Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933642AbcCITVT (ORCPT <rfc822;w@1wt.eu>);
	Wed, 9 Mar 2016 14:21:19 -0500
Received: from h2.hallyn.com ([78.46.35.8]:35284 "EHLO h2.hallyn.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753754AbcCITVF (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 9 Mar 2016 14:21:05 -0500
Date: Wed, 9 Mar 2016 13:21:03 -0600
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Colin Walters <walters@verbum.org>
Cc: Kees Cook <keescook@chromium.org>, Andy Lutomirski <luto@amacapital.net>,
        linux-kernel@vger.kernel.org,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Linux Containers <containers@lists.linux-foundation.org>,
        Alexander Larsson <alexl@redhat.com>,
        Serge Hallyn <serge.hallyn@ubuntu.com>,
        Stephane Graber <stgraber@ubuntu.com>,
        Seth Forshee <seth.forshee@canonical.com>
Subject: Re: Thoughts on tightening up user namespace creation
Message-ID: <20160309192103.GA2523@mail.hallyn.com>
References: <CALCETrU4+zTKABz1foEA=an3XYbe_UXxn_w9=1GjVzMe5DXXPw@mail.gmail.com>
 <CAGXu5jLB5==RAs9YrsPi4m6ZBPn3UtbCzagu_+gr-rtSgKzB1Q@mail.gmail.com>
 <1457549467.650797.544465346.49653120@webmail.messagingengine.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1457549467.650797.544465346.49653120@webmail.messagingengine.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1979
Lines: 46

Quoting Colin Walters (walters@verbum.org):
> On Wed, Mar 9, 2016, at 01:14 PM, Kees Cook wrote:
> > On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> > > Hi all-
> > >
> > > There are several users and distros that are nervous about user
> > > namespaces from an attack surface point of view.
> > >
> > >  - RHEL and Arch have userns disabled.
> > >
> > >  - Ubuntu requires CAP_SYS_ADMIN
> > >
> > >  - Kees periodically proposes to upstream some sysctl to control
> > > userns creation.
> > 
> > And here's another ring0 escalation flaw, made available to
> > unprivileged users because of userns:
> > 
> > https://code.google.com/p/google-security-research/issues/detail?id=758
> 
> Looks like Andy won't have to eat his hat ;)
> 
> > The change in attack surface is _substantial_. We must have a way to
> > globally disable userns.
> 
> No one would object if it was enabled but only accessible to
> CAP_SYS_ADMIN though, right?  This could be useful for 

I think that would be terrible.  I'd have to expose all of CAP_SYS_ADMIN
to allow use of CLONE_NEWUSER.  I'd be more interested in a new CAP_NEWUSER
capability.  Then systems wanting to support unprivileged users doing user
namespaces could set a pam module giving certain users that cap in pI, and
set it on fI on their container managers.  Userspace has to give access to
mapped uids through /etc/subuid too, so it's not *so* huge added hurdle.
Well that's not quite true - with empty subuid, users can create a userns
with no mapped userids which in itself is useful for sandboxing.

The biggest problem with a CAP_NEWUSER would be that it's more inherently
permanent than a new sysctl.  The increase in attack surface is real, but
over time I'd like to think that we will have dealt with it and should be
able to make CLONE_NEWUSER unprivileged.  Because what we have is an
implementation issue (not in user namespaces), not a design issue.

And I do agree the issue is real.

-serge