Re: [PATCH 0/2] Add further ioctl() operations for namespace discovery
From: Michael Kerrisk (man-pages) <hidden>
Date: 2016-12-21 09:53:06
Also in:
linux-fsdevel, lkml
Hi Eric, On 12/21/2016 01:17 AM, Eric W. Biederman wrote:
"Michael Kerrisk (man-pages)" [off-list ref] writes:quoted
Hi Eric, On 12/20/2016 09:22 PM, Eric W. Biederman wrote:quoted
"Michael Kerrisk (man-pages)" [off-list ref] writes:quoted
Hello Eric, On 12/19/2016 11:53 PM, Eric W. Biederman wrote:quoted
"Michael Kerrisk (man-pages)" [off-list ref] writes:quoted
Eric,
[...]
quoted
quoted
quoted
3. NS_GET_NSTYPE and NS_GET_CREATOR_UID solve my problem, but obviously your idea would make life simpler for user space. Am I correct to understand that you mean an API that takes three pieces of info: a PID, a capability, and an fd referring to a /proc/PID/ns/xxx, and tells us whether PID has the specified capability for operations in the specified namespace?Something like that. But yes something we can wire up to ns_capable_noaudit and be told the result.Yes, that was my line of thinking also. It seems to me that to prevent information leaks, we also should check that the caller has some suitable capability in the target namespace, right? (I presume a ptrace_may_access() check.)Well over the target process but yes.quoted
quoted
That will let the LSMs and any future kerel changes have their say, without any extra maintenance burden in the kernel.Yes.quoted
What I really don't want is for userspace to start depending on the current formula being the only factors that say if it has a capabliltiy in a certain situation because in practice that just isn't true. Permission checks just keep evoloving in the kernel.This was the bit I hadn't really considered when I first started down this path, but I started to see the light a bit already today, but didn't have it so crisply in my mind as you just said it there. So, we have two ioctls already in 4.9, I proposed two more. And then we have this fifth operation. Should we have an nsctl(2)?I would rather move the other direction and have a system call.
Okay -- I'll give that a some thought.
quoted
In the meantime, here's something I hacked together. I know it needs work, but I just want to check whether it's the direction that you were meaning in terms of the checks. It's done as an ioctl() (structure hard coded in place while I play about, and some names and types should certainly be better). Leaving aside the messy bits, is the below roughly the kind of checking you expect to be embodied in this operation?Yes. It probably nees u32 instead of long, or eles we need to have a compat version for 32bit OS's.
Yes.
Now the question becomes who are the users of this? Because it just occurred to me that we now have an interesting complication. Userspace extending the meaning of the capability bits, and using to protect additional things. Ugh. That could be a maintenance problem of another flavor. Definitely not my favorite.
I don't follow you here. Could you say some more about what you mean?
The access system is limited to asking about yourself, and to asking very specific questions. If our new operation did something similar and only allowed asking about yourself, and a capablity I would find it less scary,
Okay. But that's a less interesting operation from my point of view. I mean: one way of knowing if we have permission to do an operation is to try to do it.
and I am wondering if it would be possible to ask not about a capability but an operation that the capability guards such as chroot. Implementing target operations instead of target capabilities would be a bit trickier to implement (as it requires factoring out the permission checks) but it may be much more useful in the long run.
But, would this not mean factoring out the permission checks on a per operation basis? (There are of courses hundreds of such checks.)
So why are we asking the questions about what permissions a process has?
My main interest here is monitoring/discovery/debugging on a running system. NS_GET_PARENT, NS_GET_USERNS, NS_GET_CREATOR_UID, and NS_GET_NSTYPE provide most of what I'd like to see. Being able to ask "does this process have permissions in that namespace?" would be nice to have in terms of understanding/debugging a system. Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/