Received: by 10.223.164.202 with SMTP id h10csp901614wrb; Mon, 6 Nov 2017 18:32:43 -0800 (PST) X-Google-Smtp-Source: ABhQp+Qkstbj74puBjAUEtbbfyHQg4mE3v2s2G1uxXo9d6fg+YtTUuV0gYbLDr4vxZnIgzRek7QW X-Received: by 10.98.103.206 with SMTP id t75mr18696343pfj.173.1510021963097; Mon, 06 Nov 2017 18:32:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510021963; cv=none; d=google.com; s=arc-20160816; b=lI6qGYeSrTF0/k10PNVGuJ7b//J38GX4MBY/k6Yv3xpMgGuhVIp9HWmjRafTcTcdHW AuPPGB/xzBKct5xp6W6Yj/w5H4ooOuxYyefDeppigP9udwuVp172yLbBysg4FuykFv8+ u/LplyklbW+eQtGbqQbYjXpsDLSPF3L9Ho8rXO63eaY332LgKwS+cIMYDYSA+jdBog3R GIEtGzjzRWbjoAWv8VKeR2EOwNk5StRPGIgEyhRkH92okNtwr4UrYewpmHbCBczkiWwv FREohkIAM7pYOn1LX2nOFam7DggLVNhj5Jixz7l24UB7a7007FySYj4c7yymd8t4hvNI 1eJA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=LsGb9o/z13Ipm+270e/VkaIvDsxOtBmnYnOpLNtPYtE=; b=huBn0wOEjcaH/3fFUInh6/T044peNi4IDr2eAYA2m/f/tzSONkb3+ddCZ/9+nX2Sb9 FjO5sgxNx0qscVfBkBMtAc2rN+DyFsdvhAzmI4Yul9aivVbD79TqgeX7fSqTxnV9Qe9R 900jaCpB4209DLVPFcnvYuYR6y7aKH5dR3zTgjgI0jOE0bWCj56c1JCgoGP4m5ly0sWn SuBqRQevHOJRSsJ9C118LgoiLUt446mFoOi7cLT7kIj8JyRhz/rBNBkvTFFGfImsLmxw Nqcfo7L2P/lPuNdV3Cq6IpoMl4Ep9VOpqtGlXYriu5Wfhg0fVpTyo+cjZ30fTXQ3T36n YYRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sempervictus-com.20150623.gappssmtp.com header.s=20150623 header.b=eLe68SLw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t189si124568pgb.672.2017.11.06.18.32.29; Mon, 06 Nov 2017 18:32:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@sempervictus-com.20150623.gappssmtp.com header.s=20150623 header.b=eLe68SLw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752650AbdKFXRY (ORCPT + 94 others); Mon, 6 Nov 2017 18:17:24 -0500 Received: from mail-pf0-f195.google.com ([209.85.192.195]:53940 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752593AbdKFXRW (ORCPT ); Mon, 6 Nov 2017 18:17:22 -0500 Received: by mail-pf0-f195.google.com with SMTP id t188so8864940pfd.10 for ; Mon, 06 Nov 2017 15:17:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sempervictus-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LsGb9o/z13Ipm+270e/VkaIvDsxOtBmnYnOpLNtPYtE=; b=eLe68SLwgOHTkv4T1T02uVzvY0s9vMlJ00ABypi+aDA4ZNGpMUSQvCpQXEVgNR5Psh UOyKKAKYPvxJAOHEeVzs3g2KfzCMZN6Qezy844eSQgjARgbvgdolhmBT9DgZt/8XKpMh zrTev7OQ7xgbTSyfOQFGlk8S6yoc+h6dZWLXZgOqxb5FB3mttDFgrhcpgg+XtvFQIctU wHzAsf4WeIZZu+C7hOS6/YXRTri8gwLte2fHrSEM/F6EoOXGaRvBnjOsTco+uAo+WScl YXRyVvTKwN+ecW49Dgx4BFXv63Agb0kwR4lx9UQlc8ffTZd0ZQfNRxDuL7HEWvKeZ6Bz Q5GA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LsGb9o/z13Ipm+270e/VkaIvDsxOtBmnYnOpLNtPYtE=; b=C02vqZxbautHvd4vHUk2uQccPoxCLa4tOVGdjvP/O85fp8t5JAA2vvfTBXKnoSp4jC 6XTSk/LyAbx9Qtk4RCbBWY45nPRLJXoRudLJ2sD27u8AxNZHrG/FBkQjy88GOexKmfv3 4eUnGieo1JJXFGhFWeWYl9gUcpQCcj1QNpMlqRixEqi8+MFFqPzlXkFeZQngl4TGFfkf owQABdYjaDfZE3u0luuaHGUf2JY9M4G/IC8WrdCrv+Up71oILHzQ5YA7e5oXQyKA2P9d BgTSArWEu0kY+rBWQ2mtBIcVzYbMIeRXbKSlXPbFxOYVSl2vbm9fzLyDvUpERUv5zrVE quJw== X-Gm-Message-State: AMCzsaXtDkIcO43BCC4CyjuO/9ZF6xwhhxpasNJRCAXzdC0V1Eg9+uYY CZnnaFagD/oDhWwDClTUsLRGiL4Pcl5dcykJD6+uUg== X-Received: by 10.98.215.66 with SMTP id v2mr18126471pfl.24.1510010242107; Mon, 06 Nov 2017 15:17:22 -0800 (PST) MIME-Version: 