[PATCH v6 09/40] xattr: handle idmapped mounts
David Howells
dhowells at redhat.com
Wed Mar 3 14:45:07 UTC 2021
Christian Brauner <christian.brauner at ubuntu.com> wrote:
> In order to answer this more confidently I need to know a bit more about
> how cachefiles are supposed to work.
>
> From what I gather here it seemed what this code is trying to set here
> is an internal "CacheFiles.cache" extended attribute on the indode. This
> extended attribute doesn't store any uids and gids or filesystem
> capabilities so the user namespace isn't relevant for that since there
> doesn't need to be any conversion.
>
> What I need to know is what information do you use for cachefiles to
> determine whether someone can set that "Cachefiles.cache" extended
> attribute on the inode:
> - Is it the mnt_userns of a/the mount of the filesystem you're caching for?
> - The mnt_userns of the mnt of struct cachefiles_cache?
> - Or the stashed or current creds of the caller?
Mostly it's about permission checking. The cache driver wants to do accesses
onto the files in cache using the context of whatever process writes the
"bind" command to /dev/cachefiles, not the context of whichever process issued
a read or write, say, on an NFS file that is being cached.
This causes standard UNIX perm checking, SELinux checking, etc. all to be
switched to the appropriate context. It also controls what appears in the
audit logs.
There is an exception to this: It also governs the ownership of new files and
directories created in the cache and what security labels will be set on them.
Quite possibly this doesn't matter for the xattr stuff. It's hard to tell
since we use user namespaces to convey so many different things at different
times.
David
More information about the Linux-security-module-archive
mailing list