Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp3662013pxu; Sun, 11 Oct 2020 19:15:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyGWuTheQ6s+gn1Oabdc0qSIaYS1AvDv/BC3YuuXRJgFxLElTWgsJt/SHP926e59CW3yYCo X-Received: by 2002:a17:907:4365:: with SMTP id nd5mr26577908ejb.56.1602468950679; Sun, 11 Oct 2020 19:15:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602468950; cv=none; d=google.com; s=arc-20160816; b=C6HT53f0sBO6uFVHxW04GRctq7o18T0xFGJMx6tqrYc4gbY5sqxyDUWc2PeMn8/gZl nZIrd/HhgxYTJ0e/J/KkXmtCnHgtOjnTMRQBO7jI+Ya6oLaQkZGTd6V3j9U5E3PWkJhw 1X85KTXxYqlQzD5Jopa8zGZKZZsDbodL2en3DUjuejNs63ZnzQ84JY1VoTv2EsH98LJg Ij7ywZdsG1h+017EqGnoQA88f/LTZy0ylFQzzABqbL9PGsCRDaHOPXHQFk8fWTw3Z0Ar WTgpfQRUhTDhXM1lKHyUisAeVzXXTOPIljvfqBDM9NkoZ8AUJhuwn3ZZ+3+L0XQSU9T8 Z5+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=uIIgPILalSxxn328EMkRMAUkv5r+3Q5lNRqsXSf3/h0=; b=s9NY3aHaJD5HBuj8i55NyvhpobAltQEB61jvDDZSQucD0Xf6NIW1Cxafabm7F1qQYo XDpySSn4U1P139AXanmPXUHaFSXl9KfL3ohcZh+93C8olSpoxCGLN3HMScTqYv8drPRE 5qWf7faioB0wPonSJTsX1Mf4zQbUw2Vsj4uy+0SDdjkIMwR5BcP86HJCepetIxEvjaYo 2oBgz0LLqXeqLv0NFqrWqKvTjmdXL9piQplIYioHWmJkdZhdGlbR3WWcp7igsjtUd6Ru 7IJkakIuSwp7USomrL6epw3ZTBgW2LcGuqql8gS8ATZq2R69KWO4TrH3B2MR0rKC9ECC 8J1A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m27si12012028eji.326.2020.10.11.19.15.28; Sun, 11 Oct 2020 19:15:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729458AbgJKUxV (ORCPT + 99 others); Sun, 11 Oct 2020 16:53:21 -0400 Received: from relay6-d.mail.gandi.net ([217.70.183.198]:53575 "EHLO relay6-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729321AbgJKUxV (ORCPT ); Sun, 11 Oct 2020 16:53:21 -0400 X-Originating-IP: 67.5.25.97 Received: from localhost (unknown [67.5.25.97]) (Authenticated sender: josh@joshtriplett.org) by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id 499F2C0004; Sun, 11 Oct 2020 20:53:08 +0000 (UTC) Date: Sun, 11 Oct 2020 13:53:06 -0700 From: Josh Triplett To: "Serge E. Hallyn" Cc: Christian Brauner , containers@lists.linux-foundation.org, Alexander Mihalicyn , Mrunal Patel , Wat Lim , Aleksa Sarai , Pavel Tikhomirov , Geoffrey Thomas , "Eric W. Biederman" , Joseph Christopher Sible , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , Vivek Goyal , Giuseppe Scrivano , Andy Lutomirski , Stephane Graber , Kees Cook , Sargun Dhillon , linux-kernel@vger.kernel.org Subject: Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces Message-ID: <20201011205306.GC17441@localhost> References: <20200830143959.rhosiunyz5yqbr35@wittgenstein> <20201010042606.GA30062@mail.hallyn.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201010042606.GA30062@mail.hallyn.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: > > 3. Find a way to allow setgroups() in a user namespace while keeping > > in mind the case of groups used for negative access control. > > This was suggested by Josh Triplett and Geoffrey Thomas. Their idea was to > > investigate adding a prctl() to allow setgroups() to be called in a user > > namespace at the cost of restricting paths to the most restrictive > > permission. So if something is 0707 it needs to be treated as if it's 0000 > > even though the caller is not in its owning group which is used for negative > > access control (how these new semantics will interact with ACLs will also > > need to be looked into). > > I should probably think this through more, but for this problem, would it > not suffice to add a new prevgroups grouplist to the struct cred, maybe > struct group_info *locked_groups, and every time an unprivileged task creates > a new user namespace, add all its current groups to this list? So, effectively, you would be allowed to drop permissions, but locked_groups would still be checked for restrictions? That seems like it'd introduce a new level of complexity (a new facet of permission) to manage. Not opposed, but it does seem more complex than just opting out of using groups for negative permissions.