Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp516685rwe; Fri, 26 Aug 2022 09:05:42 -0700 (PDT) X-Google-Smtp-Source: AA6agR6uc/hhknfg54Y3MRo9/8ayk5Idm6uvqAW4JtZwg2+6q9kcwTw1cnCnbaoaz9TZQjhgwshJ X-Received: by 2002:a17:902:d484:b0:171:3cbc:7c6 with SMTP id c4-20020a170902d48400b001713cbc07c6mr4218825plg.85.1661529942640; Fri, 26 Aug 2022 09:05:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661529942; cv=none; d=google.com; s=arc-20160816; b=CS9Zzxv5i36Lc2drVyKNtamiI4TP8WAjLNl9vRrf/Qt9mUEUB/955QPXHWfaWoYbjv pBk9aFto5tNhC2wAE0vcvzSPiFWGcuHTcrjLmCbKoOtbyzVZT48uFDXRsnW8mwJgUDO9 eYgIvmPoTRq2OF4vRZCgNtIet70WipKA2JA38HiFwI4yOSYfkiacqhRIGLQY23MgwDi8 p7IictVM8Hpu4zbSxokKzhO/P/8mCKsmaxXzw7JZj+oWx/FnRO5ZkhYE9/V2Od48bkGm 3Ccjk8HKn8LDT3OD/VV0EHg3hBdP7JHzSudpbJUpoQSpFVWYPWWKShoAAD8bbx/2NnuQ 2CYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=5x4IUTuaw/SGtFkyROuITJksTS3chpRQ3gwVJfsTZNU=; b=cLCCn0bYWWSKx+cIv2oceRIDy3fPMHYWjK6h2AC2lU0URQIn1ZKtsaYvKgNaZ1ma2y YZOCBk6954iJVWOqmzB8XTVMFuhYV3lVDXOxyHwmEEO0Y5R1wKObHwfgp3BNpxJRpEXb jmFsmY7VPyurle1vRyfB5KSGAsYqi82GFP7pvBiMY+dCqV2sXgufFuPpuOxe3dnUVyCp Z/q9UThyTmXcXGVPUe2qr8NiWqziNKcR898rGORzfm9bH629ybc6vApwW0iJC400y4KB lwNJfXohfJnw4exu32xFv1y8gJJ9afGx4pWvQW1lmEEEW8fGmFyQOIB+ziLoUn0AWs8g 67Aw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y7-20020a63de47000000b0042a59edc558si1968312pgi.244.2022.08.26.09.05.31; Fri, 26 Aug 2022 09:05:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344469AbiHZP1K (ORCPT + 99 others); Fri, 26 Aug 2022 11:27:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38864 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344434AbiHZP0r (ORCPT ); Fri, 26 Aug 2022 11:26:47 -0400 Received: from mail.hallyn.com (mail.hallyn.com [178.63.66.53]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A7369C121E; Fri, 26 Aug 2022 08:23:21 -0700 (PDT) Received: by mail.hallyn.com (Postfix, from userid 1001) id C68EB77A; Fri, 26 Aug 2022 10:23:19 -0500 (CDT) Date: Fri, 26 Aug 2022 10:23:19 -0500 From: "Serge E. Hallyn" To: "Eric W. Biederman" Cc: Paul Moore , "Serge E. Hallyn" , Linus Torvalds , Frederick Lawler , kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, kernel-team@cloudflare.com, cgzones@googlemail.com, karl@bigbadwolfsecurity.com, tixxdz@gmail.com Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns() Message-ID: <20220826152319.GA12466@mail.hallyn.com> References: <871qte8wy3.fsf@email.froward.int.ebiederm.org> <8735du7fnp.fsf@email.froward.int.ebiederm.org> <87tu6a4l83.fsf@email.froward.int.ebiederm.org> <20220818140521.GA1000@mail.hallyn.com> <20220819144537.GA16552@mail.hallyn.com> <875yigp4tp.fsf@email.froward.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <875yigp4tp.fsf@email.froward.int.ebiederm.org> User-Agent: Mutt/1.9.4 (2018-02-28) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 25, 2022 at 01:15:46PM -0500, Eric W. Biederman wrote: > Paul Moore writes: > > > On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn wrote: > >> I am hoping we can come up with > >> "something better" to address people's needs, make everyone happy, and > >> bring forth world peace. Which would stack just fine with what's here > >> for defense in depth. > >> > >> You may well not be interested in further work, and that's fine. I need > >> to set aside a few days to think on this. > > > > I'm happy to continue the discussion as long as it's constructive; I > > think we all are. My gut feeling is that Frederick's approach falls > > closest to the sweet spot of "workable without being overly offensive" > > (*cough*), but if you've got an additional approach in mind, or an > > alternative approach that solves the same use case problems, I think > > we'd all love to hear about it. > > I would love to actually hear the problems people are trying to solve so > that we can have a sensible conversation about the trade offs. > > As best I can tell without more information people want to use > the creation of a user namespace as a signal that the code is > attempting an exploit. I don't think that's it at all. I think the problem is that it seems you can pretty reliably get a root shell at some point in the future by creating a user namespace, leaving it open for a bit, and waiting for a new announcement of the latest netfilter or whatever exploit that requires root in a user namespace. Then go back to your userns shell and run the exploit. So i was hoping we could do something more targeted. Be it splitting off the ability to run code under capable_ns code from uid mapping (to an extent), or maybe some limited-livepatch type of thing where certain parts of code become inaccessible to code in a non-init userns after some sysctl has been toggled, or something cooloer that I've failed to think of. -serge