Date: Fri, 4 Feb 2022 10:45:15 +0100
From: Christian Brauner
To: "Anton V. Boyarshinov"
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, ebiederm@xmission.com, legion@kernel.org, ldv@altlinux.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Christoph Hellwig, Linus Torvalds
Subject: Re: [PATCH] Add ability to disallow idmapped mounts
Message-ID: <20220204094515.6vvxhzcyemvrb2yy@wittgenstein>
References: <20220204065338.251469-1-boyarsh@altlinux.org>
In-Reply-To: <20220204065338.251469-1-boyarsh@altlinux.org>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 04, 2022 at 09:53:38AM +0300, Anton V. Boyarshinov wrote:
> Idmapped mounts may have security implications [1] and have
> no knobs to be disallowed at runtime or compile time.
>
> This patch adds a sysctl and a config option to set its default value.
>
> [1] https://lore.kernel.org/all/m18s7481xc.fsf@fess.ebiederm.org/
>
> Based on work from Alexey Gladkov.
>
> Signed-off-by: Anton V. Boyarshinov
> ---

Thank you for the general idea, Anton.

If you want to turn off idmapped mounts you can already do so today via:

    echo 0 > /proc/sys/user/max_user_namespaces

Aside from that, idmapped mounts can only be created by fully privileged users on the host for a selected number of filesystems. They can neither be created as an unprivileged user nor can they be created inside user namespaces.

I appreciate the worry. Any new feature may have security implications and bugs. In addition, we did address these allegations multiple times already (see [1], [2], [3], [4], [5]).

As the author/maintainer of this feature,

Nacked-by: Christian Brauner

[1]: https://lore.kernel.org/lkml/20210213130042.828076-1-christian.brauner@ubuntu.com/T/#m3a9df31aa183e8797c70bc193040adfd601399ad
[2]: https://lore.kernel.org/lkml/m1r1ifzf8x.fsf@fess.ebiederm.org
[3]: https://lore.kernel.org/lkml/20210213130042.828076-1-christian.brauner@ubuntu.com/T/#m59cdad9630d5a279aeecd0c1f117115144bc15eb
[4]: https://lore.kernel.org/lkml/20210510125147.tkgeurcindldiwxg@wittgenstein
[5]: https://lore.kernel.org/linux-fsdevel/CAHrFyr4AYi_gad7LQ-cJ9Peg=Gt73Sded8k_ZHeRZz=faGzpQA@mail.gmail.com
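The mitigation Christian points to above is a sysctl, so the natural defender's check is an audit that reads it back and classifies the host. The following is an added example, not code from the thread or from the kernel tree; the only path it relies on is `/proc/sys/user/max_user_namespaces`, which the message itself names. The file path is a parameter so the check can be exercised against a constructed file offline (the sample values are made up for the demonstration).

```shell
#!/bin/sh
# Added example (not part of the original thread): report whether creation
# of new user namespaces is disabled via the sysctl named in the reply.
# The value is an integer limit, not a boolean, so it is parsed as a number:
# 0 means no new user namespaces (and hence no new idmapped mounts, which
# need a user namespace to supply the mapping); anything else is a limit.

# Print "disabled", "enabled" or "unreadable" for the given sysctl file.
# Exit status: 0 = disabled, 1 = enabled, 2 = file missing or malformed.
userns_state() {
    file="${1:-/proc/sys/user/max_user_namespaces}"
    if [ ! -r "$file" ]; then
        echo unreadable
        return 2
    fi
    # Take the first line and strip whitespace, so a trailing newline or
    # a missing one does not change the result.
    value="$(head -n 1 "$file" | tr -d '[:space:]')"
    case "$value" in
        ''|*[!0-9]*) echo unreadable; return 2 ;;   # empty or non-numeric
        0)           echo disabled;   return 0 ;;
        *)           echo enabled;    return 1 ;;
    esac
}

# Demonstration against a constructed file (sample value, not a real host).
tmp="$(mktemp)"
printf '0\n' > "$tmp"
userns_state "$tmp"
rm -f "$tmp"
```

On a live host run `userns_state` with no argument. Note the trade-off the reply leaves implicit: a value of 0 blocks every new user namespace, not only idmapped mounts, so unprivileged containers and other sandboxes that rely on user namespaces stop working as well. That is why the check reports the state rather than changing it.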