Linux-Security-Module Archive mirror
From: "Seth Forshee (DigitalOcean)" <sforshee@kernel.org>
To: Christian Brauner <brauner@kernel.org>,
	 Seth Forshee <sforshee@kernel.org>,
	Serge Hallyn <serge@hallyn.com>,
	 Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
	 James Morris <jmorris@namei.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	 Jan Kara <jack@suse.cz>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	 Ondrej Mosnacek <omosnace@redhat.com>,
	 Casey Schaufler <casey@schaufler-ca.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	 Roberto Sassu <roberto.sassu@huawei.com>,
	 Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	 Eric Snowberg <eric.snowberg@oracle.com>,
	 "Matthew Wilcox (Oracle)" <willy@infradead.org>,
	 Jonathan Corbet <corbet@lwn.net>,
	Miklos Szeredi <miklos@szeredi.hu>,
	 Amir Goldstein <amir73il@gmail.com>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	 linux-security-module@vger.kernel.org, audit@vger.kernel.org,
	 selinux@vger.kernel.org, linux-integrity@vger.kernel.org,
	 linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org
Subject: [PATCH v2 00/25] fs: use type-safe uid representation for filesystem capabilities
Date: Wed, 21 Feb 2024 15:24:31 -0600
Message-ID: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org>

This series converts filesystem capabilities from passing around raw
xattr data to using a kernel-internal representation with type safe
uids, similar to the conversion done previously for posix ACLs.
Currently fscaps representations in the kernel have two different
instances of unclear or confused types:

- fscaps are generally passed around in the raw xattr form, with the
  rootid sometimes containing the user uid value and at other times
  containing the filesystem value.
- The existing kernel-internal representation of fscaps,
  cpu_vfs_cap_data, uses the kuid_t type, but the value stored is
  actually a vfsuid.

This series eliminates this confusion by converting the xattr data to
the kernel representation near the userspace and filesystem boundaries,
using the kernel representation within the vfs and commoncap code. The
internal representation is renamed to vfs_caps to reflect this broader
use, and the rootid is changed to a vfsuid_t to correctly identify the
type of uid which it contains.

New vfs interfaces are added to allow for getting and setting fscaps
using the kernel representation. This requires the addition of new inode
operations to allow overlayfs to handle fscaps properly; all other
filesystems fall back to a generic implementation. The top-level vfs
xattr interfaces will now reject fscaps xattrs, though the lower-level
interfaces continue to accept them for reading and writing the raw xattr
data.

Based on previous feedback, new security hooks are added for fscaps
operations. These are really only needed for EVM, and the selinux and
smack implementations just perform the same operations that the
equivalent xattr hooks would have done. Note too that this has not yet
been updated based on the changes to make EVM into an LSM.

The remainder of the changes are preparatory work, addition of helpers
for converting between the xattr and kernel fscaps representation, and
various updates to use the kernel representation and new interfaces.

I have tested this code with xfstests, ltp, libcap2, and libcap-ng with
no regressions found.

To: Christian Brauner <brauner@kernel.org>
To: Serge Hallyn <serge@hallyn.com>
To: Paul Moore <paul@paul-moore.com>
To: Eric Paris <eparis@redhat.com>
To: James Morris <jmorris@namei.org>
To: Alexander Viro <viro@zeniv.linux.org.uk>
To: Miklos Szeredi <miklos@szeredi.hu>
To: Amir Goldstein <amir73il@gmail.com>
Cc:  <linux-kernel@vger.kernel.org>
Cc:  <linux-fsdevel@vger.kernel.org>
Cc:  <linux-security-module@vger.kernel.org>
Cc:  <audit@vger.kernel.org>
Cc:  <linux-unionfs@vger.kernel.org>
Signed-off-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>

--- Changes in v2:
- Documented new inode operations in
  Documentation/filesystems/{vfs,locking}.rst.
- Changed types for sizes in function arguments and return values to
  size_t/ssize_t.
- Renamed flags arguments to setxattr_flags for clarity.
- Removed memory allocation when reading fscaps xattrs.
- Updated get_vfs_caps_from_disk() to use vfs_get_fscaps() and updated
  comments to explain how these functions are different.
- Updates/fixes to kernel-doc comments.
- Remove unnecessary type cast.
- Rename __vfs_{get,remove}_fscaps() to vfs_{get,remove}_fscaps_nosec().
- Add missing fsnotify_xattr() call in vfs_set_fscaps().
- Add fscaps security hooks along with appropriate handlers in selinux,
  smack, and evm.
- Remove remove_fscaps inode op in favor of passing NULL to set_fscaps.
- Added static asserts for compatibility of vfs_cap_data and
  vfs_ns_cap_data.
- ovl: remove unnecessary check around ovl_copy_up(), and add check
  before copying up fscaps for removal that the fscaps actually exist on
  the lower inode.
- ovl: install fscaps handlers for all inode types
- Add is_fscaps_xattr() helper and use it in place of open-coded strcmps
- Link to v1: https://lore.kernel.org/r/20231129-idmap-fscap-refactor-v1-0-da5a26058a5b@kernel.org

---
Seth Forshee (DigitalOcean) (25):
      mnt_idmapping: split out core vfs[ug]id_t definitions into vfsid.h
      mnt_idmapping: include cred.h
      capability: add static asserts for compatibility of vfs_cap_data and vfs_ns_cap_data
      capability: rename cpu_vfs_cap_data to vfs_caps
      capability: use vfsuid_t for vfs_caps rootids
      capability: provide helpers for converting between xattrs and vfs_caps
      capability: provide a helper for converting vfs_caps to xattr for userspace
      xattr: add is_fscaps_xattr() helper
      commoncap: use is_fscaps_xattr()
      xattr: use is_fscaps_xattr()
      security: add hooks for set/get/remove of fscaps
      selinux: add hooks for fscaps operations
      smack: add hooks for fscaps operations
      evm: add support for fscaps security hooks
      security: call evm fscaps hooks from generic security hooks
      fs: add inode operations to get/set/remove fscaps
      fs: add vfs_get_fscaps()
      fs: add vfs_set_fscaps()
      fs: add vfs_remove_fscaps()
      ovl: add fscaps handlers
      ovl: use vfs_{get,set}_fscaps() for copy-up
      fs: use vfs interfaces for capabilities xattrs
      commoncap: remove cap_inode_getsecurity()
      commoncap: use vfs fscaps interfaces
      vfs: return -EOPNOTSUPP for fscaps from vfs_*xattr()

 Documentation/filesystems/locking.rst |   4 +
 Documentation/filesystems/vfs.rst     |  17 ++
 MAINTAINERS                           |   1 +
 fs/overlayfs/copy_up.c                |  72 ++---
 fs/overlayfs/dir.c                    |   2 +
 fs/overlayfs/inode.c                  |  72 +++++
 fs/overlayfs/overlayfs.h              |   5 +
 fs/xattr.c                            | 280 +++++++++++++++++-
 include/linux/capability.h            |  23 +-
 include/linux/evm.h                   |  39 +++
 include/linux/fs.h                    |  12 +
 include/linux/lsm_hook_defs.h         |   7 +
 include/linux/mnt_idmapping.h         |  67 +----
 include/linux/security.h              |  38 ++-
 include/linux/vfsid.h                 |  74 +++++
 include/linux/xattr.h                 |   5 +
 include/uapi/linux/capability.h       |  13 +
 kernel/auditsc.c                      |   9 +-
 security/commoncap.c                  | 529 ++++++++++++++++++----------------
 security/integrity/evm/evm_main.c     |  60 ++++
 security/security.c                   |  80 +++++
 security/selinux/hooks.c              |  26 ++
 security/smack/smack_lsm.c            |  71 +++++
 23 files changed, 1144 insertions(+), 362 deletions(-)
---
base-commit: 841c35169323cd833294798e58b9bf63fa4fa1de
change-id: 20230512-idmap-fscap-refactor-63b61fa0a36f

Best regards,
-- 
Seth Forshee (DigitalOcean) <sforshee@kernel.org>
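A user-space model of the split the cover letter describes, added here as an illustration and not code from the patch series or the kernel: the raw xattr blob carries an untyped rootid, while the kernel-side struct carries a vfsuid_t that cannot be confused with a kuid_t, and the only way to get a kuid out of it is through an idmapping. The struct layouts mirror the uapi vfs_cap_data/vfs_ns_cap_data byte order, while struct idmap, the sample blob and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define VFS_CAP_REVISION_MASK 0xFF000000u
#define VFS_CAP_REVISION_2    0x02000000u  /* 20-byte blob, rootid implicitly 0 */
#define VFS_CAP_REVISION_3    0x03000000u  /* 24-byte blob with explicit rootid */
/* Distinct wrapper structs: a vfsuid_t passed where a kuid_t is expected (or
 * the reverse) fails to compile, which is the guarantee the series relies on. */
typedef struct { uint32_t val; } kuid_t;
typedef struct { uint32_t val; } vfsuid_t;

struct vfs_caps {                 /* modelled on the series' vfs_caps, not its code */
	uint32_t magic_etc;
	uint64_t permitted, inheritable;
	vfsuid_t rootid;              /* filesystem-side uid; the type says which uid it is */
};
/* Constructed stand-in for a mount idmapping: vfsuids in [first_vfs, first_vfs + count)
 * map to kuids starting at first_k; anything outside that range is unmapped. */
struct idmap { uint32_t first_vfs, first_k, count; };

/* Constructed v3 blob: magic 0x03000001 (effective bit set), permitted bit 10
 * (CAP_NET_BIND_SERVICE), nothing inheritable, rootid 100000 (0x186a0). */
static const uint8_t sample_v3[24] = { 0x01, 0x00, 0x00, 0x03,  0x00, 0x04, 0, 0,  0, 0, 0, 0,
                                       0, 0, 0, 0,  0, 0, 0, 0,  0xa0, 0x86, 0x01, 0x00 };

static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a raw security.capability blob laid out like the uapi vfs_cap_data /
 * vfs_ns_cap_data (little-endian). Returns 0, or -1 for a bad size or revision. */
int vfs_caps_from_xattr(const uint8_t *buf, size_t len, struct vfs_caps *out)
{
	if (len < 20)
		return -1;
	out->magic_etc   = le32(buf);
	out->permitted   = (uint64_t)le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
	out->inheritable = (uint64_t)le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
	switch (out->magic_etc & VFS_CAP_REVISION_MASK) {
	case VFS_CAP_REVISION_2: out->rootid = (vfsuid_t){ 0 };              return len == 20 ? 0 : -1;
	case VFS_CAP_REVISION_3: out->rootid = (vfsuid_t){ le32(buf + 20) }; return len == 24 ? 0 : -1;
	default:                 return -1;
	}
}

/* The only sanctioned route from the fs-side rootid to a kuid is the idmapping.
 * Returns false when the rootid is unmapped, in which case the caps must be ignored. */
bool fscaps_rootid_to_kuid(const struct idmap *m, const struct vfs_caps *c, kuid_t *out)
{
	uint32_t off = c->rootid.val - m->first_vfs;
	if (c->rootid.val < m->first_vfs || off >= m->count)
		return false;
	out->val = m->first_k + off;
	return true;
}
```

With a mount that maps filesystem uids 100000..165535 onto kuids 1000.., the sample's rootid 100000 resolves to kuid 1000; under a mapping that does not cover 100000 the lookup fails and the capabilities are treated as absent.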

