Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp3662013pxu;
        Sun, 11 Oct 2020 19:15:50 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyGWuTheQ6s+gn1Oabdc0qSIaYS1AvDv/BC3YuuXRJgFxLElTWgsJt/SHP926e59CW3yYCo
X-Received: by 2002:a17:907:4365:: with SMTP id nd5mr26577908ejb.56.1602468950679;
        Sun, 11 Oct 2020 19:15:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1602468950; cv=none;
        d=google.com; s=arc-20160816;
        b=C6HT53f0sBO6uFVHxW04GRctq7o18T0xFGJMx6tqrYc4gbY5sqxyDUWc2PeMn8/gZl
         nZIrd/HhgxYTJ0e/J/KkXmtCnHgtOjnTMRQBO7jI+Ya6oLaQkZGTd6V3j9U5E3PWkJhw
         1X85KTXxYqlQzD5Jopa8zGZKZZsDbodL2en3DUjuejNs63ZnzQ84JY1VoTv2EsH98LJg
         Ij7ywZdsG1h+017EqGnoQA88f/LTZy0ylFQzzABqbL9PGsCRDaHOPXHQFk8fWTw3Z0Ar
         WTgpfQRUhTDhXM1lKHyUisAeVzXXTOPIljvfqBDM9NkoZ8AUJhuwn3ZZ+3+L0XQSU9T8
         Z5+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=uIIgPILalSxxn328EMkRMAUkv5r+3Q5lNRqsXSf3/h0=;
        b=s9NY3aHaJD5HBuj8i55NyvhpobAltQEB61jvDDZSQucD0Xf6NIW1Cxafabm7F1qQYo
         XDpySSn4U1P139AXanmPXUHaFSXl9KfL3ohcZh+93C8olSpoxCGLN3HMScTqYv8drPRE
         5qWf7faioB0wPonSJTsX1Mf4zQbUw2Vsj4uy+0SDdjkIMwR5BcP86HJCepetIxEvjaYo
         2oBgz0LLqXeqLv0NFqrWqKvTjmdXL9piQplIYioHWmJkdZhdGlbR3WWcp7igsjtUd6Ru
         7IJkakIuSwp7USomrL6epw3ZTBgW2LcGuqql8gS8ATZq2R69KWO4TrH3B2MR0rKC9ECC
         8J1A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id m27si12012028eji.326.2020.10.11.19.15.28;
        Sun, 11 Oct 2020 19:15:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729458AbgJKUxV (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Sun, 11 Oct 2020 16:53:21 -0400
Received: from relay6-d.mail.gandi.net ([217.70.183.198]:53575 "EHLO
        relay6-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729321AbgJKUxV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 11 Oct 2020 16:53:21 -0400
X-Originating-IP: 67.5.25.97
Received: from localhost (unknown [67.5.25.97])
        (Authenticated sender: josh@joshtriplett.org)
        by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id 499F2C0004;
        Sun, 11 Oct 2020 20:53:08 +0000 (UTC)
Date:   Sun, 11 Oct 2020 13:53:06 -0700
From:   Josh Triplett <josh@joshtriplett.org>
To:     "Serge E. Hallyn" <serge@hallyn.com>
Cc:     Christian Brauner <christian.brauner@ubuntu.com>,
        containers@lists.linux-foundation.org,
        Alexander Mihalicyn <alexander@mihalicyn.com>,
        Mrunal Patel <mpatel@redhat.com>, Wat Lim <watl@google.com>,
        Aleksa Sarai <cyphar@cyphar.com>,
        Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
        Geoffrey Thomas <geofft@ldpreload.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Joseph Christopher Sible <jcsible@cert.org>,
        =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mic@digikod.net>,
        Vivek Goyal <vgoyal@redhat.com>,
        Giuseppe Scrivano <gscrivan@redhat.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Stephane Graber <stgraber@ubuntu.com>,
        Kees Cook <keescook@chromium.org>,
        Sargun Dhillon <sargun@sargun.me>, linux-kernel@vger.kernel.org
Subject: Re: LPC 2020 Hackroom Session: summary and next steps for isolated
 user namespaces
Message-ID: <20201011205306.GC17441@localhost>
References: <20200830143959.rhosiunyz5yqbr35@wittgenstein>
 <20201010042606.GA30062@mail.hallyn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20201010042606.GA30062@mail.hallyn.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote:
> > 3. Find a way to allow setgroups() in a user namespace while keeping
> >    in mind the case of groups used for negative access control.
> >    This was suggested by Josh Triplett and Geoffrey Thomas. Their idea was to
> >    investigate adding a prctl() to allow setgroups() to be called in a user
> >    namespace at the cost of restricting paths to the most restrictive
> >    permission. So if something is 0707 it needs to be treated as if it's 0000
> >    even though the caller is not in its owning group which is used for negative
> >    access control (how these new semantics will interact with ACLs will also
> >    need to be looked into).
> 
> I should probably think this through more, but for this problem, would it
> not suffice to add a new prevgroups grouplist to the struct cred, maybe
> struct group_info *locked_groups, and every time an unprivileged task creates
> a new user namespace, add all its current groups to this list?

So, effectively, you would be allowed to drop permissions, but
locked_groups would still be checked for restrictions?

That seems like it'd introduce a new level of complexity (a new facet of
permission) to manage. Not opposed, but it does seem more complex than
just opting out of using groups for negative permissions.