Received: by 10.223.164.202 with SMTP id h10csp529114wrb; Thu, 9 Nov 2017 10:03:11 -0800 (PST) X-Google-Smtp-Source: ABhQp+TkjxUJUUSjqzDRGxxJnpTTektWyUpySplTtW2F3aBNzET8vRrQWsYzYcGg3QceaGMRK/t7 X-Received: by 10.159.203.197 with SMTP id r5mr1172664plo.431.1510250590922; Thu, 09 Nov 2017 10:03:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510250590; cv=none; d=google.com; s=arc-20160816; b=wH2BlMMJg43BpN5RVvz17ZdUpY3RHxI5/OyuFwoo8T34gYyO/c3woJINbJmv3A6xgT cFR3bYSZwcSsh80w5V4gwB8axZwr/9ZDoqwa2M74DQPgOM4sOMXrg6sFUecGcUquQpTW toU7zVfBGbTjD3XleHxRMi7VWfo+T7LVfhiJ1gB85+yLsWhWICWIKtC6GrjgNdi6BfQb Gvxp6UfMCnbF5Ehkm1ePupeQfXlH9RnOYLSGLGmjlDvwm6clEi4QxkDi5uxxdmfzOP9n i4qceN2PFc9fABnaR1NI6dTXBJTxReVPc+4eQGRcgXCOA75jF6VEprVqc4Oxn+KaKnt2 dhdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=Z1MatlS/ED5QxRnH8D/d7rD/9jybc4nvRR6D/v10KY4=; b=gvVwPTYl0VWvtexRo0gtYt2ry6lrbIJyL3BBkKJyRZZTr3ULwlLDAxerEXN22Czed/ idtG6nDUQqLKtMAQRdVYgiC0bzJZj/VzhcjaJTrTW/Zy0EV0cMZxqcEtBP5T6NzjvUWy g/Cb+aN8PvZKmVgF/HS3wQiJBW550LKhwVnDYWInNagREW8b7RTN8455rezERKt7tU7N ylA3uDYgLZQSpgs0ZV4V4VAgGcNngpy5vUpG+QTMZeeNQd9ef5AzSRyKp4FiKBKlHf7d z7WQXxGmGZShwZGnWeI+YUfeW/Y0QOk4LqGqcc3vYoHNu+MhdVKCJaLfi/9SznmSFP9C 8dcg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t19si1650406plj.431.2017.11.09.10.02.58; Thu, 09 Nov 2017 10:03:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753913AbdKISCC (ORCPT + 81 others); Thu, 9 Nov 2017 13:02:02 -0500 Received: from aserp1040.oracle.com ([141.146.126.69]:20020 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752622AbdKISCA (ORCPT ); Thu, 9 Nov 2017 13:02:00 -0500 Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id vA9I1VKw018711 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 9 Nov 2017 18:01:32 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id vA9I1V3E014087 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 9 Nov 2017 18:01:31 GMT Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id vA9I1Som017212; Thu, 9 Nov 2017 18:01:30 GMT Received: from [192.168.0.171] (/69.207.174.138) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 09 Nov 2017 10:01:28 -0800 Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces To: "Serge E. Hallyn" , Daniel Micay Cc: =?UTF-8?B?TWFoZXNoIEJhbmRld2FyICjgpK7gpLngpYfgpLYg4KSs4KSC4KSh4KWH4KS1?= =?UTF-8?B?4KS+4KSwKQ==?= , Mahesh Bandewar , LKML , Netdev , Kernel-hardening , Linux API , Kees Cook , "Eric W . Biederman" , Eric Dumazet , David Miller References: <20171103004436.40026-1-mahesh@bandewar.net> <20171104235346.GA17170@mail.hallyn.com> <20171106150302.GA26634@mail.hallyn.com> <1510003994.736.0.camel@gmail.com> <20171106221418.GA32543@mail.hallyn.com> <1510020963.736.42.camel@gmail.com> <20171107032310.GA6429@mail.hallyn.com> From: chris hyser Message-ID: Date: Thu, 9 Nov 2017 13:01:24 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <20171107032310.GA6429@mail.hallyn.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Source-IP: userv0022.oracle.com [156.151.31.74] Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/06/2017 10:23 PM, Serge E. Hallyn wrote: > I think I definately prefer what I mentioned in the email to Boris. > Basically a "permanent capability bounding set". The normal bounding > set gets reset to a full set on every new user_ns creation. In this > proposal, it would instead be set to the calling task's permanent > capability set, which starts (at boot) full, and which privileged > tasks can pull capabilities out of. Actually, this may solve a similar problem I've been looking at. The idea was basically at strategic points in the kernel (possibly LSM hook sites, still evaluating, and probably syscall entry) validate that a task has not "magically" acquired capabilities that it or parent specifically said it cannot have and then take some action like say killing it immediately. Using your terms, basically make the "permanent capability set" a write-once privilege escalation defense. To handle the 0-day threat, perhaps make it writable but only with more "restrictive" values. -chrish From 1583610253758057579@xxx Thu Nov 09 17:27:06 +0000 2017 X-GM-THRID: 1583003759650790753 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread