Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5516768pxb; Mon, 7 Feb 2022 03:59:49 -0800 (PST) X-Google-Smtp-Source: ABdhPJwirpbgxT1zVZ5Ny47JZ88Py/5wV4QCDSu4VvkiTH+QLXHGDbXqAXLssCOMBajrVUmEPXlf X-Received: by 2002:a17:906:f156:: with SMTP id gw22mr7204056ejb.321.1644235189366; Mon, 07 Feb 2022 03:59:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644235189; cv=none; d=google.com; s=arc-20160816; b=hFqeOUwaVzQMjICYN01OQHlQvAeCqkIlgmVSrvc6hOAnIJT171GhD35sWqvwx84fIJ 99lpXZqA8C+Q4C3BcsyORqnr1pp9dILIyYrz1ralm0hkLp3WbptN//jmHmjVt3vUN2kq WtoG7Jg7x3HqrWwQQzo99+vN20GNGSZykKIBzaj+TGxjjPgFpyL1rm9PsDJXP1B5YCEU QjtKLnw5/hHZIIv2uShyQJuMZ9oDXmCHW5xI+2NjOPhxrp8tD5aV9F2LPCIdEK0TvNu+ 1+hg/ocvBrngyTUvQV1rWuHVT7tfuPIUeGoaOogaoERbA/L0gKS3pWXaVIZVBSaMFxmJ xXcw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date; bh=lQHaIn/NteeUp/tposHWf8L4wL/25Ul0caw9WwRSxcY=; b=BZ/Mkqic/EZnIwfBAE5OXzUYl79AVf0vviiWABy4nVszbsB7ZLrJMu2oxK1b6wdFoB /gx/S2vx8H6bKRg8C950ln9tgXphfhezLaXJ/ERwwJvPSQCWkO7sSuqQuRZYNY+MsOlu l6xtSTnXHz43FDXvsmAJEPOzYJIaJEK4D/Vx2bpTG1dzczHF4eSYbkAW7hpSupe1y+Ku gMQ9e/Kr0Xl+qSPrHuBC1T8Ow5V2dE45CvVXK+WwM/Y8tY6Qp9Yi+ZYC4sLfIPE1sHxv 8//KdiIkYp1d+nSSe1Kcn/HWwe6+qI/GYYooCmeNCSnN9YxingzF/WCXWz1M6zNn8iPI d0DQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id du8si7357138ejc.413.2022.02.07.03.59.25; Mon, 07 Feb 2022 03:59:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1358276AbiBDK0T convert rfc822-to-8bit (ORCPT + 99 others); Fri, 4 Feb 2022 05:26:19 -0500 Received: from vmicros1.altlinux.org ([194.107.17.57]:36420 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229851AbiBDK0S (ORCPT ); Fri, 4 Feb 2022 05:26:18 -0500 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 3CAE272C905; Fri, 4 Feb 2022 13:26:17 +0300 (MSK) Received: from tower (46-138-221-29.dynamic.spd-mgts.ru [46.138.221.29]) by imap.altlinux.org (Postfix) with ESMTPSA id 0A8684A46F0; Fri, 4 Feb 2022 13:26:17 +0300 (MSK) Date: Fri, 4 Feb 2022 13:26:16 +0300 From: "Anton V. Boyarshinov" To: Christian Brauner Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, ebiederm@xmission.com, legion@kernel.org, ldv@altlinux.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Christoph Hellwig , Linus Torvalds Subject: Re: [PATCH] Add ability to disallow idmapped mounts Message-ID: <20220204132616.28de9c4a@tower> In-Reply-To: <20220204094515.6vvxhzcyemvrb2yy@wittgenstein> References: <20220204065338.251469-1-boyarsh@altlinux.org> <20220204094515.6vvxhzcyemvrb2yy@wittgenstein> Organization: ALT Linux X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; x86_64-alt-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org В Fri, 4 Feb 2022 10:45:15 +0100 Christian Brauner пишет: > If you want to turn off idmapped mounts you can already do so today via: > echo 0 > /proc/sys/user/max_user_namespaces It turns off much more than idmapped mounts only. More fine grained control seems better for me. > They can neither > be created as an unprivileged user nor can they be created inside user > namespaces. But actions of fully privileged user can open non-obvious ways to privilege escalation.