Received: by 10.223.164.202 with SMTP id h10csp1364549wrb; Wed, 8 Nov 2017 03:11:19 -0800 (PST) X-Google-Smtp-Source: ABhQp+TFOZXu8Bjp9dkG2DRJTKRhV+xTONWzAbVh7Br4xa6k1cRY+Q6cxWAPF1mLNvgoMZxuFTRu X-Received: by 10.159.206.193 with SMTP id x1mr98754plo.319.1510139479321; Wed, 08 Nov 2017 03:11:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510139479; cv=none; d=google.com; s=arc-20160816; b=N0w+TwckJldz8V55cEnfmpsWDw041EEdQeQx17HaDXIIyoAmEf4AJ6H8tH/O5LA5nj USiUKX013xTaTMz8FS+966ytlEvNL9d1vM48xi6o4cfObRXwNZMC9RWfODMhVmcqWM4R 1TaQC8rX1fDIPqPVKyZoYtf3OJu9k854jspDwLg1qVRLic9WN2O2wHcw74hatHwMe1jf 3T0UFoKWjgvZ1Odcux2Q/qMeMcFyer7KmIK9ci27GAqVKzMiSuu/jW0YlvGwpr68A56G mRq9zqFiF02yzpEfE8xGKHDVFw4ClPpq6Fl5K54c8z9lCI1Cta+cimhlHdAUitfr8PU9 +KhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=lq6MTKobIBIFtLIUrAVEH6iVZZuPxcgH6RqdzeZdaPo=; b=pTAS/gNQiH6q9GZp+vJW+2SJ/bqTVlQJKnPeTOPi0Gm4Cfc7AW9b4sDcEBtNtZBhd7 zqHc/y4DMpNS9xWfmXSrTddDs51aL47qkt8mC2HIrBuR/D2dZ/jNttfAHBH3Cokzi4Vn Ox0QoERKfCxvxDypLPr9IuRgaaDUQkfRjjNr4VCN19LMtfzhEuhSI+KeeQsjWmJKOnds r291xGpS3nbowYZyMUgurOr9I2u9UVrMOvHPIMPXZuvA2zEEJnWeXNZvUKCWq4GaaSaE 0fpB5JXhOgpYTl+FDhcb4aX7yhqrhyBt9cdq6XPp8uFRaEV9WTsVGPVRcyzuYo5KnSPn n44A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=bxmbh6Fz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a23si3905234pfg.402.2017.11.08.03.11.06; Wed, 08 Nov 2017 03:11:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=bxmbh6Fz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752254AbdKHLKX (ORCPT + 91 others); Wed, 8 Nov 2017 06:10:23 -0500 Received: from mail-yw0-f178.google.com ([209.85.161.178]:49290 "EHLO mail-yw0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751705AbdKHLKV (ORCPT ); Wed, 8 Nov 2017 06:10:21 -0500 Received: by mail-yw0-f178.google.com with SMTP id z195so1947554ywz.6 for ; Wed, 08 Nov 2017 03:10:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lq6MTKobIBIFtLIUrAVEH6iVZZuPxcgH6RqdzeZdaPo=; b=bxmbh6FzEHQUQLhfgjYvGvGZTx55WN9riq5KqV8VtCOOU8Bpb4va5gxiznapXUs/gP FHYPG0hCnvd/nRrgIlXAzSs6cCsTejQ64ApavKfoO6BH4ZgyYuap3VD3sktfz8v6e5QN pUnk64WF25Sd4wwnqE61srEftuCOhaNbT11sN9o//ra0I0jpCLnW4ez7d73xfnt7v9Wk TQqU37Zu8KajBHhUEA1E8ih+zr5Gxh0kEyC3gun8iOXctCkv7zqn/8M8aUs3yT/E0Ovi KB9suvl6n7iiRFE0X5n8Z/MraYAQkpFAeGN5FpKlP3RIlqyHtZsp6MykyaohPh7MuNPD LeZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lq6MTKobIBIFtLIUrAVEH6iVZZuPxcgH6RqdzeZdaPo=; b=g9MDbfge1MZT0o/5dw2zkKeGXO/sxgb+PkstU4vaAd50PHWXjn4avCHowxZpOJfijR PHeI46oniBx/Oogzaco+Ki2/7XkNJgxarMFgP+JvYkdtn5W368qz69gsenqXS2kAABhp 1JgwEcmqPLVQut0/eF7xrOQ6Oo3KrvtPyCYEnJEQmFYwhSG0jm5WEFYqJVX0BE8P1rFt Q4K7mHlZucnn/EdvcWCjX/oGj0ONDlZsEiIl9YtISorK0cPkfVOqPRNF4Pcj7SxD0aca uSr2ecG0DCgxPRk9opIuR6xDUaOWGxx4qDrwA82cJjxyE9qMBfaZPmK5d1gZANncKp2Z D8nQ== X-Gm-Message-State: AJaThX45dhLu2NgOJhTHJE017xj6TxKVdiw2IgpRTnM+eb4pZEwWgaI1 SxBIwzgOs5hA1OgiC/rtPw6Gcgn+r7BSFIfcM3MSTA== X-Received: by 10.37.216.208 with SMTP id p199mr50507ybg.429.1510139420035; Wed, 08 Nov 2017 03:10:20 -0800 (PST) MIME-Version: 1.0 Received: by 10.37.131.198 with HTTP; Wed, 8 Nov 2017 03:09:59 -0800 (PST) In-Reply-To: <20171107032802.GA6669@mail.hallyn.com> References: <20171103004436.40026-1-mahesh@bandewar.net> <20171104235346.GA17170@mail.hallyn.com> <20171106150302.GA26634@mail.hallyn.com> <1510003994.736.0.camel@gmail.com> <20171106221418.GA32543@mail.hallyn.com> <20171106233913.GA1518@mail.hallyn.com> <20171107032802.GA6669@mail.hallyn.com> From: =?UTF-8?B?TWFoZXNoIEJhbmRld2FyICjgpK7gpLngpYfgpLYg4KSs4KSC4KSh4KWH4KS14KS+4KSwKQ==?