From: Mahesh Bandewar
To: LKML, Netdev
Cc: Kernel-hardening, Linux API, Kees Cook, Serge Hallyn, "Eric W. Biederman", Eric Dumazet, David Miller, Mahesh Bandewar, Mahesh Bandewar
Subject: [PATCH resend 0/2] capability controlled user-namespaces
Date: Thu, 2 Nov 2017 17:44:22 -0700
Message-Id: <20171103004422.39883-1-mahesh@bandewar.net>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mahesh Bandewar

TL;DR version
-------------
Creating a sandbox environment with namespaces is challenging considering what these sandboxed processes can engage in, e.g. CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc., just to name a few. The current form of user-namespaces, however, if changed a bit, can allow us to create a sandbox environment without locking down user-namespaces.

Detailed version
----------------

Problem
-------
User-namespaces in their current form have increased the attack surface, as any process can acquire capabilities which are not available to it (by default) by performing a combination of clone()/unshare()/setns() syscalls.
#define _GNU_SOURCE
#include <sched.h>          /* unshare(), CLONE_NEWUSER, CLONE_NEWNET */
#include <stdio.h>
#include <unistd.h>         /* close() */
#include <sys/socket.h>
#include <netinet/in.h>     /* IPPROTO_RAW */

int main(int ac, char **av)
{
	int sock = -1;

	/* As an unprivileged user this open fails with EPERM: CAP_NET_RAW is missing. */
	printf("Attempting to open RAW socket before unshare()...\n");
	sock = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
	if (sock < 0) {
		perror("socket() SOCK_RAW failed");
	} else {
		printf("Successfully opened RAW-Sock before unshare().\n");
		close(sock);
		sock = -1;
	}

	/* A new user-ns grants the creator a full capability set inside it, and the
	 * new net-ns is owned by that user-ns, so CAP_NET_RAW is honoured there. */
	if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
		perror("unshare() failed");
		return 1;
	}

	printf("Attempting to open RAW socket after unshare()...\n");
	sock = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
	if (sock < 0) {
		perror("socket() SOCK_RAW failed");
	} else {
		printf("Successfully opened RAW-Sock after unshare().\n");
		close(sock);
		sock = -1;
	}
	return 0;
}

The above example shows how easy it is to acquire the NET_RAW capability, and once acquired, these processes could take advantage of the above mentioned or similar issues, discovered or undiscovered, with malicious intent. Note that this is just an example and the problem/solution is not limited to the NET_RAW capability *only*.

The easiest fix one can apply here is to lock down user-namespaces, which many of the distros do (i.e. don't allow users to create user namespaces), but unfortunately that prevents everyone from using them.

Approach
--------
Introduce a notion of 'controlled' user-namespaces. Every process on the host is allowed to create user-namespaces (governed by the limit imposed by the per-ns sysctl); however, user-namespaces created by sandboxed processes are marked as 'controlled'. This 'mark' is used at the time of the capability check in conjunction with a global capability whitelist. If the capability is not whitelisted, processes that belong to controlled user-namespaces will not be allowed to use it. Once a user-ns is marked as 'controlled', all its child user-namespaces are marked as 'controlled' too.
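To make the proposed check concrete, here is a user-space model of the mechanism, added as an illustration and not code from the patch series: the 'controlled' mark is inherited at user-ns creation, the global whitelist starts out containing every capability (the compatibility default described next), and a controlled namespace is additionally gated on that whitelist at capability-check time. The struct, the function names and the whitelist variable are assumptions; only the capability numbers are the real Linux values.

```c
#include <stdbool.h>
#include <stdint.h>
#define CAP_NET_RAW   13          /* real Linux capability numbers */
#define CAP_SYS_ADMIN 21
#define CAP_BIT(c)    (1ULL << (c))

struct userns {                   /* assumed model type, not the kernel's struct */
    bool controlled;              /* the 'controlled' mark from the cover letter */
    uint64_t cap_effective;       /* capabilities a task holds inside this ns */
};

/* Stand-in for the global sysctl whitelist; default = every capability,
 * so a system that never touches it behaves exactly as today. */
static uint64_t controlled_cap_whitelist = ~0ULL;
/* Creating a user-ns hands the creator a full capability set inside it
 * (which is how unshare() "acquires" NET_RAW); the mark is inherited. */
void userns_create(const struct userns *parent, bool sandboxed, struct userns *ns) {
    ns->controlled = parent->controlled || sandboxed;
    ns->cap_effective = ~0ULL;
}

/* The proposed check: a controlled ns must also find the cap on the whitelist. */
bool model_ns_capable(const struct userns *ns, int cap) {
    if (!(ns->cap_effective & CAP_BIT(cap)))
        return false;
    if (ns->controlled && !(controlled_cap_whitelist & CAP_BIT(cap)))
        return false;
    return true;
}

/* Admin action in the init-ns: remove a cap for every controlled ns at once. */
void whitelist_remove(int cap) { controlled_cap_whitelist &= ~CAP_BIT(cap); }

/* Scenario: a sandboxed task creates a user-ns (controlled) and a child of it;
 * a normal user creates an uncontrolled one. Bit i of the result = check i held. */
int run_scenario(void) {
    struct userns init_ns = { false, ~0ULL }, sandbox, child, plain;
    int r = 0;
    controlled_cap_whitelist = ~0ULL;                    /* start from the default */
    userns_create(&init_ns, true, &sandbox);
    userns_create(&sandbox, false, &child);
    userns_create(&init_ns, false, &plain);
    r |= model_ns_capable(&sandbox, CAP_NET_RAW) << 0;   /* untouched whitelist: allowed */
    whitelist_remove(CAP_NET_RAW);
    r |= !model_ns_capable(&sandbox, CAP_NET_RAW) << 1;  /* now denied */
    r |= !model_ns_capable(&child, CAP_NET_RAW) << 2;    /* child inherits the mark */
    r |= model_ns_capable(&child, CAP_SYS_ADMIN) << 3;   /* other caps unaffected */
    r |= model_ns_capable(&plain, CAP_NET_RAW) << 4;     /* uncontrolled ns unaffected */
    return r;                                            /* 0x1f if all hold */
}
```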
A global whitelist is a list of capabilities governed by a sysctl which is available to the (privileged) user in the init-ns to modify, while it is applicable to all controlled user-namespaces on the host. Marking user-namespaces as controlled without modifying the whitelist is equivalent to the current behavior. The default value of the whitelist includes all capabilities so that compatibility is maintained. However, it gives admins the fine-grained ability to control various capabilities system-wide without locking down user-namespaces.

Please see the individual patches in this series.

Mahesh Bandewar (2):
  capability: introduce sysctl for controlled user-ns capability whitelist
  userns: control capabilities of some user namespaces

 Documentation/sysctl/kernel.txt | 21 +++++++++++++++++
 include/linux/capability.h      |  4 ++++
 include/linux/user_namespace.h  | 20 ++++++++++++++++
 kernel/capability.c             | 52 +++++++++++++++++++++++++++++++++++++++++
 kernel/sysctl.c                 |  5 ++++
 kernel/user_namespace.c         |  3 +++
 security/commoncap.c            |  8 +++++++
 7 files changed, 113 insertions(+)

-- 
2.15.0.403.gc27cc4dac6-goog