Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp48577pxy; Wed, 21 Apr 2021 18:07:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzFdIW4ejHeZrzwtCSIQ44+jUUN+Edn1YsOfurMjJZfXo9X2Ah/LII6LoqTN0/6vQLt3gr5 X-Received: by 2002:a17:90a:628c:: with SMTP id d12mr15110846pjj.160.1619053662604; Wed, 21 Apr 2021 18:07:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619053662; cv=none; d=google.com; s=arc-20160816; b=mgpwi8xX22stsAkYhgUcGt6VabyxKmdz7nS8nskNRw0aV3AGrpiHxmER6DxZiVKC/3 50Y9WQVAsbnACnTvOC7zehpjuVqhlx63297lx2pkQTyxCFbcQbGUFvbjcd0uk319lm5F r0Z3kqSPccvlof1/IVMlI9xr4sKVn6OM5SnLyklJdMAWBvACJr5XhtVZJNBuu3inMm22 hJROH4ardeWiC8bNV7IOirkbw/Obx0QzDma/UuQv4KiZmfPvDZt3wwbpqkjm2VI8j3wG KBzTHuOD/phuqSqGNZYOu96DD2qH9gvfSXgUqv0uzHJIjDtfOqwBRjkQqjDhqa/Umx+L pToA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=y5rB5hdeendPXtZ8kWukMNJqwT+C7isho8ILaV2Ei6o=; b=RuAqBtFB7np6/tWE/Nx3oyJpHsK8QyaB4Hp8g745G/wr+YxCU90OXcdFF8qiDmhju7 hmUKy7SHTf6qN1J95zN03PhIQygvl5TKLLBG2uTtixttS7jhX+W8E67OPExSi3h20q1O 7rC5FkpbUlj3H99C4BPYJblia+rp5cwWZjICVxFQ8MXnICd5Sq4RYV7f9IQj0AvkxRav IsJGvs8viIa4fmvCnPdwwUXn5SA1E0lZ0hrvAKwYIqJg2NpNe2rDeKZt3sUVXp4J9NeZ jAzpsDzXDMMoPIytpJ0pvPGQ1cpBijqphhKYP6rfjE+BCVetYBDjf54kiQ9zu2feZVhe 3P7g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=Fju+oMaW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m16si1316543pgu.349.2021.04.21.18.07.30; Wed, 21 Apr 2021 18:07:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=Fju+oMaW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241415AbhDUR1w (ORCPT + 99 others); Wed, 21 Apr 2021 13:27:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41022 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240745AbhDUR1w (ORCPT ); Wed, 21 Apr 2021 13:27:52 -0400 Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B4679C06174A for ; Wed, 21 Apr 2021 10:27:18 -0700 (PDT) Received: by mail-wr1-x434.google.com with SMTP id w4so38443599wrt.5 for ; Wed, 21 Apr 2021 10:27:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=y5rB5hdeendPXtZ8kWukMNJqwT+C7isho8ILaV2Ei6o=; b=Fju+oMaW0JZE6NP+ZWRAXWvRXIbNMJ9AkdGWpnEpT9MFfQHRXAG+fvbY6kVNCuMvmv LojzxCPUkXSZnjVfw3UvD7H4ysLctuaUpYoHZ/9dwKF5gzsUpBpIPzwOVx7YB7ZzREFS lkcuBdEi6ByJEScWZxyesm7cbHU2sFimUGBSnsQTWP2JecS3Y2ig6fPqejI1iGujBQNq OFhCdy8aLJe/HGzUTxD2HQV0nZcpLpRH64kdNBmgML8Zphob/Xf6HbNgTUZ9kGUerWpb 2SZZFRJuzVDmvASSSVdqdSbg//3smMc1lo3PZ7NQaF3noICRnSBSfeo4lk742ndCMj0o +e/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=y5rB5hdeendPXtZ8kWukMNJqwT+C7isho8ILaV2Ei6o=; b=bnuIAeYOlCdrqOt6ggYwwOKxpsUsJdjxbB22VfGWwC2kxk5Mda3/AXn6ekDew7hrWZ Dzb1Camjr33riv5Fx+qsPL2ZcoHYV2AeK8V8E7KiO2O8LQScTAnW1I+ZL1IRqON6HPM5 bAwxegwm3kzOS4ifdtT19euL/nFOelM1YA4eAL6n7NepYUCHcqWlwYpxL0l2ClpYmOwk KOAmEz2ms3j9kp4lSlpGO1I6Gcy8QjuAcFg+TQHyTwr/mEnx3rG6rNhc4tCUP2zGxMsG vMl+XOBdIKocd0h4Dg+p9rh4711uo4QH8Osa0W7t1ss9ghEPwT/QOanxR03ugJQy7z6l u1eQ== X-Gm-Message-State: AOAM530DZx2pWfMXR3oPGLr4C99qPKtHSeXqpvdv8+b1+3glRfFhzR33 L1VlMlkxyYz+5Hpxenm/ptdycQ== X-Received: by 2002:a5d:528a:: with SMTP id c10mr6127292wrv.333.1619026037338; Wed, 21 Apr 2021 10:27:17 -0700 (PDT) Received: from snaipe-arista.infra.corp.arista.io (188-141-36-148.dynamic.upc.ie. [188.141.36.148]) by smtp.gmail.com with ESMTPSA id m15sm110805wrx.32.2021.04.21.10.27.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Apr 2021 10:27:17 -0700 (PDT) From: Snaipe To: gscrivan@redhat.com Cc: alexander@mihalicyn.com, christian.brauner@ubuntu.com, containers@lists.linux-foundation.org, cyphar@cyphar.com, ebiederm@xmission.com, geofft@ldpreload.com, jcsible@cert.org, josh@joshtriplett.org, keescook@chromium.org, linux-kernel@vger.kernel.org, luto@amacapital.net, mic@digikod.net, mpatel@redhat.com, ptikhomirov@virtuozzo.com, sargun@sargun.me, serge@hallyn.com, stgraber@ubuntu.com, vgoyal@redhat.com, watl@google.com, Snaipe Subject: Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces Date: Wed, 21 Apr 2021 19:27:14 +0200 Message-Id: <20210421172714.912119-1-snaipe@arista.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <87ft6act3c.fsf@redhat.com> References: <87ft6act3c.fsf@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org "Giuseppe Scrivano" writes: >>> >> instead of a prctl, I've added a new mode to /proc/PID/setgroups that >>> >> allows setgroups in a userns locking the current gids. >>> >> >>> >> What do you think about using /proc/PID/setgroups instead of a new >>> >> prctl()? >>> > >>> > It's better than not having it, but two concerns - >>> > >>> > 1. some userspace, especially testsuites, could become confused by the fact >>> > that they can't drop groups no matter how hard they try, since these will all >>> > still show up as regular groups. >>> >>> I forgot to send a link to a second patch :-) that completes the feature: >>> https://github.com/giuseppe/linux/commit/1c5fe726346b216293a527719e64f34e6297f0c2 >>> >>> When the new mode is used, the gids that are not known in the userns do >>> not show up in userspace. >> >> Ah, right - and of course those gids better not be mapped into the namespace :) >> >> But so, this is the patch you said you agreed was not worth the extra >> complexity? > > yes, these two patches are what looked too complex at that time. The > problem still exists though, we could perhaps reconsider if the > extra-complexity is acceptable to address it. Hey Folks, sorry for necro-bumping, but I've found this discussion while searching for this specific issue, and it seems like the most recent relevant discussion on the matter. I'd like to chime in with our personal experience. We have a tool[1] that allows unprivileged use of namespaces (when using a userns, which is the default). The primary use-case of said tool is lightweight containerization, but we're also using it for other mundane usages, like a better substitute for fakeroot to build and package privileged software (e.g. sudo or ping, which needs to be installed with special capabilities) unprivileged, or to copy file trees that are owned by the user or sub-ids. For the first use-case, it's always safe to drop unmapped groups, because the target rootfs is always owned by the user or its sub-ids. For the other use-cases, this is more problematic, as you're all well-aware of. Our position right now is that the tool will always allow setgroups in user namespace, and that it's not safe to use on systems that rely on negative access groups. I think that something that's not mentioned is that if a user setgroups to a fixed list of subgids, dropping all unmapped gids, they don't just gain the ability to access these negative-access files, they also lose legitimate access to files that their unmapped groups allow them to access. This is fine for our first use-case, but a bit surprising for the second one -- and since setgroups never lets us keep unmapped gids, we have no way to keep these desired groups. From a first glance, a sysctl that explicitly controls that would not address the above problem, but keeping around the original group list of the owner of the user ns would have the desired semantics. Giuseppe's patch seems to address this use case, which would personally make me very happy. [1]: https://github.com/aristanetworks/bst -- Snaipe