Received: by 10.223.164.202 with SMTP id h10csp1026340wrb;
        Thu, 9 Nov 2017 19:45:01 -0800 (PST)
X-Google-Smtp-Source: ABhQp+SEv1Vd0nGUS5hURF+GtxGG1Z/ZvIFLv4ajS8IiedaVPaWzhsphUfYzhEJSIK26S0rVPgTK
X-Received: by 10.99.132.72 with SMTP id k69mr2702098pgd.437.1510285500898;
        Thu, 09 Nov 2017 19:45:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510285500; cv=none;
        d=google.com; s=arc-20160816;
        b=nSl/JDac9FvPcuYxrWunsdUJoY1+C0CvlNE+vJQJbYaflZ0kYkaorcSEMCro6KG9Y5
         a5BlGc2YNs6Crx1CtYhm3eIxXGLYcOMKY8PGmg/+45KylVXmpGg2mWDRscQ5M/hFJODb
         LSDHI6STI1Uq2b56LJIuR+V6XzrIP8/PbUKyNHqVn1Q9yyJ1vJMwIPg0ypvuNJWvBRPb
         lJu2X6+153ul9c3gl46roe3bT7GwlFblyVPmibpHC29v/VGYBPlVvny3Q+5jTQHGh1bx
         976qBV1PN8PsDtv7G3W6cRFA0q6jylcB5QpzCP0VD4u9NJjw2Cg4J1BVrpsjsTdG7wnf
         O9Lg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=nAe1MZHBlnHder6A6l/zYkFECt5c0/i79IYacDbWdMU=;
        b=ZUGW6O+yncCcMtmiWhUV+rwjVcPwPCUKF/Gng7jPZXQz3X+MFUgz0J69gHGjXgD6VV
         bvZT5SvzFU5BEwtwcwQvKgFEFn89EPT+qwpfgklYkvwL96rhEmpt8BpGHqu5BEsEfL10
         r9X2SyFOsFz/ZKXOmd3F1/VnefNf8BqYbNWCvsBpp9GAdZC6LGIf0Zcf9nNMwZzCGLhZ
         PI06xXrvRkCcaYCcHwiWKm77eJH7nW60Nlv3/THEodo+6xLzzssg0ECPbY/1ohDqqCy5
         868gOHCXS1PPOd9PwRM+Gpz5E8VtNZYZrjP4X+G1Kk3e1iUZnqTT3/2/pRHU3g5EybSj
         2YkQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=IsJO7WHf;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h192si3636151pgc.152.2017.11.09.19.44.48;
        Thu, 09 Nov 2017 19:45:00 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=IsJO7WHf;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755872AbdKJDoL (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 83 others); Thu, 9 Nov 2017 22:44:11 -0500
Received: from mail-yw0-f173.google.com ([209.85.161.173]:46143 "EHLO
        mail-yw0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755777AbdKJDoJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Nov 2017 22:44:09 -0500
Received: by mail-yw0-f173.google.com with SMTP id t71so7161484ywc.3
        for <linux-kernel@vger.kernel.org>; Thu, 09 Nov 2017 19:44:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=nAe1MZHBlnHder6A6l/zYkFECt5c0/i79IYacDbWdMU=;
        b=IsJO7WHf7NlDrSJQeY9Tr/PvFwj/6AUOnYKCzokqdVSa0cSr+dVzVdYLKQ+5nHmywa
         xo+I40FSR9ZqVWXxv1gzQHVKjipxVIImK+O3mYW1E7kJMgp20k8ooKT8rbnreoOUuYLD
         ydpBJx7d5Wa/vQpiJUvW3UyC1RKA1yGixmU3Jp7T8FHKLvjrE1jpOPJCX8NDj6/SIpK7
         nhv41b4hfEXjml0F02JId1a6rv5S7XOrhsOP/YlbmXbboIjFFj8Dn59YvkHFO8ru5ftf
         XWIgNW+dwO6HcSYHKp5UkcPQ7bPcXuEF9DC0kK/bdSGV3jmbG1H9qNCUnL5urVBdBVIk
         P0rQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=nAe1MZHBlnHder6A6l/zYkFECt5c0/i79IYacDbWdMU=;
        b=fS+d4Omu2m/i7I4ZoetTnRlSRXdZnl6zSg3gYV4/ZxB8hOI3hPfOFA+FKeAniH2Hyx
         TFB8P4MifWuafVJExWhnvSfSXCHAjnalkvXRVVFXpvkDHjxw1R3mrKg+QlBLTw7tdW0g
         hNXySHphzCC/qeXu2DTPurbmRMqBZ5cK0meNFvmH36aw8TyyyzSEv+fYVtwbXAxXVc0r
         RyJOKt/hGzz/oHFmvZ9cUn54tzhHvfNZEduiSyspaNTF2+8cG9R8KV6+yPYGrtZzk3g9
