Subject: Re: RFC: on adding new CLONE_* flags [WAS Re: [PATCH 0/4] clone: add CLONE_PIDFD]
From: Andy Lutomirski
Date: Wed, 17 Apr 2019 09:46:49 -0700
To: Florian Weimer
Cc: Andy Lutomirski, Aleksa Sarai, "Enrico Weigelt, metux IT consult", Christian Brauner, Linus Torvalds, Al Viro, Jann Horn, David Howells, Linux API, LKML, "Serge E. Hallyn", Arnd Bergmann, "Eric W. Biederman", Kees Cook, Thomas Gleixner, Michael Kerrisk, Andrew Morton, Oleg Nesterov, Joel Fernandes, Daniel Colascione
In-Reply-To: <87v9zc6cz2.fsf@oldenburg2.str.redhat.com>
References: <20190414201436.19502-1-christian@brauner.io> <20190415195911.z7b7miwsj67ha54y@yavin> <87v9zc6cz2.fsf@oldenburg2.str.redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Apr 17, 2019, at 5:19 AM, Florian Weimer wrote:
>
> * Andy Lutomirski:
>
>> I would personally *love* it if distros started setting no_new_privs
>> for basically all processes.
>
> Wouldn't no_new_privs inhibit all security transitions, including those
> that reduce privileges? And therefore effectively reduce security?

In principle, you still can reduce privileges with no_new_privs. SELinux has a whole mechanism for privilege-reducing transitions on exec that works in no_new_privs mode. Also, all the traditional privilege dropping techniques work — setresuid(), unshare(), etc are all unaffected.

> There seems to be some demand to be able to do large
> parts of container setup using posix_spawn, so we'll probably add
> support for things like writing to arbitrary files eventually. And of
> course, proper error reporting, so that you can figure out which file
> creation action failed.
>

ISTM the way to handle this is to have a way to make a container, set it up, and then clone/spawn into it. The current unshare() API is severely awkward.

Maybe the new better kernel spawn API shouldn't support unshare-like semantics at all and should instead work like setns().
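The point made above, that no_new_privs blocks privilege *gains* on exec but leaves the classic privilege-*dropping* calls untouched, is easy to check on a running kernel. The following program is an added example for this page, not code from the thread or from the kernel tree: it sets PR_SET_NO_NEW_PRIVS, reads the flag back, then drops to a target uid with setresuid() and verifies the drop is real (all three uids match and root cannot be regained), and finally shows that a forked child inherits the flag. The helper names (enable_no_new_privs, drop_to_uid, child_inherits_nnp) are this example's own; the prctl constants and fallback values 38/39 are the Linux ones.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for older headers; these are the real Linux values. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Set no_new_privs for the calling process. The flag is one-way and is
 * inherited across fork() and execve(). Returns 0 or -errno. */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

/* Read the flag back: 1 if set, 0 if clear, -errno on failure. */
int no_new_privs_is_set(void)
{
    int r = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Drop real, effective and saved uid to `uid` with setresuid(), then
 * verify the drop: all three ids must match, and when uid != 0 an
 * attempt to go back to root must fail. This works the same whether
 * or not no_new_privs is set, which is the claim made in the reply.
 * Returns 0 on a verified drop, -errno on a syscall failure, and
 * -EPERM if root could still be regained. */
int drop_to_uid(uid_t uid)
{
    uid_t r, e, s;

    if (setresuid(uid, uid, uid) != 0)
        return -errno;
    if (getresuid(&r, &e, &s) != 0)
        return -errno;
    if (r != uid || e != uid || s != uid)
        return -EINVAL;
    if (uid != 0 && setresuid(0, 0, 0) == 0)
        return -EPERM;      /* privilege was not really dropped */
    return 0;
}

/* fork() a child and report what PR_GET_NO_NEW_PRIVS returns inside it:
 * 1 or 0 for the flag, 2 if the child could not query it, -errno if
 * fork()/waitpid() failed in the parent. */
int child_inherits_nnp(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -errno;
    if (pid == 0) {
        int v = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
        _exit(v < 0 ? 2 : v);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    if (!WIFEXITED(status))
        return -ECHILD;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("enable_no_new_privs: %d\n", enable_no_new_privs());
    printf("no_new_privs_is_set: %d\n", no_new_privs_is_set());
    /* Dropping to our own uid is a no-op for the ids but still exercises
     * the verification path; a root caller would pass a real target uid. */
    printf("drop_to_uid(%u): %d\n", (unsigned)getuid(), drop_to_uid(getuid()));
    printf("child_inherits_nnp: %d\n", child_inherits_nnp());
    return 0;
}
```

Run it twice, once as an unprivileged user and once as root with a non-zero uid passed to drop_to_uid(), to see that the setresuid() path behaves identically with the flag set; what no_new_privs changes is only that a later execve() of a setuid binary or a file with file capabilities no longer raises privileges.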