[PATCH 04/19] selinux: Add support for unprivileged mounts from user namespaces

2015-12-02 Thread Seth Forshee
Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file obj

[PATCH 15/19] capabilities: Allow privileged user in s_user_ns to set file caps

2015-12-02 Thread Seth Forshee
A privileged user in a super block's s_user_ns is privileged towards that file system and thus should be allowed to set file capabilities. The file capabilities will not be trusted outside of s_user_ns, so an unprivileged user cannot use this to gain privileges in a user namespace where they are no

[PATCH 19/19] fuse: Allow user namespace mounts

2015-12-02 Thread Seth Forshee
Signed-off-by: Seth Forshee --- fs/fuse/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index ea61a7639a8e..ffce4354563e 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -1233,7 +1233,7 @@ static void fuse_kill_sb_anon(struct

[PATCH 18/19] fuse: Restrict allow_other to the superblock's namespace or a descendant

2015-12-02 Thread Seth Forshee
Unprivileged users are normally restricted from mounting with the allow_other option by system policy, but this could be bypassed for a mount done with user namespace root permissions. In such cases allow_other should not allow users outside the userns to access the mount as doing so would give the

[PATCH 16/19] fuse: Add support for pid namespaces

2015-12-02 Thread Seth Forshee
If the userspace process servicing fuse requests is running in a pid namespace then pids passed via the fuse fd need to be translated relative to that namespace. Capture the pid namespace in use when the filesystem is mounted and use this for pid translation. Since no use case currently exists for

[PATCH 17/19] fuse: Support fuse filesystems outside of init_user_ns

2015-12-02 Thread Seth Forshee
Update fuse to translate uids and gids to/from the user namspace of the process servicing requests on /dev/fuse. Any ids which do not map into the namespace will result in errors. inodes will also be marked bad when unmappable ids are received from the userspace fuse process. Currently no use case

[PATCH 11/19] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2015-12-02 Thread Seth Forshee
The mounter of a filesystem should be privileged towards the inodes of that filesystem. Extend the checks in inode_owner_or_capable() and capable_wrt_inode_uidgid() to permit access by users priviliged in the user namespace of the inode's superblock. Signed-off-by: Seth Forshee --- fs/inode.c

[PATCH 14/19] fs: Permit FIBMAP for users with CAP_SYS_RAWIO in s_user_ns

2015-12-02 Thread Seth Forshee
Signed-off-by: Seth Forshee --- fs/ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ioctl.c b/fs/ioctl.c index 5d01d2638ca5..45c371bed7ee 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -55,7 +55,7 @@ static int ioctl_fibmap(struct file *filp, int __user *p) /* d

[PATCH 08/19] cred: Reject inodes with invalid ids in set_create_file_as()

2015-12-02 Thread Seth Forshee
Using INVALID_[UG]ID for the LSM file creation context doesn't make sense, so return an error if the inode passed to set_create_file_as() has an invalid id. Signed-off-by: Seth Forshee --- kernel/cred.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/cred.c b/kernel/cred.c index 711

[PATCH 09/19] fs: Refuse uid/gid changes which don't map into s_user_ns

2015-12-02 Thread Seth Forshee
Add checks to inode_change_ok to verify that uid and gid changes will map into the superblock's user namespace. If they do not fail with -EOVERFLOW. This cannot be overriden with ATTR_FORCE. Signed-off-by: Seth Forshee --- fs/attr.c | 11 +++ 1 file changed, 11 insertions(+) diff --git

[PATCH 12/19] fs: Don't remove suid for CAP_FSETID in s_user_ns

2015-12-02 Thread Seth Forshee
Expand the check in should_remove_suid() to keep privileges for CAP_FSETID in s_user_ns rather than init_user_ns. Signed-off-by: Seth Forshee --- fs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/inode.c b/fs/inode.c index 01c036fe1950..3e7c74da9304 100644 --- a

[PATCH 10/19] fs: Update posix_acl support to handle user namespace mounts

2015-12-02 Thread Seth Forshee
ids in on-disk ACLs should be converted to s_user_ns instead of init_user_ns as is done now. This introduces the possibility for id mappings to fail, and when this happens syscalls will return EOVERFLOW. Signed-off-by: Seth Forshee --- fs/posix_acl.c | 67 +++

[PATCH 13/19] fs: Allow superblock owner to access do_remount_sb()

2015-12-02 Thread Seth Forshee
Superblock level remounts are currently restricted to global CAP_SYS_ADMIN, as is the path for changing the root mount to read only on umount. Loosen both of these permission checks to also allow CAP_SYS_ADMIN in any namespace which is privileged towards the userns which originally mounted the file