1.0 Received: by 10.100.163.9 with HTTP; Mon, 6 Nov 2017 15:17:21 -0800 (PST) X-Originating-IP: [72.70.61.204] In-Reply-To: <20171106221418.GA32543@mail.hallyn.com> References: <20171103004436.40026-1-mahesh@bandewar.net> <20171104235346.GA17170@mail.hallyn.com> <20171106150302.GA26634@mail.hallyn.com> <1510003994.736.0.camel@gmail.com> <20171106221418.GA32543@mail.hallyn.com> From: Boris Lukashev Date: Mon, 6 Nov 2017 18:17:21 -0500 Message-ID: Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces To: "Serge E. Hallyn" Cc: Daniel Micay , =?UTF-8?B?TWFoZXNoIEJhbmRld2FyICjgpK7gpLngpYfgpLYg4KSs4KSC4KSh4KWH4KS14KS+4KSwKQ==?= , Mahesh Bandewar , LKML , Netdev , Kernel-hardening , Linux API , Kees Cook , "Eric W . Biederman" , Eric Dumazet , David Miller Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: > Quoting Daniel Micay (danielmicay@gmail.com): >> Substantial added attack surface will never go away as a problem. There >> aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and quality. There is code which I > want to be able to use in a container, and code which I can't ever see a > reason for using there. The latter, especially if it's also in a > staging driver, would be nice to have a toggle to disable. > > You're not advocating dropping the added attack surface, only adding a > way of dealing with an 0day after the fact. Privilege raising 0days can > exist anywhere, not just in code which only root in a user namespace can > exercise. So from that point of view, ksplice seems a more complete > solution. Why not just actually fix the bad code block when we know > about it? > > Finally, it has been well argued that you can gain many new caps from > having only a few others. Given that, how could you ever be sure that, > if an 0day is found which allows root in a user ns to abuse > CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them > would suffice? It seems to me that the existing control in > /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape > in that case. > > -serge This seems to be heading toward "we need full zones in Linux" with their own procfs and sysfs namespace and a stricter isolation model for resources and capabilities. So long as things can happen in a namespace which have a privileged relationship with host resources, this is going to be cat-and-mouse to one degree or another. Containers and namespaces dont have a one-to-one relationship, so i'm not sure that's the best term to use in the kernel security context since there's a bunch of userspace and implementation delta across the different systems (with their own security models and so forth). Without accounting for what a specific implementation may or may not do, and only looking at "how do we reduce privileged impact on parent context from unprivileged namespaces," this patch does seem to provide a logical way of reducing the privileges available in such a namespace and often needed to mount escapes/impact parent context. -Boris -- Boris Lukashev Systems Architect Semper Victus From 1583369526750388211@xxx Tue Nov 07 01:40:51 +0000 2017 X-GM-THRID: 1583003759650790753 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread