Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4327992yba;
        Tue, 9 Apr 2019 16:36:08 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzXt7/YIIbttzzXZtVaGnxSUE/Q9vBMFqsEvuixR1OAa6vqcEZbRET1JxYO+KVcW3BiC49k
X-Received: by 2002:a65:6545:: with SMTP id a5mr26712275pgw.264.1554852968254;
        Tue, 09 Apr 2019 16:36:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554852968; cv=none;
        d=google.com; s=arc-20160816;
        b=FsN++eBhfP3IpZm9YzbXjr+hEcR3H63JUpZaLokuyTRXKwuRscnggPAKotLzIZxmvt
         nNCysUdleV+10uKuLQPvgBVcxLFHcdzCn553pUTzpGduzmIcx9GY7HErBlKRQ0tlumnu
         1v6LOxitU3qzokxbvLSou2qD4WdIMhpkxe4BcwhvhEqN12qmzq+BD3QFQiOMRG48AiyC
         haE+XeqRfDaG+wo4iuqPm9h+GZMc5Nl6SFj7uBHpvE0jAPZb2eOGWWWF5TPyTI5bOCBl
         O02/KVbl1C6mIoQOK1Md9v3OQU6WfsXwiN14LMzKtCj6mlx4Oq54/+DfMbrE9Q+U7U2D
         Vi6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=gWeYLM3rxJzPGlnKtrpsD9DliBwRs8NRe3bcbb4uxqg=;
        b=DlARIb/he6lDWtL73Uj69m6pMeVdF3sgfQQU9bp4iUXFSI+A1yNv20DzXureAhTHUv
         Di+tOHKnyAjJkCW7j9Tly7qV/m03CtrzuBFkmTdxhJvT8x4Z2lCdKXmZOz8h/Du8D8uj
         qzZHXil8ehS8qBMVN8QognJVarQI8FEGauJxe76w55/mcQUf/8cevESFYKPK4T6q8Ksz
         D15IMD0zytJejF2TaOR74mTizboRbBqgEnJmC4VnMVXXhluRXt0MAWHI6PQb1p5WZyWE
         PUegv5zkKJsUoc6QoVHA/b/7eFJFhPz63g5InVgKJO5t6XnaP+OmjUM/w0yLn3F2y3En
         91tw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XqVcx5wo;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c4si29249235pgq.439.2019.04.09.16.35.52;
        Tue, 09 Apr 2019 16:36:08 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XqVcx5wo;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727047AbfDIXfJ (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 9 Apr 2019 19:35:09 -0400
Received: from mail-lj1-f195.google.com ([209.85.208.195]:43368 "EHLO
        mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727011AbfDIXfJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Apr 2019 19:35:09 -0400
Received: by mail-lj1-f195.google.com with SMTP id f18so310362lja.10;
        Tue, 09 Apr 2019 16:35:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=gWeYLM3rxJzPGlnKtrpsD9DliBwRs8NRe3bcbb4uxqg=;
        b=XqVcx5wo8OBRGYaAwrpVdO+dFWVY+W61RR4oVH1KTrT5lDqDjLoSsEK/4YVexk8rBG
         fSE2DTB170CS2tjtlSHv/eu+qvLtVWYqhIPjoiXXsJ6SljtoiTDr55us1T6cn8TMaxx1
         6jGSiMeaRy7UKMixzWcgmthKN0BE2739sEVu6dOa3Vp0WYMHbocD3MS34ywc18f/irHH
         M0kDFhEI23uPhbzzqlMh08sXNeEdqdzCL3m9wNoJCfg9941ke6sgGic5WVhwE5gr6+VW
         f9mVFJR77+2r1hqcTGvk8MMPK1WdilWgCAZF0Jo5C5mDqtVMWffe+1Ry+rT4F7Vspfpa
         idWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=gWeYLM3rxJzPGlnKtrpsD9DliBwRs8NRe3bcbb4uxqg=;
        b=l0x0mj3Jt37N9CqBfSxRZaPHoYZFWMVE9lOXH036ADPhL5JEzt7K1EqDr9DmryN0f7
         hhU8MTKlL9AHLsa5jNfeotjQdAEKaEDz0lwc4YOe+He+jOlixV7CgZvVazOafZK04h/T
         J3mZzgO6KTYBVkp/Muineci58QAjMByxmnyuR3IdA/rysy0aUU/dgWWTcJj7ZX7QJ3Cs
         clhLYH02iiEXK0UAysGilqunAuiYOMKjUiWwk52pWiPHClTwqIW07WDhSl3fGGQG2bgA
         0scztHKclm3MZ8k7njxo87O40qh1pvf/3GkPWKktOH8uFRV8pWnqEpVGCqeiEvrrzf/a
         /LYQ==
X-Gm-Message-State: APjAAAWnEH8sXm5G0l4d82BL+ba0h5Xz+4NB/8np4nKDQpJnRjyrToPo
        dfXov5XAfgk4lbc4CEOqBgYB1D+3n9dOpUHa88k=
X-Received: by 2002:a2e:808e:: with SMTP id i14mr22176366ljg.103.1554852906651;
 Tue, 09 Apr 2019 16:35:06 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1554485409.git.rdna@fb.com> <CAG48ez2D=fUX6_MDf5WD39av65FSQ1OF7v7gG5pqZLqgU9RAUw@mail.gmail.com>
 <20190409230432.GA59615@rdna-mbp> <CAG48ez0-B_m6ruMiMp+hVgxmw1dZVtiKGqPWtaFP5esOQTjr9A@mail.gmail.com>
In-Reply-To: <CAG48ez0-B_m6ruMiMp+hVgxmw1dZVtiKGqPWtaFP5esOQTjr9A@mail.gmail.com>
From:   Alexei Starovoitov <alexei.starovoitov@gmail.com>
Date:   Tue, 9 Apr 2019 16:34:55 -0700
Message-ID: <CAADnVQ+88HOEM+aJycPd_dWu=rizeNMfQucC+f5refHOTepBGQ@mail.gmail.com>
Subject: Re: [PATCH v3 bpf-next 00/21] bpf: Sysctl hook
To:     Jann Horn <jannh@google.com>
Cc:     Andrey Ignatov <rdna@fb.com>,
        Network Development <netdev@vger.kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Roman Gushchin <guro@fb.com>, Kernel Team <Kernel-team@fb.com>,
        Luis Chamberlain <mcgrof@kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Alexey Dobriyan <adobriyan@gmail.com>,
        kernel list <linux-kernel@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 9, 2019 at 4:22 PM Jann Horn <jannh@google.com> wrote:
>
> But there's a reason why user namespaces are all-or-nothing on these
> things. If the kernel does not explicitly make a sysctl available to a
> container, the sysctl has global effects, and therefore probably
> shouldn't be exposed to anything other than someone with
> administrative privileges across the whole system. If the kernel does
> make it available to a container, the sysctl's effects are limited to
> the container (or otherwise it's a kernel bug).
>
> Can you give examples of sysctls that you want to permit using from
> containers, that wouldn't be accessible in a user namespace?

I think this discussion has started with incorrect
assumptions about the goal of the patch set.
There is no _security_ part here.
The sysctl hook is to prevent silly things to be done by chef
and apps. Most interesting sysctls need root anyway.
The root can detach all progs and do its thing.
Consider tcp_mem sysctl. We've seen it's been misconfigured
and caused performance issues. bpf prog can track what is
being written, alarm, etc.
User namespaces are not applicable here.