[PATCH 06/19] Smack: Handle labels consistently in untrusted mounts

The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled differently in untrusted mounts. This is confusing and potentically problematic. Change this to handle them all the same way that SMACK64 is currently handled; that is, read the label from disk and check it at use time. For SMACK64

[PATCH v6 0/3] IMA policy read/write and new IMA keyrings;

Difference since v5 of the patches: - better description of patch #3; - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags; This patch-set consists of three separate patches that do the following: 1) Allows multiple writes to the IMA policy. This is considered useful to do in a

[PATCH 12/19] fs: Don't remove suid for CAP_FSETID in s_user_ns

Expand the check in should_remove_suid() to keep privileges for CAP_FSETID in s_user_ns rather than init_user_ns. Signed-off-by: Seth Forshee --- fs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/inode.c b/fs/inode.c index

[PATCH 10/19] fs: Update posix_acl support to handle user namespace mounts

ids in on-disk ACLs should be converted to s_user_ns instead of init_user_ns as is done now. This introduces the possibility for id mappings to fail, and when this happens syscalls will return EOVERFLOW. Signed-off-by: Seth Forshee --- fs/posix_acl.c

[PATCH 08/19] cred: Reject inodes with invalid ids in set_create_file_as()

Using INVALID_[UG]ID for the LSM file creation context doesn't make sense, so return an error if the inode passed to set_create_file_as() has an invalid id. Signed-off-by: Seth Forshee --- kernel/cred.c | 2 ++ 1 file changed, 2 insertions(+) diff --git

[PATCH 09/19] fs: Refuse uid/gid changes which don't map into s_user_ns

Add checks to inode_change_ok to verify that uid and gid changes will map into the superblock's user namespace. If they do not fail with -EOVERFLOW. This cannot be overriden with ATTR_FORCE. Signed-off-by: Seth Forshee --- fs/attr.c | 11 +++ 1 file changed,

[PATCH 13/19] fs: Allow superblock owner to access do_remount_sb()

Superblock level remounts are currently restricted to global CAP_SYS_ADMIN, as is the path for changing the root mount to read only on umount. Loosen both of these permission checks to also allow CAP_SYS_ADMIN in any namespace which is privileged towards the userns which originally mounted the

[PATCH 17/19] fuse: Support fuse filesystems outside of init_user_ns

Update fuse to translate uids and gids to/from the user namspace of the process servicing requests on /dev/fuse. Any ids which do not map into the namespace will result in errors. inodes will also be marked bad when unmappable ids are received from the userspace fuse process. Currently no use

[PATCH 18/19] fuse: Restrict allow_other to the superblock's namespace or a descendant

Unprivileged users are normally restricted from mounting with the allow_other option by system policy, but this could be bypassed for a mount done with user namespace root permissions. In such cases allow_other should not allow users outside the userns to access the mount as doing so would give

[PATCH 04/19] selinux: Add support for unprivileged mounts from user namespaces

Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file

[PATCH v6 1/3] IMA policy can now be updated multiple times.

The new rules get appended to the original policy, forming a queue. The new rules are first added to a temporary list, which on error get released without disturbing the normal IMA operations. On success both lists (the current policy and the new rules) are spliced. IMA policy reads are many

[PATCH v6 3/3] Allows reading back the current IMA policy.

It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by: Zbigniew Jasinski Signed-off-by: Petko Manolov

[PATCH 01/19] block_dev: Support checking inode permissions in lookup_bdev()

When looking up a block device by path no permission check is done to verify that the user has access to the block device inode at the specified path. In some cases it may be necessary to check permissions towards the inode, such as allowing unprivileged users to mount block devices in user

[PATCH 02/19] block_dev: Check permissions towards block device inode when mounting

Unprivileged users should not be able to mount block devices when they lack sufficient privileges towards the block device inode. Update blkdev_get_by_path() to validate that the user has the required access to the inode at the specified path. The check will be skipped for CAP_SYS_ADMIN, so

[PATCH 05/19] userns: Replace in_userns with current_in_userns

All current callers of in_userns pass current_user_ns as the first argument. Simplify by replacing in_userns with current_in_userns which checks whether current_user_ns is in the namespace supplied as an argument. Signed-off-by: Seth Forshee Acked-by: James Morris

[PATCH 11/19] fs: Ensure the mounter of a filesystem is privileged towards its inodes

The mounter of a filesystem should be privileged towards the inodes of that filesystem. Extend the checks in inode_owner_or_capable() and capable_wrt_inode_uidgid() to permit access by users priviliged in the user namespace of the inode's superblock. Signed-off-by: Seth Forshee

Re: [RFC] KEYS: Exposing {a,}symmetric key ops to userspace and other bits

On Sun, 2015-11-22 at 09:41 -0500, Mimi Zohar wrote: > On Fri, 2015-11-20 at 11:07 +, David Howells wrote: > > > > (*) Add Mimi's patches to allow keys/keyrings to be marked undeletable. > > This > > is for the purpose of creating blacklists and to prevent people from > >

Re: [PATCH v6 0/3] IMA policy read/write and new IMA keyrings;

On Wed, 2015-12-02 at 17:47 +0200, Petko Manolov wrote: > Difference since v5 of the patches: > > - better description of patch #3; > - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags; > > This patch-set consists of three separate patches that do the following: > > 1) Allows