Received: by 10.223.164.202 with SMTP id h10csp742490wrb; Mon, 6 Nov 2017 14:50:01 -0800 (PST) X-Google-Smtp-Source: ABhQp+SC6D3aqYoLkBrO3mi4939nrVgVD8mW1ih25WPMtXutqnPPW0xAc8PJSkxCrbZtzHYeirEN X-Received: by 10.101.82.76 with SMTP id q12mr16670196pgp.140.1510008600985; Mon, 06 Nov 2017 14:50:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510008600; cv=none; d=google.com; s=arc-20160816; b=x/v70KIwiUpPYvCCxDBKwqgbs6pqoff7vJ1rDjbfzuG1d7Slzw+BaiL1n1uvDWuIKv IOuytkRoN9GvVeZYKnsB/eopmWVgbt0EqDJVDxAZzyMQwejHQ7Ev7igZv1isy9llrzs8 LaTh+dDayG5qMEpONf+8tKBOnlTARcCvK1cibCICddcaKs7g9PzuKIy12XBAn2veWaDi /6Oq8TBGCYGDZOaPwbzmuf3PHU+25fEm8XM2b5P2kw3/NSlG5wfRLI9O2oOzA6lRO1by sygqp5ZkOrDHlJNvNpU5sgcn7UoSNYVmDZbmz/dP0ArPxUgt8UtSWZ4jtlHCSmgcaxHY 3/1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=NfhDaLg2ShhoraSVDzxO7IybOz3x8F9eD74wAzBXIxE=; b=IOgUqy5bgJz6+CbDKSjl4LAHcT96nqni9ee1NjFkPWxFVdhmcvFJeQRo1HT3utSwMP Kw3luAc+qHDSK1p/1YIjWjJL/UZR17hnunIKXpWVXXWoelm5U2em/YQFJ1i/OmdeW/O8 WPzE2+pRci4T/Nq6BO4S/d7Qtb9CO85SLqKF504HfMsko7+A5AzO6+1JwiuaMuQHaVhI DSH0oMMCnG05DXZ61u7cFiP8wtOGNCT8lxiOvmAEN9jZTJeAPbafasRdB8nLioF3f0n4 jugOd7q0Fmep/7K7bDh9zl2rfhwmKNzeFVi6ORyL+Z5J1XQMrT2MlTkRkPozbXuGjFxz E+OA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l12si10843884plc.811.2017.11.06.14.49.48; Mon, 06 Nov 2017 14:50:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753342AbdKFWmO (ORCPT + 94 others); Mon, 6 Nov 2017 17:42:14 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:54401 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752514AbdKFWmM (ORCPT ); Mon, 6 Nov 2017 17:42:12 -0500 Received: from mail-wr0-f199.google.com ([209.85.128.199]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1eBq5r-0001B4-Aw for linux-kernel@vger.kernel.org; Mon, 06 Nov 2017 22:42:11 +0000 Received: by mail-wr0-f199.google.com with SMTP id j15so6821825wre.15 for ; Mon, 06 Nov 2017 14:42:11 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=NfhDaLg2ShhoraSVDzxO7IybOz3x8F9eD74wAzBXIxE=; b=mPPTUcLrCYjc+qri0vx8411OElZQTZMrpq5F4oiO2jbf9nK5a9S9OPuX/jZtfduRb1 Ts0qzdxhkXSGD3IUBq+6PwieWzNxAS+fyW9MBinfntKGcrMQqBrYQUwUULB4LxSbinx2 zngbHwLX6dsL/chIAS5YJRinjEoLOlzplfLDVLgaeNzd/NHkwGr/zaVrk5h0rDEKjYIT aTD3i0TamwloljoMQE9/5MtzMmmZzt8/VsRoCsD2saJlxsPax2wszFlOuz9JrqOesIH7 5H71r7j7kY1UmWuROpMPc+cA+9juK0gji4+lwE5T1J7WGR7qAs4mi1Kog3yyzZ4nn+J5 ZJYw== X-Gm-Message-State: AJaThX4Dl5lCKzM+e8Y6CIcnYxdQ7vKRMM8vig0cWVxmOcCYWSKcFr09 HVeUFA9Uz0710MWcAwdufxbCOqAW/ruz/4cAWZkvz8y3Md4i+k7X3bk9wInjlZP5YmOPRpIyZyC TTEWa1Ok61cym2NorYpUSik7er8iC+wLatSd1ZAPYhA== X-Received: by 10.28.239.16 with SMTP id n16mr5907208wmh.49.1510008130946; Mon, 06 Nov 2017 14:42:10 -0800 (PST) X-Received: by 10.28.239.16 with SMTP id n16mr5907202wmh.49.1510008130746; Mon, 06 Nov 2017 14:42:10 -0800 (PST) Received: from gmail.com (p5B2A6E1B.dip0.t-ipconnect.de. [91.42.110.27]) by smtp.gmail.com with ESMTPSA id r63sm64204wmg.13.2017.11.06.14.42.09 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 06 Nov 2017 14:42:10 -0800 (PST) Date: Mon, 6 Nov 2017 23:42:08 +0100 From: Christian Brauner To: "Serge E. Hallyn" Cc: Daniel Micay , Mahesh Bandewar =?utf-8?B?KOCkruCkueClh+CktiDgpKzgpILgpKHgpYfgpLXgpL4=?= =?utf-8?B?4KSwKQ==?= , Mahesh Bandewar , LKML , Netdev , Kernel-hardening , Linux API , Kees Cook , "Eric W . Biederman" , Eric Dumazet , David Miller Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces Message-ID: <20171106224207.pdws44vorkxdf6ur@gmail.com> References: <20171103004436.40026-1-mahesh@bandewar.net> <20171104235346.GA17170@mail.hallyn.com> <20171106150302.GA26634@mail.hallyn.com> <1510003994.736.0.camel@gmail.com> <20171106221418.GA32543@mail.hallyn.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20171106221418.GA32543@mail.hallyn.com> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 06, 2017 at 04:14:18PM -0600, Serge Hallyn wrote: > Quoting Daniel Micay (danielmicay@gmail.com): > > Substantial added attack surface will never go away as a problem. There > > aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and quality. There is code which I > want to be able to use in a container, and code which I can't ever see a > reason for using there. The latter, especially if it's also in a > staging driver, would be nice to have a toggle to disable. > > You're not advocating dropping the added attack surface, only adding a > way of dealing with an 0day after the fact. Privilege raising 0days can > exist anywhere, not just in code which only root in a user namespace can > exercise. So from that point of view, ksplice seems a more complete > solution. Why not just actually fix the bad code block when we know > about it? > > Finally, it has been well argued that you can gain many new caps from > having only a few others. Given that, how could you ever be sure that, > if an 0day is found which allows root in a user ns to abuse > CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them > would suffice? It seems to me that the existing control in > /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape > in that case. I agree that /proc/sys/kernel/unprivileged_userns_clone is the most reasonable thing to do. This patch introduces a layer of complexity to fine-tune user namespace creation that - in the relevant security critical scenario - should simply be turned of entirely. Is /proc/sys/kernel/unprivileged_userns_clone upstreamed or is this still only carried downstream? From 1583358410712398683@xxx Mon Nov 06 22:44:09 +0000 2017 X-GM-THRID: 1583003759650790753 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread