I suggest default settings meet this test: A Fedora VM booted directly via virtiofs (with virtiofs as root) running with SELinux enabled, with xattr 'on' and the host fs xattr capable like btrfs (Fedora default) -- does not generate SELinux denials or 'attribute not settable' complaints. In other words -- 'it just works'. At least in the default Fedora at this time that is not the case.
HC

On 11/11/20 7:54 AM, Miklos Szeredi wrote:
> On Fri, Nov 6, 2020 at 6:18 PM Vivek Goyal <[email protected]> wrote:
>
>> I think it does not hurt to start passing FATTR_KILL_PRIV for chown()
>> as well. In that case, server will always clear caps on chown but
>> clear suid/sgid only if FATTR_KILL_PRIV is set. (Which will always
>> be set).
> Okay.
>
> More thoughts for FUSE_HANDLE_KILLPRIV_V2:
>
> - clear "security.capability" on write, truncate and chown unconditionally
> - clear suid/sgid if
>   o setattr has FATTR_SIZE and FATTR_KILL_PRIV
>   o setattr has FATTR_UID or FATTR_GID
>   o open has O_TRUNC and FUSE_OPEN_KILL_PRIV
>   o write has FUSE_WRITE_KILL_PRIV
>
> Kernel has:
> ATTR_KILL_PRIV -> clear "security.capability"
> ATTR_KILL_SUID -> clear S_ISUID
> ATTR_KILL_SGID -> clear S_ISGID if executable
>
> Fuse has:
> FUSE_*KILL_PRIV -> clear S_ISUID and S_ISGID if executable
>
> So the fuse meaning of FUSE_*KILL_PRIV has a complementary meaning to
> that of ATTR_KILL_PRIV, which is somewhat confusing. Also "PRIV"
> implies all privileges, including "security.capability" but the fuse
> ones relate to suid/sgid only.
>
> How about FUSE_*KILL_SUIDGID (FUSE_WRITE_KILL_SUIDGID being an alias
> for FUSE_WRITE_KILL_PRIV)?
>
> Thanks,
> Miklos
>
>> So anything is fine. We just need to document it well. I think I will
>> write it very clearly in qemu patch depending on what goes in kernel.
>>
>> Thanks
>> Vivek
>>
> _______________________________________________
> Virtio-fs mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/virtio-fs
