On Fri, Nov 21, 2014 at 10:14 AM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > - Tweak the file capability code to look at s_user_ns and treat it > properly. > > - Tweak the security checks to allow setting file capabilities and > other security xattrs if we have the appropriate capabilities in > s_user_ns. > Thinking about this some more, what do you mean by tweaking the file capability code to look at s_user_ns and treat it properly? I think that the semantics should be that cap_inode_setxattr should check ns_capable wrt s_user_ns, but that the fscap *consumer* should check the mount as in my may_suid patch (and maybe also check s_user_ns). There is legacy code that starts a FUSE server as global root, mounts the thing in a mount namespace belonging to an unprivileged user ns, and (I think) hands the /dev/fuse fd to that unprivileged code. Without the mount ns check, that FUSE server can take over the system. With the mount ns check, it's safe. --Andy > > When those bits are done we can tweak the fuse patches to also set > s_user_ns. > > As for MNT_NO_SUID if fuse wants to enforce that in some way. I don't > particularly care, but I don't think that makes sense as a vfs property. > > Eric -- Andy Lutomirski AMA Capital Management, LLC -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