= Date: Wed, 8 Nov 2017 03:09:59 -0800 Message-ID: Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces To: "Serge E. Hallyn" Cc: Boris Lukashev , Daniel Micay , Mahesh Bandewar , LKML , Netdev , Kernel-hardening , Linux API , Kees Cook , "Eric W . Biederman" , Eric Dumazet , David Miller Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Sorry folks I was traveling and seems like lot happened on this thread. :p I will try to response few of these comments selectively - > The thing that makes me hesitate with this set is that it is a > permanent new feature to address what (I hope) is a temporary > problem. I agree this is permanent new feature but it's not solving a temporary problem. It's impossible to assess what and when new vulnerability that could show up. I think Daniel summed it up appropriately in his response > Seems like there are two naive ways to do it, the first being to just > look at all code under ns_capable() plus code called from there. It > seems like looking at the result of that could be fruitful. This is really hard. The main issue that there were features designed and developed before user-ns days with an assumption that unprivileged users will never get certain capabilities which only root user gets. Now that is not true anymore with user-ns creation with mapping root for any process. Also at the same time blocking user-ns creation for eveyone is a big-hammer which is not needed too. So it's not that easy to just perform a code-walk-though and correct those decisions now. > It seems to me that the existing control in > /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape > in that case. This solution is essentially blocking unprivileged users from using the user-namespaces entirely. This is not really a solution that can work. The solution that this patch-set adds allows unprivileged users to create user-namespaces. Actually the proposed solution is more fine-grained approach than the unprivileged_userns_clone solution since you can selectively block capabilities rather than completely blocking the functionality. > I meant each task has a perm_cap_bset next to the cap_bset. So task > p1 (if it has privilege) can drop CAP_SYS_ADMIN from perm_cap_bset, > p2 (if it has privilege) can drop CAP_NET_ADMIN. When p1 creates a > new user_ns, that init task has its cap_bset set to all caps but > CAP_SYS_ADMIN. > > I think for simplicity perm_cap_bset would *only* affect the filling > of cap_bset at user namespace creation. So if you wanted to drop a > capability from your own cap_bset as well, you'd have to do that > separately. My original intention is to reduce the attack surface when vulnerabilities are discovered / published, but I don't see how this is solving that issue. Also the reason to have sysctl is to have simplistic control across the board to contain the situation. If that is not addressed then we might need some other solution on top of this. From 1583426058425925542@xxx Tue Nov 07 16:39:23 +0000 2017 X-GM-THRID: 1583003759650790753 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread