Received: by 10.223.164.202 with SMTP id h10csp225873wrb; Thu, 30 Nov 2017 09:18:38 -0800 (PST) X-Google-Smtp-Source: AGs4zMbSlaCfZmblgwEoDJQP8omcYrD48MJXWkYdAjCdRGlO4S/6o9ReZTKxMqPVYSsH5A8FjF5S X-Received: by 10.99.155.9 with SMTP id r9mr3051465pgd.202.1512062318683; Thu, 30 Nov 2017 09:18:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1512062318; cv=none; d=google.com; s=arc-20160816; b=hoU2OejJ1NQbnaMhdzNlbv7QZUAwQm25oB+IIEoXDoElTFs6sGNP1WmPy2TGFdTxUl /OTyyyoVB+iUNlyXZywKhb/KxkJ0D3jsZFrOMpzDR65JsSOmfKkekJKYYpb/44P51mxc METh8mQe3/IZ9+22iir4+WDa/EgAidwZDL8kAhAMwqqWMjdaXfnyzVnK5GMKOfoYPI/y UytPxKcsdN3R4uPj/d7GrOfP0ZyUh+MMJclsEh8K2LQIVpXI/TeMhwTQ4832lUwhN1fo WAmeFQ5luewHICfDI22TtAEL7zNlTQaiec3cDYmCR00A0IZ/XJKrmpXe2QjwaYeNAxkq hNYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:to :from:date:arc-authentication-results; bh=Qv6HutPnJUQ53V+L/YtTDha4HLs9DT7ghrISBTs0kXk=; b=n8ShGzx5/c2AK5ox9mfdvc66sP0X8m+t6ZGYPKtS6E9olfb4XAhH2XgcmQGPwiXpN7 0oBLPT87JHuMKwwEkp+fllpNpG3YPzmgiXb5Zu5GrcAa0AQHDZebRr4llDZCdoeag7ay IQpVBT9ptFspp1lPkFuF89QfUu+SnsNMBx+OKQ2fA6G/Lls7MbK3iHPiNbdOfUsY7sNE ZnRPjVIVt6ozYUBCL3STQ4f/K+mrqw9XJliU2DQoBZcs+Aod6IYNrbB67wAQDC2tMI3n xbXMgE10Md2fL14TofkAVayjC7FMSrabx0P8TXnFNapeoVO4A8h0ZgAK/HGmpn69O+ZM c6EA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p63si3271322pga.746.2017.11.30.09.18.25; Thu, 30 Nov 2017 09:18:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753736AbdK3RRy (ORCPT + 99 others); Thu, 30 Nov 2017 12:17:54 -0500 Received: from h2.hallyn.com ([78.46.35.8]:57694 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753701AbdK3RRx (ORCPT ); Thu, 30 Nov 2017 12:17:53 -0500 Received: by h2.hallyn.com (Postfix, from userid 1001) id BB3231204E8; Thu, 30 Nov 2017 11:17:51 -0600 (CST) Date: Thu, 30 Nov 2017 11:17:51 -0600 From: "Serge E. Hallyn" To: Theodore Ts'o , "Serge E. Hallyn" , David Miller , gnomes@lxorguk.ukuu.org.uk, keescook@chromium.org, mcgrof@kernel.org, tixxdz@gmail.com, luto@kernel.org, akpm@linux-foundation.org, james.l.morris@oracle.com, ben.hutchings@codethink.co.uk, solar@openwall.com, jeyu@kernel.org, rusty@rustcorp.com.au, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com, corbet@lwn.net, mingo@kernel.org, netdev@vger.kernel.org, peterz@infradead.org, torvalds@linux-foundation.org Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() Message-ID: <20171130171751.GA5521@mail.hallyn.com> References: <20171128211659.GP729@wotan.suse.de> <20171129134612.72ccb53d@alans-desktop> <20171129.095014.1909386937628805919.davem@davemloft.net> <20171129155406.i2lyclquj75lvtn4@thunk.org> <20171129172852.GA14545@mail.hallyn.com> <20171130003531.gwpl22bxmweifjz2@thunk.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171130003531.gwpl22bxmweifjz2@thunk.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 29, 2017 at 07:35:31PM -0500, Theodore Ts'o wrote: > On Wed, Nov 29, 2017 at 11:28:52AM -0600, Serge E. Hallyn wrote: > > > > Just to be clear, module loading requires - and must always continue to > > require - CAP_SYS_MODULE against the initial user namespace. Containers > > in user namespaces do not have that. > > > > I don't believe anyone has ever claimed that containers which are not in > > a user namespace are in any way secure. > > Unless the container performs some action which causes the kernel to > call request_module(), which then loads some kernel module, A local unprivileged user can do the same thing. I reject the popular notion that linux is a single user operating system. More interesting are the (very real) cases where root in a container can do something which a local unprivileged user could not do. Since a local unprivileged user can always create a new namespace, *those* constitute a real and interesting problem. > potentially containing cr*p unmaintained code which was included when > the distro compiled the world, into the host kernel. > This is an attack vector that doesn't exist if you are using VM's. Until the vm tenant uses a trivial vm escape. > And in general, the attack surface of the entire Linux > kernel<->userspace API is far larger than that which is exposed by the > guest<->host interface. > > For that reason, containers are *far* more insecure than VM's, since > once the attacker gets root on the guest VM, they then have to attack > the hypervisor interface. And if you compare the attack surface of > the two, it's pretty clear which is larger, and it's not the > hypervisor interface. Any time anyone spends a day looking at either the black hole that is the hardware emulators or the xen and kvm code itself they walk away with a set of cve's. It *should* be more secure, it's not. You're telling me your house is safe because you put up a no tresspassing sign. -serge From 1585449252540809258@xxx Thu Nov 30 00:37:12 +0000 2017 X-GM-THRID: 1585240691370988488 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread