Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp4126676pxu; Mon, 12 Oct 2020 10:07:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz5vDqpf93tjitTA3t5HXgq7TRVtztsuU+arOWeFovHnFhuod9IODkm/nAy/HUShJ75/3v7 X-Received: by 2002:a05:6402:13d7:: with SMTP id a23mr14862455edx.352.1602522474612; Mon, 12 Oct 2020 10:07:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602522474; cv=none; d=google.com; s=arc-20160816; b=uXtLzXzmZYsQBLkMAx4flBAkGQx9xNdgRTZTqxihCoWLJlrrzCpXLOcFR/IsGkrymy GkB9oyX7dLFZp2dwnBezS5ziCW6lEgsn78gkL9gAV/yFb7T4kO8Pbhr4Nn/lNEkKZR0c dxQQYQna89uQO660wHA+DXV7aifBO6DDcYynvHnOBGt0VLLPxHOCmUghVJ1ViGaa5V1F hD4ndbcXRJamYY1dvD6sh4/rwVbshIL4t4VRTEeFUZQ8OEr9pQ5jTQd2RRIMcupfYVm8 QBI7WmOClmRfX1qtm1WP68KpbGbizGEbcVxvEhmygAp+WPwUghGWVCuKDjX8iuFAf458 rC6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dkim-signature; bh=48/p/swHiO9g9EftOv4fYGSl8TGG6SINHcN0wha0CCE=; b=ZOk6uipxrCEy3/KOqw9eKKvhvOtmhr/L8GApPYbqswHj/eYPGM3TrwUaQa8VS6ApdF WV04cdPhmDKbuRezNipeAZaG1WXGdnBqFvzNCtI0oekzV6SvcDu6Gm3HMNCA8bM8nLlm ulWcXMzkD1j5OTrW1VDr2uwUvCTYodtnW4GUwmUmApQPrJJzQkFmJLXXvR8gdnDfIeE5 ulmUggJQw39D1+LJFymPgvdLARoKss083BBYa8L/lA0SN54tiSeRr7r/EY1wTfmcob63 1sqHOs3QNJ/S9LypnrtcN0o8H2jM8Lq6hqdNhuV2vANeZXY15BcjPdA68mnuIiIKfn9y NjtA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=GJGhHjLr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f6si12799674edy.198.2020.10.12.10.07.28; Mon, 12 Oct 2020 10:07:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=GJGhHjLr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2403970AbgJLRFW (ORCPT + 99 others); Mon, 12 Oct 2020 13:05:22 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:20335 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2403931AbgJLRFW (ORCPT ); Mon, 12 Oct 2020 13:05:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1602522321; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=48/p/swHiO9g9EftOv4fYGSl8TGG6SINHcN0wha0CCE=; b=GJGhHjLr1bv8wtcQ82Ho+G+WFB2gHcACTXohCMdYjeW3RysZd10UVay7h6XMcl5+HCJt/F y4GDPRqnA8o7CMU6EkDxM7OV8SzYOUay1KAx+uWDOV6LCli0FuymM3tNCMfKdps+SLHRj8 Ytb4aS2sy1fBXjl52OIivMK9SANncRU= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-429-l02HyH2QMNmHeMm_ZtZX9A-1; Mon, 12 Oct 2020 13:05:16 -0400 X-MC-Unique: l02HyH2QMNmHeMm_ZtZX9A-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 4FEC3ADC26; Mon, 12 Oct 2020 17:05:13 +0000 (UTC) Received: from localhost (ovpn-114-124.ams2.redhat.com [10.36.114.124]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D2B322C31E; Mon, 12 Oct 2020 17:05:11 +0000 (UTC) From: Giuseppe Scrivano To: Josh Triplett Cc: "Serge E. Hallyn" , Christian Brauner , containers@lists.linux-foundation.org, Alexander Mihalicyn , Mrunal Patel , Wat Lim , Aleksa Sarai , Pavel Tikhomirov , Geoffrey Thomas , "Eric W. Biederman" , Joseph Christopher Sible , =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= , Vivek Goyal , Andy Lutomirski , Stephane Graber , Kees Cook , Sargun Dhillon , linux-kernel@vger.kernel.org Subject: Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces References: <20200830143959.rhosiunyz5yqbr35@wittgenstein> <20201010042606.GA30062@mail.hallyn.com> <20201011205306.GC17441@localhost> Date: Mon, 12 Oct 2020 19:05:10 +0200 In-Reply-To: <20201011205306.GC17441@localhost> (Josh Triplett's message of "Sun, 11 Oct 2020 13:53:06 -0700") Message-ID: <87tuuzv0hl.fsf@redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Josh Triplett writes: > On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: >> > 3. Find a way to allow setgroups() in a user namespace while keeping >> > in mind the case of groups used for negative access control. >> > This was suggested by Josh Triplett and Geoffrey Thomas. Their idea was to >> > investigate adding a prctl() to allow setgroups() to be called in a user >> > namespace at the cost of restricting paths to the most restrictive >> > permission. So if something is 0707 it needs to be treated as if it's 0000 >> > even though the caller is not in its owning group which is used for negative >> > access control (how these new semantics will interact with ACLs will also >> > need to be looked into). >> >> I should probably think this through more, but for this problem, would it >> not suffice to add a new prevgroups grouplist to the struct cred, maybe >> struct group_info *locked_groups, and every time an unprivileged task creates >> a new user namespace, add all its current groups to this list? > > So, effectively, you would be allowed to drop permissions, but > locked_groups would still be checked for restrictions? > > That seems like it'd introduce a new level of complexity (a new facet of > permission) to manage. Not opposed, but it does seem more complex than > just opting out of using groups for negative permissions. I have played with something similar in the past. At that time I've discussed it only privately with Eric and we agreed it wasn't worth the extra complexity: https://github.com/giuseppe/linux/commit/7e0701b389c497472d11fab8570c153a414050af instead of a prctl, I've added a new mode to /proc/PID/setgroups that allows setgroups in a userns locking the current gids. What do you think about using /proc/PID/setgroups instead of a new prctl()? Giuseppe