Date: Wed, 31 May 2023 09:50:55 +0200
From: Christian Brauner
To: Paul Moore
Cc: ~akihirosuda, linux-kernel@vger.kernel.org, containers@lists.linux.dev, serge@hallyn.com, ebiederm@xmission.com, akihiro.suda.cz@hco.ntt.co.jp
Subject: Re: [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range"
Message-ID: <20230531-urgestein-utensil-4420b51542c4@brauner>
References: <168547265011.24337.4306067683997517082-0@git.sr.ht>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 30, 2023 at 05:58:48PM -0400, Paul Moore wrote:
> On Tue, May 30, 2023 at 2:50 PM ~akihirosuda wrote:
> >
> > This sysctl limits groups who can create a new userns without
> > CAP_SYS_ADMIN in the current userns, so as to mitigate potential kernel
> > vulnerabilities around userns.
> >
> > The sysctl value format is the same as "net.ipv4.ping_group_range".
> >
> > To disable creating new unprivileged userns, set the sysctl value to "1
> > 0" in the initial userns.
> >
> > To allow everyone to create new userns, set the sysctl value to "0
> > 4294967294". This is the default value.
> >
> > This sysctl replaces "kernel.unprivileged_userns_clone" that is found in
> > Ubuntu [1] and Debian GNU/Linux.
> >
> > Link: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy/commit?id=3422764 [1]
>
> Given the challenges around adding access controls to userns
> operations, have you considered using the LSM support that was added
> upstream last year? The relevant LSM hook can be found in commit
> 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),
> and although only SELinux currently provides an access control
> implementation, there is no reason you couldn't add support for your
> favorite LSM, or even just a simple BPF LSM to enforce the group
> controls as you've described them here.

Yes. Please, no more sysctls...
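Whether the group policy lives in a sysctl or in a userns_create LSM hook, the decision is the same: parse the "lo hi" range and test the creating task's groups against it. The block below is an added user-space model of that decision, not code from the patch series or from anyone in this thread; it assumes ping_group_range-style inclusive matching against the effective gid and the supplementary groups (the cover letter only states the range format and the CAP_SYS_ADMIN bypass).

```c
/* Added example, not the patch's code: a user-space model of the decision the
 * proposed kernel.userns_group_range sysctl makes. Range semantics follow
 * net.ipv4.ping_group_range; matching supplementary groups is an assumption. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

struct group_range { unsigned int lo, hi; };

/* Parse "<lo> <hi>" as written to the sysctl; "1 0" yields an empty range. */
int parse_group_range(const char *s, struct group_range *r)
{
    char *end;
    unsigned long lo, hi;
    if (!isdigit((unsigned char)*s))   /* strtoul alone would accept "-1" */
        return -EINVAL;
    errno = 0;
    lo = strtoul(s, &end, 10);
    if (errno == ERANGE || lo > UINT_MAX)
        return -ERANGE;
    if (*end != ' ' || !isdigit((unsigned char)end[1]))
        return -EINVAL;
    hi = strtoul(end + 1, &end, 10);
    if (errno == ERANGE || hi > UINT_MAX)
        return -ERANGE;
    if (*end != '\0' && *end != '\n')  /* sysctl writes end with a newline */
        return -EINVAL;
    r->lo = (unsigned int)lo;
    r->hi = (unsigned int)hi;
    return 0;
}

static bool gid_in_range(unsigned int gid, const struct group_range *r)
{ return r->lo <= gid && gid <= r->hi; }   /* lo > hi matches nobody */

/* Decision for a task creating a userns: CAP_SYS_ADMIN in the current userns
 * bypasses the range; otherwise the egid or a supplementary group must be in it. */
bool userns_create_allowed(bool cap_sys_admin, unsigned int egid,
                           const unsigned int *groups, size_t ngroups,
                           const struct group_range *r)
{
    if (cap_sys_admin || gid_in_range(egid, r))
        return true;
    for (size_t i = 0; i < ngroups; i++)
        if (gid_in_range(groups[i], r))
            return true;
    return false;
}
```

With the default "0 4294967294" every task passes; with "1 0" only tasks holding CAP_SYS_ADMIN may create a userns, which is the behaviour the cover letter describes for the two example values.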