         pCu0NN7KYIy619hfBNvjECKIy1Bm6tO+SeEMede95JoQc5ajAmBEHGSPFVieeNXJ5S9W
         uxig==
X-Gm-Message-State: AJaThX4vmAc7EjhFcCYiOZjIsukolv9qsowyedYcFtLtEHOGvtOFbMty
        R/woK4jGxfKsYTE9HpC+6SMWIIihGAoxNEZ98ceeBA==
X-Received: by 10.129.177.68 with SMTP id p65mr1794744ywh.85.1510285448251;
 Thu, 09 Nov 2017 19:44:08 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.131.198 with HTTP; Thu, 9 Nov 2017 19:43:47 -0800 (PST)
In-Reply-To: <20171109173037.GC26229@mail.hallyn.com>
References: <20171103004433.39954-1-mahesh@bandewar.net> <20171109173037.GC26229@mail.hallyn.com>
From:   =?UTF-8?B?TWFoZXNoIEJhbmRld2FyICjgpK7gpLngpYfgpLYg4KSs4KSC4KSh4KWH4KS14KS+4KSwKQ==?= 
        <maheshb@google.com>
Date:   Fri, 10 Nov 2017 12:43:47 +0900
Message-ID: <CAF2d9jg__SpwvqwYuiXC2d-WxC2C3wq-o-66=K5+ze+BMFPkdQ@mail.gmail.com>
Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled
 user-ns capability whitelist
To:     "Serge E. Hallyn" <serge@hallyn.com>
Cc:     Mahesh Bandewar <mahesh@bandewar.net>,
        LKML <linux-kernel@vger.kernel.org>,
        Netdev <netdev@vger.kernel.org>,
        Kernel-hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Eric Dumazet <edumazet@google.com>,
        David Miller <davem@davemloft.net>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Nov 10, 2017 at 2:30 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> Quoting Mahesh Bandewar (mahesh@bandewar.net):
>> From: Mahesh Bandewar <maheshb@google.com>
>>
>> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
>
> I understand the arguments in favor of whitelists in most cases for
> security purposes.  But given that you've said the goal here is to
> prevent use of a capability in a user namespace when a CVE has been
> found, a whitelist seems the wrong choice, since
>
> 1. it means that an attacker may through some other means be able
> to add a capability back into the whitelist when you specifically
> wanted to drop it.  With a blacklist, you could say "once a cap has
> been dropped it can never be re-added without rebooting".
> 2. it means by default all capabilities will be denied once the
> switch is pulled which is specifically not what you want in this
> case.
> 3. the admin can't just say "drop CAP_NET_ADMIN", but needs to
> know to echo ~CAP_NET_ADMIN.
>
> Why not make it a blacklist, and once a cap is dropped it can
> never be re-added?
>
Well, I'm not going to deny that blacklist approach would work equally
well but code becomes little simpler when you use the whitelist
approach. especially less complicated when a new capability needs to
be added (not that we add capabilities very often) but that would be
something one would have to pay attention to. However with this
approach I can just the CAP_FULL_SET which is readily available.

Having said that I specifically don't have strong preference in this
regard (whitelist vs. blacklist).

> -serge

From 1583648336420899386@xxx Fri Nov 10 03:32:24 +0000 2017
X-GM-THRID: 1583003684527762870
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread