Received: by 10.223.164.202 with SMTP id h10csp738458wrb;
        Mon, 6 Nov 2017 14:44:10 -0800 (PST)
X-Google-Smtp-Source: ABhQp+Sx+8nGlA5wDMAowkewYGDucgw5jNbi2Xy8sOOZVkiavlUOeG+bo5em2TznZoITVlwuMy+T
X-Received: by 10.101.96.68 with SMTP id b4mr16383371pgv.155.1510008250100;
        Mon, 06 Nov 2017 14:44:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510008250; cv=none;
        d=google.com; s=arc-20160816;
        b=MMccyr/bvPUPbKOFDXVBxYnxfrwdOEAU5izBxNCjiUsZpnycu2pzXFXwxhDn7jtHKW
         QfJOeSYtudJc7cbROQQRmbXLBM47el9s/TsUoqmHssUFKCD1PiZ8BnA7yh2ud8GFurLH
         F+fnAm2/M7qH6azJyYwiQAARiT4bciCMRXwUp7IVk9Q89uMMEzBeZi2dC7JkuHa293Bo
         D/Og6FhyXsj5p4Y0XlNa1VlpCG5RW76Lnlu6KT6tu43MwZAltPAMlkA/4Z+51CY8beJD
         4e5/wPw45/Hm4kxEFrogJSTFXIX48Vugu7JY34ScRLeDLkO9SgKyNtuKQ7XVMhANLK37
         bp1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=djIvwIWLuhoD1JblJMMWSUh1/D/1X+rs1RxmB6jHzv8=;
        b=eb4mLCFJunl0rTFLj068ds8xOsIMjtnCwCHoLX7BTXhpeHNQaDg4zDu8aRrU8z/ozJ
         yT2eBbF4Lk5DIoTw2xqgeSV+7FmE8UqViff5z68Luv+EDlWuEFnnUUwnpbHFZxLPssdN
         GaODRuPvSrVBNdDkKk981Qgy8KpkYuPUsHFIKlrAmlIX8ugyBH9TqCfBeggFM8KOU7jW
         w5jlkivOfKnji4TKfv7cgddH2t4ryRxHNPf9jyyLAyP7K7O2Jwk12RIQGIOXhy20V/ER
         t3WHkfKE4mnrWqMGSQgznE9D9zET5vZzuqQEI8emGWUWfFhEgS7V/XFuhbztguYP6iel
         3ipA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p86si13119165pfd.295.2017.11.06.14.43.57;
        Mon, 06 Nov 2017 14:44:10 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754117AbdKFWOW (ORCPT <rfc822;ttoukan.linux@gmail.com>
        + 94 others); Mon, 6 Nov 2017 17:14:22 -0500
Received: from h2.hallyn.com ([78.46.35.8]:34348 "EHLO h2.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753819AbdKFWOU (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 6 Nov 2017 17:14:20 -0500
Received: by h2.hallyn.com (Postfix, from userid 1001)
        id CDAAC120469; Mon,  6 Nov 2017 16:14:18 -0600 (CST)
Date:   Mon, 6 Nov 2017 16:14:18 -0600
From:   "Serge E. Hallyn" <serge@hallyn.com>
To:     Daniel Micay <danielmicay@gmail.com>
Cc:     "Serge E. Hallyn" <serge@hallyn.com>,
        Mahesh Bandewar
         =?utf-8?B?KOCkruCkueClh+CktiDgpKzgpILgpKHgpYfgpLXgpL4=?=
         =?utf-8?B?4KSwKQ==?= <maheshb@google.com>,
        Mahesh Bandewar <mahesh@bandewar.net>,
        LKML <linux-kernel@vger.kernel.org>,
        Netdev <netdev@vger.kernel.org>,
        Kernel-hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Eric Dumazet <edumazet@google.com>,
        David Miller <davem@davemloft.net>
Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control
 capabilities of some user namespaces
Message-ID: <20171106221418.GA32543@mail.hallyn.com>
References: <20171103004436.40026-1-mahesh@bandewar.net>
 <20171104235346.GA17170@mail.hallyn.com>
 <CAF2d9jg1tZz-hnVBeXm3geq7jSBt5v5w6+p5B1V-7huS4qbMBA@mail.gmail.com>
 <20171106150302.GA26634@mail.hallyn.com>
 <1510003994.736.0.camel@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1510003994.736.0.camel@gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Daniel Micay (danielmicay@gmail.com):
> Substantial added attack surface will never go away as a problem. There
> aren't a finite number of vulnerabilities to be found.

There's varying levels of usefulness and quality.  There is code which I
want to be able to use in a container, and code which I can't ever see a
reason for using there.  The latter, especially if it's also in a
staging driver, would be nice to have a toggle to disable.

You're not advocating dropping the added attack surface, only adding a
way of dealing with an 0day after the fact.  Privilege raising 0days can
exist anywhere, not just in code which only root in a user namespace can
exercise.  So from that point of view, ksplice seems a more complete
solution.  Why not just actually fix the bad code block when we know
about it?

Finally, it has been well argued that you can gain many new caps from
having only a few others.  Given that, how could you ever be sure that,
if an 0day is found which allows root in a user ns to abuse
CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them
would suffice?  It seems to me that the existing control in
/proc/sys/kernel/unprivileged_userns_clone might be the better duct tape
in that case.

-serge

From 1583336283803681610@xxx Mon Nov 06 16:52:28 +0000 2017
X-GM-THRID: 1583003759650790753
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread