From: Mahesh Bandewar (महेश बंडेवार)
Date: Tue, 28 Nov 2017 15:50:48 -0800
Subject: Re: [PATCHv2 2/2] userns: control capabilities of some user namespaces
To: "Serge E. Hallyn"
Cc: Mahesh Bandewar, LKML, Netdev, Kernel-hardening, Linux API, Kees Cook, "Eric W. Biederman", Eric Dumazet, David Miller
In-Reply-To: <20171128230440.GB28297@mail.hallyn.com>
References: <20171110053757.21170-1-mahesh@bandewar.net> <20171126064037.GB30279@mail.hallyn.com> <20171128230440.GB28297@mail.hallyn.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 28, 2017 at 3:04 PM, Serge E. Hallyn wrote:
> Quoting Mahesh Bandewar (महेश बंडेवार) (maheshb@google.com):
> ...
>> >> diff --git a/security/commoncap.c b/security/commoncap.c
>> >> index fc46f5b85251..89103f16ac37 100644
>> >> --- a/security/commoncap.c
>> >> +++ b/security/commoncap.c
>> >> @@ -73,6 +73,14 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>> >>  {
>> >>  	struct user_namespace *ns = targ_ns;
>> >>
>> >> +	/* If the capability is controlled and user-ns that process
>> >> +	 * belongs-to is 'controlled' then return EPERM and no need
>> >> +	 * to check the user-ns hierarchy.
>> >> +	 */
>> >> +	if (is_user_ns_controlled(cred->user_ns) &&
>> >> +	    is_capability_controlled(cap))
>> >> +		return -EPERM;
>> >
>> > I'd be curious to see the performance impact on this on a regular
>> > workload (kernel build?) in a controlled ns.
>> >
>> Should it affect? If at all, it should be +ve, since the recursive
>> user-ns hierarchy lookup is avoided with the above check if the
>> capability is controlled.
>
> Yes but I expect that to be the rare case for normal lxc installs
> (which are of course what I am interested in)
>
>> The additional cost otherwise is this check
>> per cap_capable() call.
>
> And pipeline refetching?
>
> Capability calls also shouldn't be all that frequent, but still I'm
> left wondering...

Correct, and capability checks are part of the control-path and not the
data-path, so it shouldn't matter, but I guess it doesn't hurt to find out
the number. Do you have any workload in mind that we can use for this
test/benchmark?
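Review bot: the early-return test added to cap_capable() evaluates is_user_ns_controlled(cred->user_ns) first on every call, while the cost being debated in this thread is the per-call overhead in the common case where the capability is not controlled; if is_capability_controlled(cap) is a cheap mask lookup, testing it first, as in `if (is_capability_controlled(cap) && is_user_ns_controlled(cred->user_ns))`, short-circuits before dereferencing cred->user_ns for every uncontrolled capability, which is the case Serge expects to dominate normal lxc installs. Two smaller points on the same hunk: the comment block should use the kernel's multi-line comment style for security/ (a bare `/*` opener line rather than text on the first line), and the comment's "no need to check the user-ns hierarchy" deserves an explicit semantic statement in the changelog or the function's kerneldoc, since the -EPERM is returned before targ_ns is consulted at all, so a controlled capability is denied to a controlled user namespace for every target namespace, including ones below it in the hierarchy.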