Date: Thu, 9 Nov 2017 11:30:37 -0600
From: "Serge E. Hallyn"
To: Mahesh Bandewar
Cc: LKML, Netdev, Kernel-hardening, Linux API, Kees Cook, Serge Hallyn, "Eric W. Biederman", Eric Dumazet, David Miller, Mahesh Bandewar
Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist
Message-ID: <20171109173037.GC26229@mail.hallyn.com>
References: <20171103004433.39954-1-mahesh@bandewar.net>
In-Reply-To: <20171103004433.39954-1-mahesh@bandewar.net>
List-ID: linux-kernel@vger.kernel.org

Quoting Mahesh Bandewar (mahesh@bandewar.net):
> From: Mahesh Bandewar
>
> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This

I understand the arguments in favor of whitelists in most cases for security purposes.
But given that you've said the goal here is to prevent use of a capability in a user namespace when a CVE has been found, a whitelist seems the wrong choice, since

1. it means that an attacker may through some other means be able to add a capability back into the whitelist when you specifically wanted to drop it. With a blacklist, you could say "once a cap has been dropped it can never be re-added without rebooting".

2. it means by default all capabilities will be denied once the switch is pulled, which is specifically not what you want in this case.

3. the admin can't just say "drop CAP_NET_ADMIN", but needs to know to echo ~CAP_NET_ADMIN.

Why not make it a blacklist, and once a cap is dropped it can never be re-added?

-serge
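To make the three objections above concrete, here is an added user-space model of the two sysctl designs; it is example code written for this page, not the patch's code or anything from the kernel tree. Both policies are a 64-bit capability mask. The whitelist model replaces the mask on every write, so a later writer can silently restore a capability the admin meant to remove (point 1) and removing one capability means writing "everything except that bit" (point 3). The ratcheting blacklist model only ever sets bits, so a dropped capability cannot come back until the mask is reset out of band (a reboot), the empty default denies nothing (point 2), and the admin writes only the capability to drop. The capability numbers follow include/uapi/linux/capability.h (CAP_NET_ADMIN is 12, CAP_SYS_ADMIN is 21); CAP_COUNT of 38 is an assumption matching CAP_LAST_CAP = 37 in 4.14-era kernels. The `struct *_policy` types, the `*_write`/`*_permits` functions and the scenario functions are all hypothetical names invented for this illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers follow include/uapi/linux/capability.h; CAP_COUNT is an
 * assumption matching CAP_LAST_CAP = 37 in 4.14-era kernels. Everything else
 * is a simplified model written for this page, not kernel or patch code. */
#define CAP_NET_ADMIN    12
#define CAP_SYS_ADMIN    21
#define CAP_COUNT        38
#define CAP_TO_MASK(cap) (UINT64_C(1) << (cap))
#define CAP_ALL_MASK     ((UINT64_C(1) << CAP_COUNT) - 1)

/* Model 1: whitelist (the proposed design). The mask lists the capabilities
 * user namespaces may still use; every write replaces the whole mask. */
struct whitelist_policy { uint64_t allowed; };

static int whitelist_write(struct whitelist_policy *p, uint64_t value)
{
	if (value & ~CAP_ALL_MASK)
		return -EINVAL;		/* bit outside the known capability range */
	p->allowed = value;
	return 0;
}

static bool whitelist_permits(const struct whitelist_policy *p, int cap)
{
	return (p->allowed & CAP_TO_MASK(cap)) != 0;
}

/* Model 2: blacklist with a ratchet. A write ORs bits into the mask; there
 * is deliberately no operation that clears a bit, so a dropped capability
 * stays dropped until the mask is reset out of band (i.e. a reboot). */
struct blacklist_policy { uint64_t dropped; };

static int blacklist_write(struct blacklist_policy *p, uint64_t value)
{
	if (value & ~CAP_ALL_MASK)
		return -EINVAL;
	p->dropped |= value;
	return 0;
}

static bool blacklist_permits(const struct blacklist_policy *p, int cap)
{
	return (p->dropped & CAP_TO_MASK(cap)) == 0;
}

/* Scenario: the admin drops CAP_NET_ADMIN, then a later writer (a buggy
 * script or anyone who gained write access to the sysctl) writes the mask
 * again. Returns 1 if the whitelist model lets the capability come back. */
int whitelist_can_readd(void)
{
	struct whitelist_policy p = { .allowed = CAP_ALL_MASK };

	/* Point 3: dropping one cap means writing "all caps except that one". */
	whitelist_write(&p, CAP_ALL_MASK & ~CAP_TO_MASK(CAP_NET_ADMIN));
	if (whitelist_permits(&p, CAP_NET_ADMIN))
		return 0;
	/* Point 1: a second full write silently re-enables it. */
	whitelist_write(&p, CAP_ALL_MASK);
	return whitelist_permits(&p, CAP_NET_ADMIN);
}

/* Same scenario against the ratchet. Returns 1 if CAP_NET_ADMIN stays
 * dropped no matter what is written afterwards. */
int blacklist_stays_dropped(void)
{
	struct blacklist_policy p = { .dropped = 0 };	/* point 2: default denies nothing */

	if (!blacklist_permits(&p, CAP_NET_ADMIN))
		return 0;
	/* Point 3: the admin names only the cap to drop. */
	if (blacklist_write(&p, CAP_TO_MASK(CAP_NET_ADMIN)) != 0)
		return 0;
	if (blacklist_permits(&p, CAP_NET_ADMIN))
		return 0;
	/* Point 1: writing an empty mask (or anything else) cannot clear a bit. */
	blacklist_write(&p, 0);
	if (blacklist_permits(&p, CAP_NET_ADMIN))
		return 0;
	/* Later drops accumulate alongside the earlier one. */
	if (blacklist_write(&p, CAP_TO_MASK(CAP_SYS_ADMIN)) != 0)
		return 0;
	return !blacklist_permits(&p, CAP_NET_ADMIN) &&
	       !blacklist_permits(&p, CAP_SYS_ADMIN);
}

/* Both models reject bits above the known capability range. */
int blacklist_rejects_unknown_bits(void)
{
	struct blacklist_policy p = { .dropped = 0 };

	return blacklist_write(&p, UINT64_C(1) << 63);
}

int main(void)
{
	printf("whitelist lets CAP_NET_ADMIN come back: %d\n", whitelist_can_readd());
	printf("blacklist keeps CAP_NET_ADMIN dropped:  %d\n", blacklist_stays_dropped());
	return 0;
}
```

The ratchet is what turns a knob that mitigates a known CVE into a guarantee: once the administrator has dropped a capability, no later write to the same sysctl, whatever its source, can widen what user namespaces may do again.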