Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933817AbcCISOs (ORCPT <rfc822;w@1wt.eu>);
	Wed, 9 Mar 2016 13:14:48 -0500
Received: from mail-io0-f172.google.com ([209.85.223.172]:33536 "EHLO
	mail-io0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933549AbcCISOk (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 9 Mar 2016 13:14:40 -0500
MIME-Version: 1.0
In-Reply-To: <CALCETrU4+zTKABz1foEA=an3XYbe_UXxn_w9=1GjVzMe5DXXPw@mail.gmail.com>
References: <CALCETrU4+zTKABz1foEA=an3XYbe_UXxn_w9=1GjVzMe5DXXPw@mail.gmail.com>
Date: Wed, 9 Mar 2016 10:14:39 -0800
X-Google-Sender-Auth: Q_BlcQDO3MX4noDpaBlrlS9DCVE
Message-ID: <CAGXu5jLB5==RAs9YrsPi4m6ZBPn3UtbCzagu_+gr-rtSgKzB1Q@mail.gmail.com>
Subject: Re: Thoughts on tightening up user namespace creation
From: Kees Cook <keescook@chromium.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Linux Containers <containers@lists.linux-foundation.org>,
        Alexander Larsson <alexl@redhat.com>,
        Colin Walters <walters@verbum.org>,
        Serge Hallyn <serge.hallyn@ubuntu.com>,
        Stephane Graber <stgraber@ubuntu.com>,
        Seth Forshee <seth.forshee@canonical.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1404
Lines: 39

On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> Hi all-
>
> There are several users and distros that are nervous about user
> namespaces from an attack surface point of view.
>
>  - RHEL and Arch have userns disabled.
>
>  - Ubuntu requires CAP_SYS_ADMIN
>
>  - Kees periodically proposes to upstream some sysctl to control
> userns creation.

And here's another ring0 escalation flaw, made available to
unprivileged users because of userns:

https://code.google.com/p/google-security-research/issues/detail?id=758

> I think there are three main types of concerns.  First, there might be
> some as-yet-unknown semantic issues that would allow privilege
> escalation by users who create user namespaces and then confuse
> something else in the system.  Second, enabling user namespaces
> exposes a lot of attack surface to unprivileged users.  Third,
> allowing tasks to create user namespaces exposes the kernel to various
> resource exhaustion attacks that wouldn't be possible otherwise.
>
> Since I doubt we'll ever fully address the attack surface issue at
> least, would it make sense to try to come up with an upstreamable way
> to limit who can create new user namespaces and/or do various
> dangerous things with them?

The change in attack surface is _substantial_. We must have a way to
globally disable userns.

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security