATCH] userns: ptrace: incorporate feedback from Eric
By: serge on Thu, 24 February 2011 03:15 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Thu, 24 February 2011 00:43 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
[PATCH 8/9] user namespaces: convert several capable() calls
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 8/9] user namespaces: convert several capable() calls
By: ebiederm on Fri, 18 February 2011 01:51 |
|
|
Re: [PATCH 8/9] user namespaces: convert several capable() calls
|
|
|
Re: userns: targeted capabilities v5
By: akpm on Fri, 18 February 2011 00:21 |
|
|
Re: userns: targeted capabilities v5
By: ebiederm on Fri, 18 February 2011 03:53 |
|
|
Re: userns: targeted capabilities v5
By: serge on Fri, 18 February 2011 04:28 |
|
|
User namespaces and keys
|
|
|
Re: User namespaces and keys
By: serge on Wed, 23 February 2011 13:58 |
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 14:46 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 15:45 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 20:55 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Thu, 24 February 2011 06:56 |
Goto Forum:
Current Time: Tue Oct 07 08:36:34 GMT 2025
Total time taken to generate the page: 0.18754 seconds
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