[PATCH v6 0/3] IMA policy read/write and new IMA keyrings;

2015-12-02 Thread Petko Manolov
Difference since v5 of the patches: - better description of patch #3; - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags; This patch-set consists of three separate patches that do the following: 1) Allows multiple writes to the IMA policy. This is considered useful to do in a lon

[PATCH 06/19] Smack: Handle labels consistently in untrusted mounts

2015-12-02 Thread Seth Forshee
The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled differently in untrusted mounts. This is confusing and potentically problematic. Change this to handle them all the same way that SMACK64 is currently handled; that is, read the label from disk and check it at use time. For SMACK64 an

[PATCH 00/19] Support fuse mounts in user namespaces

2015-12-02 Thread Seth Forshee
These patches implement support for mounting filesystems in user namespaces using fuse. I've sent the full set of patches this time because I feel that previous discussions could have benefited from more context. I've also dropped any patches from my previous postings not specifically required for

[PATCH 03/19] fs: Treat foreign mounts as nosuid

2015-12-02 Thread Seth Forshee
From: Andy Lutomirski If a process gets access to a mount from a different user namespace, that process should not be able to take advantage of setuid files or selinux entrypoints from that filesystem. Prevent this by treating mounts from other mount namespaces and those not owned by current_use

[PATCH v6 2/3] Create IMA machine owner and blacklist keyrings;

2015-12-02 Thread Petko Manolov
This option creates IMA MOK and blacklist keyrings. IMA MOK is an intermediate keyring that sits between .system and .ima keyrings, effectively forming a simple CA hierarchy. To successfully import a key into .ima_mok it must be signed by a key which CA is in .system keyring. On turn any key that

[PATCH v6 1/3] IMA policy can now be updated multiple times.

2015-12-02 Thread Petko Manolov
The new rules get appended to the original policy, forming a queue. The new rules are first added to a temporary list, which on error get released without disturbing the normal IMA operations. On success both lists (the current policy and the new rules) are spliced. IMA policy reads are many orde

[PATCH v6 3/3] Allows reading back the current IMA policy.

2015-12-02 Thread Petko Manolov
It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by: Zbigniew Jasinski Signed-off-by: Petko Manolov --- security/integrity/ima/Kconfig

[PATCH 01/19] block_dev: Support checking inode permissions in lookup_bdev()

2015-12-02 Thread Seth Forshee
When looking up a block device by path no permission check is done to verify that the user has access to the block device inode at the specified path. In some cases it may be necessary to check permissions towards the inode, such as allowing unprivileged users to mount block devices in user namespa

[PATCH 02/19] block_dev: Check permissions towards block device inode when mounting

2015-12-02 Thread Seth Forshee
Unprivileged users should not be able to mount block devices when they lack sufficient privileges towards the block device inode. Update blkdev_get_by_path() to validate that the user has the required access to the inode at the specified path. The check will be skipped for CAP_SYS_ADMIN, so privile

[PATCH 07/19] fs: Check for invalid i_uid in may_follow_link()

2015-12-02 Thread Seth Forshee
Filesystem uids which don't map into a user namespace may result in inode->i_uid being INVALID_UID. A symlink and its parent could have different owners in the filesystem can both get mapped to INVALID_UID, which may result in following a symlink when this would not have otherwise been permitted wh

[PATCH 05/19] userns: Replace in_userns with current_in_userns

2015-12-02 Thread Seth Forshee
All current callers of in_userns pass current_user_ns as the first argument. Simplify by replacing in_userns with current_in_userns which checks whether current_user_ns is in the namespace supplied as an argument. Signed-off-by: Seth Forshee Acked-by: James Morris --- fs/namespace.c

Re: [PATCH v6 0/3] IMA policy read/write and new IMA keyrings;

2015-12-02 Thread Mimi Zohar
On Wed, 2015-12-02 at 17:47 +0200, Petko Manolov wrote: > Difference since v5 of the patches: > > - better description of patch #3; > - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags; > > This patch-set consists of three separate patches that do the following: > > 1) Allows mult

Re: [RFC] KEYS: Exposing {a,}symmetric key ops to userspace and other bits

2015-12-02 Thread Mimi Zohar
On Sun, 2015-11-22 at 09:41 -0500, Mimi Zohar wrote: > On Fri, 2015-11-20 at 11:07 +, David Howells wrote: > > > > (*) Add Mimi's patches to allow keys/keyrings to be marked undeletable. > > This > > is for the purpose of creating blacklists and to prevent people from > > removing