Menu
▾
▴
Re: [Linux-ima-user] [PATCH 0/1] EVM/IMA xattr hardening and unprivileged user ns mounts
|
From: Mimi Z. <zo...@li...> - 2016-09-06 21:29:10
|
On Tue, 2016-09-06 at 15:52 -0500, Seth Forshee wrote: > On Tue, Sep 06, 2016 at 04:00:32PM -0400, Mimi Zohar wrote: > > On Thu, 2016-09-01 at 08:22 -0500, Seth Forshee wrote: > > > > > I've been reading back through all of this, and I'm not sure any > > > conclusion was reached. > > > > > For my part, I'm uneasy about writing out hmacs to mounts from a > > > non-root user. So I'll make a proposal - let's not read or write EVM or > > > IMA xattrs for filesystems from non-init user namespace, essentially > > > behaving as though they don't support xattrs. Something like the > > > (untested) patch below. > > > > This really doesn't sound like the right long term solution. > > I'm not proposing this for a long term solution. I just haven't seen > that anyone has a real use case in mind yet for using the integrity > subsystem with these mounts and that it might be better to wait and > decide exactly how it should behave until someone does. In the mean time > I'm just trying to ensure there won't be vulnerabilities to exploit. The main use case will be installing/updating packages within a container and writing the corresponding file signatures. Unfortunately, we're not there yet. > > The kernel, as well as root in the namespace, should write the EVM and > > IMA security xattrs, as long as their usage is limited to the uid/gid > > associated with that user_ns namespace. > > But keep in mind that the uid mapping doesn't get written out to disk. > If I create a file owned by uid 0 in my namespace (let's say that maps > to uid 1000 in init_user_ns) then uid 0 is what will be written to the > inode on disk. oh! > Based on my understanding of what you said previously, this means that I > could create a file in my filesystem as root in my user ns and write out > a security.capability xattr, and the kernel would then write out an EVM > xattr with a valid signature. If I can then manage to get that file > mounted in init_user_ns the kernel will be owned by real root and the > kernel will see a valid signature for the capability xattr. I see. > Granted, this scenario is problematic even without EVM, but it seems > like specifically the kind of thing someone might use EVM to protect > against. Agreed. Mimi |
