Received: by 10.223.164.202 with SMTP id h10csp424869wrb; Tue, 7 Nov 2017 08:28:35 -0800 (PST) X-Google-Smtp-Source: ABhQp+TEqQRR353yPbV4CL/My+KmdtfDZvLOwbUv+iNX7ZpgKBBi9qrzepyPBOEMVafA5mN4L+vB X-Received: by 10.98.62.195 with SMTP id y64mr21229388pfj.140.1510072115369; Tue, 07 Nov 2017 08:28:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510072115; cv=none; d=google.com; s=arc-20160816; b=0gmIO+Q67IEo3luUXSFkt2lZe1S/BRD2RLW5tobx0Vw0rrZ7HJr+zzkPsKr2m5ri/s 11sK3kgWk6pdH/5P6kMSxKKfCep4f7njqFP/y62461qviArbx/ODIK5vHGLgR4fWWcS2 YsatjSslH8mGcytCkElQBEj2T+MZtbTty+/CGHA07Wo1stADf6+YkvR9D95YkqsAhep3 Tz1T77vUqNer33B8i1bLo0b4RIQE/TNRRv5s/nwKuuSfWkHx7oguUW71eJ0OsyMbiI8c sgSCAqxssY20w4IhJkQ7ij7xGC+yCCNXjfWtonUSSRPa1NJ01BuRgltJ3ZqtsDpGO7LO uD3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=vXIy2R91Ih7FhHOL8t8q8mMWwXxMvvoTMO83W0tpvlc=; b=09g0GBrgHjWjKZqs9McMUvbN3VQAp1iQh+vFqaqdufTrK1F3gl11lezO0q6e5WgSb7 wJbIKm27zEJHAeGT+ceV8d7yS62Hcq/aovLZxGvPs3K858oTITz+0g8bVS6YMRR6VV21 XxSL85QhytvcC+ypy4eT/hWr5uf7fMTUDDJZPpmgH8X3f3GTRiH5auNjyYdl7vhIwpme GP93MrGYr75AfZ/Ztebg8YhTgMYaeeRvMmRTCthJ1mh/RMlYBakXYyAJaJXXd0+Xo5l/ TCySzVaND6Y4AUtw8loQxJaw0jWmMQ8nK4XR/lBar+CJAbmV2CR8h4yCLzuU7oSZBQhw 9TDQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=DVaSRmLW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b5si1500247pgc.137.2017.11.07.08.28.22; Tue, 07 Nov 2017 08:28:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=DVaSRmLW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753366AbdKGCQJ (ORCPT + 92 others); Mon, 6 Nov 2017 21:16:09 -0500 Received: from mail-it0-f65.google.com ([209.85.214.65]:51620 "EHLO mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751779AbdKGCQG (ORCPT ); Mon, 6 Nov 2017 21:16:06 -0500 Received: by mail-it0-f65.google.com with SMTP id o135so580896itb.0; Mon, 06 Nov 2017 18:16:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:subject:from:to:cc:date:in-reply-to:references :mime-version:content-transfer-encoding; bh=vXIy2R91Ih7FhHOL8t8q8mMWwXxMvvoTMO83W0tpvlc=; b=DVaSRmLWqAbMD8099f+KOKyX3yk1/t5Gv/tY1wo4heyAs97aqMI8vfPrFNLsOXRqN5 eqHr4rZRM5XlH26Ero4xhvZ5ld8z3KQj8ml+ZaARRjNcUyAbbkQhUoJa7x1njpb2UWRR 8YqA2nZq5AYCNIWGzDiy7yDsjYXzzu3Eb7MLRscNVRIT5R7AIu2Bg4PZV56kqoq77KWa hUkKMFZHFq+gAQ1wMcm373TNsnTPH1uhItyDtLPb2/ZIznn21OBBW9tqBDD1KsgpRU8k shGvzIO+vTKFsQPqEQhe/0ZM7a+tPAxarhFoPoPiP+O5+wFmEovCI1csr+SW7Z9gI0Ot etbg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=vXIy2R91Ih7FhHOL8t8q8mMWwXxMvvoTMO83W0tpvlc=; b=sJFATw1LEDy/6o5+PeiUyMiUpIw09pFhTAivhIn8Ns1gjqdbydVo7uq40LroktCvyM ZaoTuXGBqNhi3L/m7cuim+vTLXyvHeUZaHCurX4npw4hbd4V+tYtxMphbS9++vT2TiAL cu30HoUlRJPq3PKXNa4c6PmqNiyH7DwxpwvCsohfIz39dg+v5htX1oe09t/SWyCu1YNS AvCPf8BGBsrk8vKU/YfU5ikA1+vS5HorFWLOLT/kQrEFQf9uqvcJMHG6y3RswlgbLmM0 lVrDnDT3rH/aOaK64zEQMf5BdAE5ctbMW7psLgDhVXo1+yekuJFzVXiv8v6WMtnfn+TV LCZg== X-Gm-Message-State: AJaThX6zJjHDC3bZxL7a0Ot25JQtS88iewSTiAAC/D+V5Slsa/tTOqLR 9TdRfKCo0RLPs61pI1BH+e8= X-Received: by 10.36.118.210 with SMTP id z201mr312135itb.78.1510020966151; Mon, 06 Nov 2017 18:16:06 -0800 (PST) Received: from thinktank ([2607:fea8:59f:fec5::3]) by smtp.googlemail.com with ESMTPSA id d16sm63501iod.38.2017.11.06.18.16.04 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 06 Nov 2017 18:16:05 -0800 (PST) Message-ID: <1510020963.736.42.camel@gmail.com> Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces From: Daniel Micay To: "Serge E. Hallyn" Cc: Mahesh Bandewar =?UTF-8?Q?=28=E0=A4=AE=E0=A4=B9=E0=A5=87=E0=A4=B6_?= =?UTF-8?Q?=E0=A4=AC=E0=A4=82=E0=A4=A1=E0=A5=87=E0=A4=B5=E0=A4=BE?= =?UTF-8?Q?=E0=A4=B0=29?= , Mahesh Bandewar , LKML , Netdev , Kernel-hardening , Linux API , Kees Cook , "Eric W . Biederman" , Eric Dumazet , David Miller Date: Mon, 06 Nov 2017 21:16:03 -0500 In-Reply-To: <20171106221418.GA32543@mail.hallyn.com> References: <20171103004436.40026-1-mahesh@bandewar.net> <20171104235346.GA17170@mail.hallyn.com> <20171106150302.GA26634@mail.hallyn.com> <1510003994.736.0.camel@gmail.com> <20171106221418.GA32543@mail.hallyn.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2017-11-06 at 16:14 -0600, Serge E. Hallyn wrote: > Quoting Daniel Micay (danielmicay@gmail.com): > > Substantial added attack surface will never go away as a problem. > > There > > aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and quality. There is code which > I > want to be able to use in a container, and code which I can't ever see > a > reason for using there. The latter, especially if it's also in a > staging driver, would be nice to have a toggle to disable. > > You're not advocating dropping the added attack surface, only adding a > way of dealing with an 0day after the fact. Privilege raising 0days > can > exist anywhere, not just in code which only root in a user namespace > can > exercise. So from that point of view, ksplice seems a more complete > solution. Why not just actually fix the bad code block when we know > about it? That's not what I'm advocating. I only care about it for proactive attack surface reduction downstream. I have no interest in using it to block access to known vulnerabilities. > Finally, it has been well argued that you can gain many new caps from > having only a few others. Given that, how could you ever be sure > that, > if an 0day is found which allows root in a user ns to abuse > CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them > would suffice? I didn't suggest using it that way... > It seems to me that the existing control in > /proc/sys/kernel/unprivileged_userns_clone might be the better duct > tape > in that case. There's no such thing as unprivileged_userns_clone in mainline. The advantage of this over unprivileged_userns_clone in Debian and maybe some other distributions is not giving up unprivileged app containers / sandboxes implemented via user namespaces. For example, Chromium's user namespace sandbox likely only needs to have CAP_SYS_CHROOT. Chromium will be dropping their setuid sandbox, forcing usage of user namespaces to avoid losing the sandbox which will greatly increase local kernel attack surface on the host by exposing netfilter management, etc. to unprivileged users. The proposed approach isn't necessarily the best way to implement this kind of mitigation but I think it's filling a real need. From 1583422934155225278@xxx Tue Nov 07 15:49:44 +0000 2017 X-GM-THRID: 1583003759650790753 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread