Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp3222123ybc; Mon, 18 Nov 2019 11:32:58 -0800 (PST) X-Google-Smtp-Source: APXvYqwsBV/CdlzneKtpcW83gKZWSgggT1WJF5EKsv45ccNuJgthD1kvKH2LfUIdtA9zQ0apZfbb X-Received: by 2002:a17:906:6b01:: with SMTP id q1mr28781934ejr.162.1574105578301; Mon, 18 Nov 2019 11:32:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574105578; cv=none; d=google.com; s=arc-20160816; b=HM23Nx4OixumeGOLkoMQopmKP1/ZuJlArOjyj1OBsfjfS/n2Mz9jSfiQsDTiz2oxTf r7Dg1m1eMZmLICmCTuZodPg86kgiD5WqUe1mJ0taaHO+zwO+GcRyVqm7Tl8AtIj+tVOm EW6Ma9Tb5kDD1C2rRZ1IeD4E6IHkaAbHaRNc1cxSQV4H6Gl6YSMJbhTBq7bCYqiE8t47 v+ztU4+63wIP6B8dILXIiXqbCxsowJssF24zJ5cklzo5hPLHyo9tLsvQOEMyJrsXPyVL weZ6stnKH3+ZjO+RcmsEkvgGOc8W/JsfMNGfJh0Ik5KrvmtBiRp3R+m49DYEXp3Dw/Xv maeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=lkip5tRvw12bpfehhEr6pH72dcrY21taqVrxtTzIpV4=; b=MLy7oocjktzVL7O7xo84fHpXXI89INj+f+IGEaMm0TtXsXgnZ4fVWhgTxAMSbHqlCr wzqVHyMmgK4V5yACcpkM8s15gUAoBxuUMClsP+FoKlmr3W/uKjlNjrIVsrosqq8hwW3I pvhvizve0nqwYZhJuqUTsp3A71nTHa8exo7gM1/mbrZiZuHFCAy2U/QrROdGHfVsDFtz z5HGwrt7DMZWgShQM6I6IpI7jNHCSu/3JtuJ5FtwT89K2dKfYckMJTZxnX51mLYqxBCe TDkvTE4wwFbD1TphjDVb9i2idWGJbELgjwH+0iHU2dqBDFC9lJAWd/I7Vg2r5dB1AO6M W3Xg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=K5edr+xe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v4si12099225ejx.132.2019.11.18.11.32.33; Mon, 18 Nov 2019 11:32:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=K5edr+xe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726748AbfKRTbX (ORCPT + 99 others); Mon, 18 Nov 2019 14:31:23 -0500 Received: from mail-oi1-f195.google.com ([209.85.167.195]:36136 "EHLO mail-oi1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726435AbfKRTbX (ORCPT ); Mon, 18 Nov 2019 14:31:23 -0500 Received: by mail-oi1-f195.google.com with SMTP id j7so16441323oib.3 for ; Mon, 18 Nov 2019 11:31:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lkip5tRvw12bpfehhEr6pH72dcrY21taqVrxtTzIpV4=; b=K5edr+xedFq5I4V/ASDZBcAzez637Hy6MHbuKWYWMplzF7Q96rNQJihqBuir4XV1FC bFEONPEMKWyPnaQZfdEVjnGHRw0gPHwA0Ll7tGFQQYu8bA75cXdCMZN/RWWmaf9xjOoo Nu7nTA0vyhxsK8GdZ1PjZmr2wFC0OzYxaltsU8gmgABemah1g8Or1M+RgmIlSMiHtrIa UGYBLBhpTsARKd0lf4PKdT6pdLOt8328tuV3E8nNHTrwcWJXRyPzOOvDrx1wg61zeGZQ aZEyBbrjy6ZeR4S7NCuSpTElcWb270L1oZc4DQe734W0vHnVCWNgJS9J4vmPKHmhsaff nWhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lkip5tRvw12bpfehhEr6pH72dcrY21taqVrxtTzIpV4=; b=lNpcxcXRbo96qFz48Wa7vJmRl8ZnInO4OyHwqMWC+I1lCBqYgv4k6wtEFjyk8GqomZ cOzjd9DOWqXEeIp9St9Bqc8GEq2f78FlO2JKpHsLCYDwzFY/6mk+WjGxL2cOvB329Zac GBXoPnLp2MMkMuD6EZl8nO8F4Xz+Dpr7oi0h5aIa9W7VBav8qa+LvJ0JIKhiFcEB7Yvd n+BQOmIIIiNpGER1m/qdMcYUYgmvOmPEyfOAOVmPsx99tg3Kk7ftMYJTZIceACilAg6m sRgEyTYLWNhJFQcZu659VE5B41IiTYf45lwpM+pJYhseUGC83Wzo/YDW2vey8ClQewCt ROZQ== X-Gm-Message-State: APjAAAUOjWS/u3kB0c6UykZwlRhNBx4qu/m3SlC3Wwu7ne/eZPpUox1m ow9D3s5T2MoDSMJPTFIS3Lm71qdYF+4B3ReLOOHJMw== X-Received: by 2002:a05:6808:9a1:: with SMTP id e1mr494893oig.175.1574105480391; Mon, 18 Nov 2019 11:31:20 -0800 (PST) MIME-Version: 1.0 References: <1574096478-11520-1-git-send-email-prakash.sangappa@oracle.com> <1574096478-11520-2-git-send-email-prakash.sangappa@oracle.com> In-Reply-To: <1574096478-11520-2-git-send-email-prakash.sangappa@oracle.com> From: Jann Horn Date: Mon, 18 Nov 2019 20:30:54 +0100 Message-ID: Subject: Re: [RESEND RFC PATCH 1/1] Selectively allow CAP_SYS_NICE capability inside user namespaces To: Prakash Sangappa Cc: kernel list , Linux API , "Eric W. Biederman" , Thomas Gleixner , Peter Zijlstra , "Serge E. Hallyn" , Christian Brauner Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 18, 2019 at 6:04 PM Prakash Sangappa wrote: > Allow CAP_SYS_NICE to take effect for processes having effective uid of a > root user from init namespace. [...] > @@ -4548,6 +4548,8 @@ int can_nice(const struct task_struct *p, const int nice) > int nice_rlim = nice_to_rlimit(nice); > > return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || > + (ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE) && > + uid_eq(current_euid(), GLOBAL_ROOT_UID)) || > capable(CAP_SYS_NICE)); I very strongly dislike tying such a feature to GLOBAL_ROOT_UID. Wouldn't it be better to control this through procfs, similar to uid_map and gid_map? If you really need an escape hatch to become privileged outside a user namespace, then I'd much prefer a file "cap_map" that lets someone with appropriate capabilities in the outer namespace write a bitmask of capabilities that should have effect outside the container, or something like that. And limit that to bits where that's sane, like CAP_SYS_NICE. If we tie features like this to GLOBAL_ROOT_UID, more people are going to run their containers with GLOBAL_ROOT_UID. Which is a terrible, terrible idea. GLOBAL_ROOT_UID gives you privilege over all sorts of files that you shouldn't be able to access, and only things like mount namespaces and possibly LSMs prevent you from exercising that privilege. GLOBAL_ROOT_UID should only ever be given to processes that you trust completely.