Thread (30 messages) 30 messages, 6 authors, 2021-07-01

Re: [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE

From: Vivek Goyal <vgoyal@redhat.com>
Date: 2021-06-29 15:20:14
Also in: linux-fsdevel, lkml, selinux

On Tue, Jun 29, 2021 at 07:38:15AM -0700, Casey Schaufler wrote:

[..]
quoted
quoted
quoted
quoted
User xattrs are less protected than security xattrs. You are exposing the
security xattrs on the guest to the possible whims of a malicious, unprivileged
actor on the host. All it needs is the right UID.
Yep, we realise that; but when you're mainly interested in making sure
the guest can't attack the host, that's less worrying.
That's uncomfortable.
Why exactly?
If a mechanism is designed with a known vulnerability you
fail your validation/evaluation efforts.
We are working with the constraint that shared directory should not be
accessible to unpriviliged users on host. And with that constraint, what
you are referring to is not a vulnerability.
Your mechanism is
less general because other potential use cases may not be
as cavalier about the vulnerability.
Prefixing xattrs with "user.virtiofsd" is just one of the options.
virtiofsd has the capability to prefix "trusted.virtiofsd" as well.
We have not chosen that because we don't want to give it CAP_SYS_ADMIN.

So other use cases which don't like prefixing "user.virtiofsd", can
give CAP_SYS_ADMIN and work with it.
I think that you can
approach this differently, get a solution that does everything
you want, and avoid the known problem.
What's the solution? Are you referring to using "trusted.*" instead? But
that has its own problem of giving CAP_SYS_ADMIN to virtiofsd.

Thanks
Vivek
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help