Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp4892349pxu;
        Tue, 13 Oct 2020 09:29:39 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyCugjAr73Xfq0u+NbU+vdTc6zTroSBwNb34J08wpg5WIJt9d2bZLaLuewxzt8yaanE6mgI
X-Received: by 2002:a50:852a:: with SMTP id 39mr359881edr.63.1602606578821;
        Tue, 13 Oct 2020 09:29:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1602606578; cv=none;
        d=google.com; s=arc-20160816;
        b=kBW/TAktmVKbEL7Zv58tijRbF812uuRsnoIhJvwpxBvmDjUe4W7epXz6pTQsa/knI7
         ooqVY4X1Dmkz0l1gfF8nTPnvlChqzDez9fIt3RGzu4mlv9NVebWImzfsvyn73lAMosH8
         8CnNNsNYHoaVAkrCl70EcI6NI8B6VemTe44/Rdsj5WgHV4ozUFbuCD4pOek366qer9yY
         8Bpl5Tkjgb3vtfPJf6LkUM6u4yeDltVSj6yDSgqy/N74eeWn9AL0wgGOiBiqF+902mEt
         maXxtHIug6U54B3KO6PT1rPQXqM9pbVXxaEqIixYi8YpeJWa4lMIEAeTZrTWQla/KiCi
         pWVQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=kY2giPxFia7NdGi/wv5fH3iD8Baz9WWJ02RsYujSGSQ=;
        b=iIWfniE9LDTiSoF+dtAU/S/OWjazkIiI3GFKWTlC594/JWBdwXf+KXCyDqHQyrnziE
         icxJCHxeeqO9dyZ4sAcE+QZhJfq7/VWDsn1pYlki0Scja3v8T/Q9tXB1DwasQDGpdKuW
         N4Raw33cURmnyFo6U9c0BJFf2CGCi8Ev705XvWJqKMeog40CML+h1ssQptuPbn4fQmgw
         NY7XvAp2cONrPtYj80mMUOjb+V0wAccBpXXvKhKN+ld1H+CiTAGqFlmJmJZGKaVlvDrc
         qfShx87PjT0/P3nowFKJNj4Jtdes2u9qI4yDZSTxpw9u67abAHGYObzd2bzG0dBMpgsy
         Ihnw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id l13si119252ejz.710.2020.10.13.09.29.15;
        Tue, 13 Oct 2020 09:29:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727710AbgJMMqw (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Tue, 13 Oct 2020 08:46:52 -0400
Received: from mail.hallyn.com ([178.63.66.53]:52004 "EHLO mail.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727513AbgJMMqw (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Oct 2020 08:46:52 -0400
Received: by mail.hallyn.com (Postfix, from userid 1001)
        id C03D02D5; Tue, 13 Oct 2020 07:46:50 -0500 (CDT)
Date:   Tue, 13 Oct 2020 07:46:50 -0500
From:   "Serge E. Hallyn" <serge@hallyn.com>
To:     Giuseppe Scrivano <gscrivan@redhat.com>
Cc:     Josh Triplett <josh@joshtriplett.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        containers@lists.linux-foundation.org,
        Alexander Mihalicyn <alexander@mihalicyn.com>,
        Mrunal Patel <mpatel@redhat.com>, Wat Lim <watl@google.com>,
        Aleksa Sarai <cyphar@cyphar.com>,
        Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
        Geoffrey Thomas <geofft@ldpreload.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Joseph Christopher Sible <jcsible@cert.org>,
        =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mic@digikod.net>,
        Vivek Goyal <vgoyal@redhat.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Stephane Graber <stgraber@ubuntu.com>,
        Kees Cook <keescook@chromium.org>,
        Sargun Dhillon <sargun@sargun.me>, linux-kernel@vger.kernel.org
Subject: Re: LPC 2020 Hackroom Session: summary and next steps for isolated
 user namespaces
Message-ID: <20201013124650.GA19668@mail.hallyn.com>
References: <20200830143959.rhosiunyz5yqbr35@wittgenstein>
 <20201010042606.GA30062@mail.hallyn.com>
 <20201011205306.GC17441@localhost>
 <87tuuzv0hl.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87tuuzv0hl.fsf@redhat.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 12, 2020 at 07:05:10PM +0200, Giuseppe Scrivano wrote:
> Josh Triplett <josh@joshtriplett.org> writes:
> 
> > On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote:
> >> > 3. Find a way to allow setgroups() in a user namespace while keeping
> >> >    in mind the case of groups used for negative access control.
> >> >    This was suggested by Josh Triplett and Geoffrey Thomas. Their idea was to
> >> >    investigate adding a prctl() to allow setgroups() to be called in a user
> >> >    namespace at the cost of restricting paths to the most restrictive
> >> >    permission. So if something is 0707 it needs to be treated as if it's 0000
> >> >    even though the caller is not in its owning group which is used for negative
> >> >    access control (how these new semantics will interact with ACLs will also
> >> >    need to be looked into).
> >> 
> >> I should probably think this through more, but for this problem, would it
> >> not suffice to add a new prevgroups grouplist to the struct cred, maybe
> >> struct group_info *locked_groups, and every time an unprivileged task creates
> >> a new user namespace, add all its current groups to this list?
> >
> > So, effectively, you would be allowed to drop permissions, but
> > locked_groups would still be checked for restrictions?
> >
> > That seems like it'd introduce a new level of complexity (a new facet of
> > permission) to manage. Not opposed, but it does seem more complex than
> > just opting out of using groups for negative permissions.
> 
> I have played with something similar in the past.  At that time I've
> discussed it only privately with Eric and we agreed it wasn't worth the
> extra complexity:
> 
> https://github.com/giuseppe/linux/commit/7e0701b389c497472d11fab8570c153a414050af

Hi, you linked the setgroups patch, but do you also have a link to the
attempt which you deemed was not worth it?

> instead of a prctl, I've added a new mode to /proc/PID/setgroups that
> allows setgroups in a userns locking the current gids.
> 
> What do you think about using /proc/PID/setgroups instead of a new
> prctl()?

It's better than not having it, but two concerns -

1. some userspace, especially testsuites, could become confused by the fact
that they can't drop groups no matter how hard they try, since these will all
still show up as regular groups.
2. whereas in my lockgroups proposal, lock_groups would only be taken into account
for permission denial, this proposal would count for permission grants too.  This
means that if I have a group which is permitted to read /foo/topsecret, and I
start a program in a new user namespace expecting it to drop that permission,
I can't have that, right?  The new program, will always have that permission?