Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <7856c4c7-2055-1288-049c-043055c6d2c2@oracle.com>
Date:   Thu, 6 Oct 2022 11:16:11 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.2.2
Subject: Re: [PATCH v2] capabilities: new kernel.ns_modules_allowed sysctl
Content-Language: en-US
To:     "Serge E. Hallyn" <serge@hallyn.com>
Cc:     linux-kernel@vger.kernel.org,
        Thadeu Lima de Souza Cascardo <cascardo@canonical.com>,
        Eric Biederman <ebiederm@xmission.com>,
        Kees Cook <keescook@chromium.org>,
        linux-hardening@vger.kernel.org, John Haxby <john.haxby@oracle.com>
References: <20220815082753.6088-1-vegard.nossum@oracle.com>
 <20220815155034.GB20944@mail.hallyn.com>
From:   Vegard Nossum <vegard.nossum@oracle.com>
In-Reply-To: <20220815155034.GB20944@mail.hallyn.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?Z0VISHJ6dTNNUStpeHFtZ2huOW44aGd6Y0dXTmZNUzUxbDJkVHVVSnVtNy9l?=
 =?utf-8?B?ZXFzWVJPNVJXZVBBVkhjb29BdlpSZS82TTBqK1JCaExKNGJrS2ZETWdnSGlw?=
 =?utf-8?B?bXduR1l1ZFEzeW5CeEFmeGpYNW01QXBta2gxVllrRWkxQ1lva1BUT2wrM2lE?=
 =?utf-8?B?WlNaV29nWitmVC9vYVY0WHBBU01OYzdWd1pwTytxREd5cTY3dkN6bUNCc1hC?=
 =?utf-8?B?RXZENVY4SHFPZWl0b0d4VkhTdWlDVHlyWmJOMkN4K3BmeFhnS2xobGZqRVJU?=
 =?utf-8?B?U0hQalVpWVpVS0dWd2ZpUGNubXc4dlc5TkxwV0d6VlZEVmFIN3h2WlAvbHZH?=
 =?utf-8?B?NFpYOXBBZVB1bU56OFJLenRhUTlOYUIwU1hyQjhZcVdHb1pRRGZnQUVadjQ1?=
 =?utf-8?B?eEdyUWp0QmJuT0tPZDcwdXduOW1ZSnJWRkJXdVdGRnRlUkRtS2R0ZWYxVkYw?=
 =?utf-8?B?bkxHUnF2eWRzdFZobit5eE5STDBnQzF3MS9ncnBNTWlNY2J6ZjZndjEyNzBh?=
 =?utf-8?B?cjk0bVZmOXRGemNjL1h0MHYranFXQWRCMWU4dGx2TTl5Y2xkcmV4VS9qV0o0?=
 =?utf-8?B?ZDByM3NuT25raFN0L24xNkd0ZzEwZWl2MkI0b2RaTC9PdGFRY3ZCSFFvWThO?=
 =?utf-8?B?UEpMbDNkd0RSZ0ZLeUFDOWdxKzQxTkJJbWJpU1puTEY1NncvU3RiQll1T1Bz?=
 =?utf-8?B?SGtPR3JNRFRvUEJjT0w5WjQ4YzEyYk9uVWlhUFA4NFF2d21XTWJETjEvQ0N4?=
 =?utf-8?B?dHdTaklNWFMvZFhmSGozZGJEL2toY1NIN1RicjhWeVZucG1Ob05xR3pNa0pl?=
 =?utf-8?B?cFltUnRBZ1ljaXVMQmVOKzBpbk95UldjVEgzK0hmcEpsOUl4LzVpWWlCVTlD?=
 =?utf-8?B?b1Zlc29la2JUUUJIYW9hbWxJNnNXd0QyQVJpY0FkelFRU1hKY0cwbnBzeTlu?=
 =?utf-8?B?RHRkbFMxKzBuRnBFaXpKcEpzL3FVUnpab3lVRkM2T2MzdjhXUHNSVlExalRU?=
 =?utf-8?B?aWUwVFNJTTV1K1pBWmNac0FQYXBQS2o1YTVvUkEwOEJkcnZsU3pCYjJPNm1U?=
 =?utf-8?B?ZXdkaVpwTldLV2I0ME9Ib09FWVZTdFhPZ0R2RlZZMGY2MGNyenkrMFkvNkZl?=
 =?utf-8?B?eE9mOUt5VURmUU9BVTI5Ym16VWFqenNjNVUrYkN2RkFyeHVNTm5ndHBLVkkr?=
 =?utf-8?B?amgybmlhVWt6VCtEMURFV3U5S1BPcDRNalE4enRaR2VkYjVJcEl4ckVTRnh3?=
 =?utf-8?B?OWJzbjNLQ1A3UEt5UWpTajV4QTFzV1ZrTGFMbjJCRUc2elkrbi9SL00zSHVO?=
