From: Mahesh Bandewar
To: LKML, Netdev
Cc: Kernel-hardening, Linux API, Kees Cook, Serge Hallyn, "Eric W. Biederman", Eric Dumazet, David Miller, Mahesh Bandewar, Mahesh Bandewar
Subject: [PATCHv2 0/2] capability controlled user-namespaces
Date: Thu, 9 Nov 2017 21:37:39 -0800
Message-Id: <20171110053739.21022-1-mahesh@bandewar.net>
X-Mailer: git-send-email 2.15.0.448.gf294e3d99a-goog
X-Mailing-List: linux-kernel@vger.kernel.org

TL;DR version
-------------
Creating a sandbox environment with namespaces is challenging considering what these sandboxed processes can engage in, e.g. CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc., just to name a few. The current form of user-namespaces, however, if changed a bit, can allow us to create a sandbox environment without locking down user-namespaces.

Detailed version
----------------

Problem
-------
User-namespaces in their current form have increased the attack surface, as any process can acquire capabilities which are not available to it (by default) by performing a combination of clone()/unshare()/setns() syscalls.
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sched.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void)
{
    int sock = -1;

    /* An unprivileged process lacks CAP_NET_RAW in its current user-ns,
     * so this first attempt is expected to fail with EPERM. */
    printf("Attempting to open RAW socket before unshare()...\n");
    sock = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) {
        perror("socket() SOCK_RAW failed");
    } else {
        printf("Successfully opened RAW-Sock before unshare().\n");
        close(sock);
        sock = -1;
    }

    /* Creating a new user-ns grants the creator a full capability set
     * inside it; the new net-ns is owned by that user-ns, so the
     * capability check for a raw socket now succeeds. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
        perror("unshare() failed");
        return 1;
    }

    printf("Attempting to open RAW socket after unshare()...\n");
    sock = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) {
        perror("socket() SOCK_RAW failed");
    } else {
        printf("Successfully opened RAW-Sock after unshare().\n");
        close(sock);
        sock = -1;
    }

    return 0;
}

The above example shows how easy it is to acquire the NET_RAW capability, and once acquired, these processes could take advantage of the above-mentioned or similar issues, discovered or undiscovered, with malicious intent. Note that this is just an example and the problem/solution is not limited to the NET_RAW capability *only*.

The easiest fix one can apply here is to lock down user-namespaces, which many of the distros do (i.e. don't allow users to create user namespaces), but unfortunately that prevents everyone from using them.

Approach
--------
Introduce a notion of 'controlled' user-namespaces. Every process on the host is allowed to create user-namespaces (governed by the limit imposed by the per-ns sysctl); however, mark user-namespaces created by sandboxed processes as 'controlled'. Use this 'mark' at the time of the capability check in conjunction with a global capability whitelist. If the capability is not whitelisted, processes that belong to controlled user-namespaces will not be allowed it. Once a user-ns is marked as 'controlled', all its child user-namespaces are marked as 'controlled' too.
A global whitelist is a list of capabilities governed by the sysctl, which is available to the (privileged) user in the init-ns to modify, while it applies to all controlled user-namespaces on the host. Marking user-namespaces controlled without modifying the whitelist is equivalent to the current behavior. The default value of the whitelist includes all capabilities so that compatibility is maintained. However, it gives admins the fine-grained ability to control various capabilities system-wide without locking down user-namespaces.

Please see the individual patches in this series.

Mahesh Bandewar (2):
  capability: introduce sysctl for controlled user-ns capability whitelist
  userns: control capabilities of some user namespaces

 Documentation/sysctl/kernel.txt | 21 +++++++++++++++++
 include/linux/capability.h      |  4 ++++
 include/linux/user_namespace.h  | 20 ++++++++++++++++
 kernel/capability.c             | 52 +++++++++++++++++++++++++++++++++++++++++
 kernel/sysctl.c                 |  5 ++++
 kernel/user_namespace.c         |  4 ++++
 security/commoncap.c            |  8 +++++++
 7 files changed, 114 insertions(+)

--
2.15.0.448.gf294e3d99a-goog
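The semantics described in the Approach section (a 'controlled' mark inherited by every child user-ns, and a global whitelist that only gates controlled namespaces, defaulting to all capabilities) as a userspace model, added here as an illustration; it is not code from the patch series, and the names userns, userns_create, controlled_ns_capable and cap_whitelist are invented for the model.

```c
/* Userspace model of the 'controlled user-ns' capability check. Added as an
 * illustration; NOT the patch's code. All names below are invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CAP_NET_RAW   13   /* numbering as in linux/capability.h */
#define CAP_SYS_ADMIN 21
#define CAP_LAST_CAP  37   /* last capability defined in 4.14-era kernels */

/* Global whitelist (the sysctl in the patch): bit N set means capability N
 * stays usable inside controlled namespaces. Default: every capability,
 * which is exactly today's behaviour. */
static uint64_t cap_whitelist = (1ULL << (CAP_LAST_CAP + 1)) - 1;

struct userns {
    struct userns *parent;
    bool controlled;   /* the 'mark'; inherited by every descendant */
};

/* Model of clone()/unshare(CLONE_NEWUSER): a sandboxed creator gets a
 * controlled ns, and a child of a controlled ns is controlled regardless. */
struct userns *userns_create(struct userns *parent, bool creator_sandboxed)
{
    struct userns *ns = calloc(1, sizeof *ns);
    if (!ns) abort();
    ns->parent = parent;
    ns->controlled = creator_sandboxed || (parent && parent->controlled);
    return ns;
}

/* Model of the capability check: an uncontrolled ns keeps current semantics
 * (its owner holds every cap); a controlled ns is also gated by the whitelist. */
bool controlled_ns_capable(const struct userns *ns, int cap)
{
    if (cap < 0 || cap > CAP_LAST_CAP) return false;
    if (!ns->controlled) return true;
    return (cap_whitelist >> cap) & 1ULL;
}

/* Admin action (a sysctl write in the patch): drop one cap from the whitelist. */
void cap_whitelist_remove(int cap) { cap_whitelist &= ~(1ULL << cap); }

int main(void)
{
    struct userns init_ns = { .parent = NULL, .controlled = false };
    struct userns *nested = userns_create(userns_create(&init_ns, true), false);
    cap_whitelist_remove(CAP_NET_RAW);
    printf("nested controlled ns, CAP_NET_RAW after removal: %d\n",
           controlled_ns_capable(nested, CAP_NET_RAW));
    return 0;
}
```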