 =?utf-8?B?cVVic043MEpFMlZVZVhyUmxtTnpJQkdrTW5mV2g4SU5EV2N6aTNpdGx0aGx0?=
 =?utf-8?B?KzJRVG53RVBqYi9aN3B2RW1ublhjVXZqZGQzVTlCSFB3QWU0YjEwV3VnOXhQ?=
 =?utf-8?B?Qk9VWW11ZWxPTFVDeDhqVXBma0hXU0NBTUp5STJkT3FjbzRLd2d4Mm9acEpa?=
 =?utf-8?B?MGtRV0s2QTVkd09wNFdzOWZicU4rQjVxKzAwR212S2F4V0ZnQ0VZeFk0cE80?=
 =?utf-8?B?WmZuWE9ocUViY2xQSWg3bDE2UU5vcDlpaC94VXZ4c3Qxbys2OFhFQ2x2SUkw?=
 =?utf-8?B?QVdacFJ1L1FET0p4UXU0MDFQM01mUDc3bjNQSTljVFhvVVl2T0g1MU5NV3ht?=
 =?utf-8?B?NVhjSUZKRGNDSzdyOEUxNlI0VXJqKzRGR0NwcitGU0ZTclBGcWUvWFVUVnUw?=
 =?utf-8?B?Z2w0a3E4eWh5VGJTWllyL3ZwQ0E4WERCZzhKOHZweWZVeTBtV1VCamVxK3Aw?=
 =?utf-8?B?WnJBbFVwMzFJV2RoQStsQXhCZmx1cFJlcUpldUcwOEx2VnpyaGVLbWVTQksr?=
 =?utf-8?B?Y1dJL2hoaS90TnMzamVNS2lNbHhMUk12ZFM1Z2wrejBLS051ejYrSG5aWk9v?=
 =?utf-8?B?N04wUVFLdCs0OWdQRnZjZVpVbmZEaXBDZUx2bDN1L1F2SExOWWtBOGFkQjIy?=
 =?utf-8?B?WkZFcnpueUMxbFVJRGVCc3pRVHJWblRPd25sVHljVlhZM2F1SXFXZ2I0V1k5?=
 =?utf-8?B?OEwyWlRraDVwcm44dHpwRnR2ck5uUWZ0VzBwa2FLVmF2MXdaSEt6emJtV3lh?=
 =?utf-8?B?V2JUTkhSTmx1NlNoS2M3eHpZbkxwbUdZQndiS0VGSmJ3ZkRETkU1YmdPM3FK?=
 =?utf-8?B?Wmc9PQ==?=
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: =?utf-8?B?OHkwK0RZU0hQdDFkd2VEaGV3dVhoT3JobjAybVBNWTFSOWZIa0t4dmZGK2lR?=
 =?utf-8?B?NS9MMW9qWUwzVEdLaENBWk5uZDl6dEZoNEZvNU0yOFNzaFFWZHRWNENyS1Fh?=
 =?utf-8?B?ZDN6RHNKbWJzQVNyWC91bnQ3bE1YV09QaVh6UFJzbUtYTHNFVHZrMjdyd2ZT?=
 =?utf-8?B?aTExeiswRENjQkc1RVp4Z2Fqd3AwRHZxVGV3NERSVXlsQXdPUTFNRUw3NE5k?=
 =?utf-8?B?ZnZZT1dwQ043SFg1aFVUSWxzMzh5QmhwbG5BWFZpU0VQNC9wcUFqai9BNjVG?=
 =?utf-8?B?TUc5VUlPNmoxTWU3M0h5cUxPakpXZ29ReTEray9mQ0Y1NVdMdXJ6RGdha01O?=
 =?utf-8?B?emNvL3VWbjU0QzBENDkvb1k1YkRqNFNjOGlMSDdCdEI0MVEzZFJySHRsVTh1?=
 =?utf-8?B?SGtUemZ4dGU5Yy9SckZ5ejRHeG9tRWxVOXg1WVNwUUZrdVNscndTdmZIWVNp?=
 =?utf-8?B?V1d0NHk3d0tYRU53Q25SYVg0QmhXZUk0eVBMR1Y4enV6YkoyODJMejBDY2pZ?=
 =?utf-8?B?UlBYWkt2LzgzWFMrcWpYL3krWnVBQmRvTGE3WE5WeUIzREVKZjRaa0dObDRW?=
 =?utf-8?B?aFRxcjhnSTJmYnVRYkdyVFZhRjZyTll3cUgwNWlrTCtBa0tTKzdJZXArYzc1?=
 =?utf-8?B?U3NWT2FDZnIxTEVMNnRBN1hlY0ZsalV3R21HRmFnSmw3bzhBZkJPNkhrTDF2?=
 =?utf-8?B?RnVmQ3ZoMkRXN0lqdXFjeTZMakhLSFgyYktqTGtzRThkTzBFcnVpb0YrNit1?=
 =?utf-8?B?cE9qanZLTVZmaVdsNlFZcDF4MjQ2amhzRVJNTGpvckg4U2lmWklwYzFoTjN1?=
 =?utf-8?B?cURGd1lZTk5vWVFmc3JRUWpWT3FCeGpSTE9vUmVBdmwrdm53OXhhRnpIc012?=
 =?utf-8?B?RGlNS3BHbm9GOEtxbnVpT2R0eCtvS2U3S3EyeklQY3l0UCtRcnQ0S2xyN2xU?=
 =?utf-8?B?cm5xbEkrZmdNN0tRTWgwb0JJZnlMbW4wNUU2SEwwQ0dza28wR3ZoSkZkNEpq?=
 =?utf-8?B?c1RWVlhiVE5iU0JPcmc2N0g4QWNrV0tWMFQxUVdxcjY0YnFKcGZ2U2hJSlFF?=
 =?utf-8?B?dnFhRVlLaExaL3gzZjhuTThpT2Evbmh1MHUrZnJzU3NvS3czaXoxSkMvMk55?=
 =?utf-8?B?VXlPOFc3WVlReHZPUFhTcGh6Ni9FSTRtazRzYlVMRFdRdWo1dkppV2Uyb29w?=
 =?utf-8?B?VXZhcktrV2xLaXRWbGx2M0NKVUZQbG94YmpsQ01MallMZ3MzMkx4RnkzbUo0?=
 =?utf-8?Q?8LgcwMF19zcbt48?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 822d80b9-ed42-4402-bd67-08daa77b6de2
X-MS-Exchange-CrossTenant-AuthSource: PH0PR10MB5433.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Oct 2022 09:16:19.5550
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: kQ6uigBPsuhsPKFIw1h9hGqOFEARm8FHW5PUaoupGdDUjFmvcXL/dSXvQKegCXacsp6vZL0oPn0F2r7/jUNdtLMxZErGbk578DGjQdQv0l4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR10MB6614
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1
 definitions=2022-10-05_05,2022-10-06_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 phishscore=0 adultscore=0
 mlxlogscore=999 malwarescore=0 bulkscore=0 mlxscore=0 suspectscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000
 definitions=main-2210060055
X-Proofpoint-GUID: FX1COqXVaycgEc1k8sqKbdEaC0Qn3i2e
X-Proofpoint-ORIG-GUID: FX1COqXVaycgEc1k8sqKbdEaC0Qn3i2e
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 8/15/22 17:50, Serge E. Hallyn wrote:
> On Mon, Aug 15, 2022 at 10:27:53AM +0200, Vegard Nossum wrote:
>> Creating a new user namespace grants you the ability to reach a lot of code
>> (including loading certain kernel modules) that would otherwise be out of
>> reach of an attacker. We can reduce the attack surface and block exploits
>> by ensuring that user namespaces cannot trigger module (auto-)loading.

[...]

>> +	/*
>> +	 * Disallow if we're in a user namespace and we don't have
>> +	 * CAP_SYS_MODULE in the init namespace.
>> +	 */
>> +	if (current_user_ns() != &init_user_ns &&
>> +	    !capable(CAP_SYS_MODULE) &&
> 
> It's monday, so maybe I'm thinking wrongly - but I don't believe that you can
> possible pass capable(CAP_SYS_MODULE) if current_user_ns() != &init_user_ns.
> So I think you can drop the second check.

Hm, I think I see what you're saying -- cap_capable() will not even
search for caps outside the current_cred() namespace and return -EPERM?

     /*
      * If we're already at a lower level than we're looking for,
      * we're done searching.
      */
     if (ns->level <= cred->user_ns->level)
         return -EPERM;

I'll submit a v3 -- this sysctl is still useful even with the security
hook for userns creation that just got merged.

Thanks,


Vegard