Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp665691lqo;
        Thu, 16 May 2024 19:17:02 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVA/5SvVQJa26lFMy+AboSzuZDKUYEbwJEXTayuX0urGjq3FuLnvuKptNF7kx7hQzM1X+K3kqugCrTTcYwqDyURXR6Hpa58Ikm8c3Gexw==
X-Google-Smtp-Source: AGHT+IEw1uD15TNRzMszUxygncyPJzDA7AXYwRsJ9ywg3LV3pHpAVuOf1LwfVp6t0V+YIY/noGwc
X-Received: by 2002:a05:6870:1702:b0:245:4440:c66c with SMTP id 586e51a60fabf-2454440dfbemr4280478fac.54.1715912222512;
        Thu, 16 May 2024 19:17:02 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715912222; cv=pass;
        d=google.com; s=arc-20160816;
        b=tls1B5/8jL3nRIXzBLGmZHttWzJGwH5iyHJ01IpexqAGIK7wKLl28YaI1purUFMBLv
         z3lIM0IRYZWWAOCPYIKChkri0qmmFse017zesuwE1pXxLbirF+XoEWyE6VLbmIHUvOoZ
         sBKBrPJ9hnTFRjBhTX1WDy+3Zg1pUq5RXWbGhWXbmO/RTNmUpCBIHO8BwJqWfPGsenG7
         x9orOPA7B9eDBsM6UxAvMyCYYeMKFS55nn6ahGDPcdRqhaekAuK79wQQmBA6dsdaES//
         9yIRscA3mLGg6Wj3Tm111M2LZRgZo0N73V/WWRnEkvdzOLlnJHMgrf8RbCJmO9xvvkbF
         k+AQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id:dkim-signature;
        bh=yNlZ6SD8AV4L2IiFccQWOEbwRuaVS5TqhgBGaRz5hS0=;
        fh=HZAHOF3yZDKfOY3f2q6wOqWJ6azAdho6qB++9m3fbrA=;
        b=CRjBHlRbANwd/vwgE6y4nh75GjTcLn7PtJvmDF07AEFRncG1JfZFz9Iois0+0/Jpuw
         BPphpXNm5YD/DqTs8xcjPrflpqfhs1wfZzcNVCtidoS3Zioqlb7iF51TM4ebqDm3dpph
         H7GtGqrGQSMhGz4eNsJQDi1sjPefBo+LNauWWGYY8wrGeBS7JvvftvrMuYc8b8GdMAfT
         xy1bII+4ndd8pekdu4TNs9SDDQlzXHjMl4UyrFkuA/q5EOBXFT1mRuE2Bvk9d5CuNIZo
         w8HQngv7Mw31QllyrflP8vkJH+b09WIHpq/93IrN8uZEwPijOhQa+g/b6rQ2QuptCL9u
         DrUw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@yahoo.com header.s=s2048 header.b=asqs+wVl;
       arc=pass (i=1 dkim=pass dkdomain=yahoo.com);
       spf=pass (google.com: domain of linux-kernel+bounces-181514-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181514-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-181514-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id 41be03b00d2f7-651c0752372si5735578a12.60.2024.05.16.19.17.01
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 May 2024 19:17:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-181514-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yahoo.com header.s=s2048 header.b=asqs+wVl;
       arc=pass (i=1 dkim=pass dkdomain=yahoo.com);
       spf=pass (google.com: domain of linux-kernel+bounces-181514-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181514-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 68955B24B95
	for <linux.lists.archive@gmail.com>; Thu, 16 May 2024 19:11:14 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 5648815746E;
	Thu, 16 May 2024 19:07:19 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="asqs+wVl"
Received: from sonic310-30.consmr.mail.ne1.yahoo.com (sonic310-30.consmr.mail.ne1.yahoo.com [66.163.186.211])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9CD86156F55
	for <linux-kernel@vger.kernel.org>; Thu, 16 May 2024 19:07:16 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.186.211
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715886438; cv=none; b=LNoCClIOpPQ7Acir7U14r4CCe3B0eo0AT6sD/dJg+pOIzOONPh7PGoaY8YxMVde/W3izIx7LSXjHIWdrz47tl0zpXsD5es99+Phpd6PhPAc2afN13cQvxEQhMpI40BwZf5c4kTyshZ1j+NJ2JFeiozsG1fL+imApBJouILEsTyY=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715886438; c=relaxed/simple;
	bh=wxXjpMQ3CVgL6XhPOBwVDZJdQ+2ElLYlyyUvbGIHuVI=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=UcVG6CT4s6JK9SExXzvMfX/3e0FWFH2SlI5ugkf0lg6Iz2ebW2mcxsBzesI1CY0udY//a8YDWkba8m5eNlYn27bUI864dEXlDTYUv5LbIbbmFOjZZCgBl3eMnT6N2C8V0M24YW2lX8mMs/Q+CRwdmFX0nLcAW2i5QzqlYuPL7us=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=asqs+wVl; arc=none smtp.client-ip=66.163.186.211
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com
Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1715886430; bh=yNlZ6SD8AV4L2IiFccQWOEbwRuaVS5TqhgBGaRz5hS0=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Subject:Reply-To; b=asqs+wVlFKgk77FMOf8o18CsUL3aYTBEr8Vd2ExIMeEDlhUtTyVn6FpEax04DGIBxTM4FiRhBrBrKrod2qCpcRLQMH5Xik6+nvOo8VeUnkao2MdyeZSpPRAvEY+DnjOE19g5Z09M26OMo6cE4WhQM++b+zCf3lS4P0wx7xPy2Z2axd8LV9k8Es7U5ybr8t4PjYzdEKwBjK137knuIXtN37YbqXOYn70zGyGn1LH1Mxd+f9p6P8pfQ0DKNT5YytvWxc9PgFCbPqn4p/cq4bE4b8KMki8VVX2BBqF1TzUCkvfKGgyO5M8Xmj3ykQo+S4EzhA/wXZPnQOiThxYXYdWg9A==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1715886430; bh=xs+KbK7iZ6xb8mK5Dh8mGIcifqdDvmM0US8FwFZWRhp=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=Jvvobh+sWltZLAmlyjFixKR9nDEbO65QdDjVDUTGfMzFheEcUgvTbJAGlkDWRpOcMbJurZ6TZ3klHhucFvCGdjrfD+TecXaZL/e1c8t84szXs6QX3AIQFiN/YriJe5dzeoxPKoEn0YdreICy965aWGPELwizkcB9A028DefgEVsxfp00zeTCSUfESNKfHIR1OJVvFLaBxkSdyd/LP2mJjNY1tasn7pdM9wKXU03+TeRqYOshOkq7yIBhNRol41OUnEWFAhe1zlfdYA7q7JwPiXGZGvS8U1K4wDAyoSKjqgSP5BMFPNU69Z5D70YxvqMLQHG64coP1JC2maU86x5GOQ==
X-YMail-OSG: pZBMlF8VM1k2zM2XHcCduB696.Z_YU2fsX5EmVOh6R0JnHnJI8PWMIznjX5mEQf
 Z7KMY55FzxPakQobR1lVZHHHQIJMqULL.t6gufmJ3RF.AxcHnD6yfDQcnTUvcXMXOCzClqORm3nE
 qXIHnF3GPVG9vlAUMjqMyPvyeSQ32pD89D8Xwb3CeLnpvFETG38Hkz197lc2gXbD8LX1nmLBpz3s
 xT5kAkiDVxum841pNFUhyTp5zijzlkLe7oq29Lty0y2zpZDR0anxz5d7Yhz6p0t7bul7wCvCEaH4
 A05.R2OdXdTL0u2vIAHCVxmiseZZ2GuT91bBB04hZg_OK0Xv_Iptps9AseR4Z4lkulMSEMmagfAY
 cSMJaiUxYJtG13KQzJYWaXs2jXDdR51dQLCIeRJh.GxIuMhXHuSjlA5QuZpmS_C_x6ntBfB.sVBh
 t_qizro1_UYBlAJsEhIg9.mk9P6mqG665_DwmLzltxj8Dmj_wXSTH_l_dRvdmH8ZYbRg4kqMD4SC
 5s_OXQ8afqu0BTxo8s2DF_RlXtKROPwX.cvEikrOEi6vpOdN2sz6379Jr9.jdPlmBBMPOiaG4g1w
 z6qNztXrLZyhrPJ6LF.mRrJluHf4eCte3M6qgG7rEvh86RBbvbzJLheb_0aoKr9QPkl59ISiwMQg
 xO0ZXT2HDmW28eqbbqzL0CyzEmmyrCibk.KmRrObawRwrrwx8GstXlpb3M7JJDCE74rQtjY377GS
 hjrO2B2lB1fLWscC_KUC7ktCdTMYhF6AyYGBr9k_pEZlxOrjggZ0Nvb0xFc_KjMifHLmRI7I75p.
 xB_zEdlvr9typvSIIEFn_dPc3gJSHsFw6lnjCbofx3tMGUDSE2PqCJNLe7LPdBX908ITsQpw2xwy
 pM9h.GYqw1HRkYiXaCB7siZmWx.w.mTSPADNytEBh3VFOl4nxOcvgSZycUuu6fsf3jEMqoH52Kgz
 w45fCrQn_FP6PeOxWIs7ChQkHY7tydT0T5d_s1wsDfwsyvwzI.NArkFRgkFt_ai5eSssQ0aGPGEf
 eTWKmGi3UUrjVTSsZAjDqN8wqpX1FzR_wjGeIQLtS76iUbkbDZfXQy6EBjeBW88SseUSTcNCE.b_
 K5tRJkcq9tgFUmk7WRkFoGGQyrZ5g6r0mGt1RqqeqZkpxED85coDid8UCFXJGRDb9FyBsBjGsoQN
 x3_5nXXcp3ZH64pfQCI7qy4wSEeuiuP36jxYhJO2M52yooM19CBMUR3pBhdw.mj7VeZWbVLNNDzL
 9qIvhALHLYMs4cuz6ILakLYRkVGiwMuD5IB4_as7DI1WMoMKQAZQAeUxllqsr2w_YRKlUueaBWr3
 Rs9gNMDDcY3xZ0Vg_.j_hKZwen3JQw_XX7V0I01PGziLVP5o04Ec5SUj83.n24ivjg5qzcatSJn0
 g1mpqL4qubfa0.yWBrcya.DOfbEy7gic3987u2YnV.3HzsYMTRw2Vnbm0d9OZV7oxRIDGLyoPWuq
 bh8eBW4JO495aOJdUDOHykA240F2BHnpTN7fMs5d8WVF8oetz1SP9AwHZ0Oaqrw6ldxEsYLMsIC5
 rTgTBt.XW6AH1TuzhNQ.N.QaK4aBsJgQTeHh2OlenGki1rx5o7lHBsHHYQjec50U0f0GCVJNw5N_
 KwC9NqQmVFbnWgR5wvNrBLJ9Dn9DfqG0ygycdY7IXlph_csrhAwSW88CPA2KQ0Z9BHcU2aVzXQpa
 ZodEMiLGQWfUWDYkOLCV2Fh7iJ0hIpxNCAOzX9KZbm.nKWi5LEncuAx1jMVtbMkSyYOVozma6Cw3
 6h.7UqmnD9kQZoLTThG2Br59eiaDyQPXTQvY5BlZRBXrtJ_GotWzuYiOp7SjvtV2F6A9jRda2IhW
 x1JkE7n2AqqEo8mnE9hfaz686.PskkbnVK_4DIiuMgbHh8Q0G1R.1fgwlhkwzicxChyFh6APhA7v
 hkDMBNiPSKl5u5SnrUrCYGUjKgLgCPTxpLPUkvpfU11YEhtLwDauceqASXpsF_FyEkzqLZhtCk.g
 U2jrkSz43B4x9S6.AzXGQ9oJId195N7nTp_FmLe6kZkc1C.PfgsxMyXrDxBXjX0Ndg9rOTpMYZsK
 TvLxMfChMzyr7o6zSoAZi4ylavGxrRaWz8Lo.KF8M1n6hCrAvn51JAng9DefzfNq3hIgyFV5LAyW
 eAVF0Fq8shIwp6lfBaf_QCU8q1IH0mQIWRIkjqrLWH1lPP96E3X0XJYggw9G56RiDhVsEukEctkx
 IWFGAOotXkWo1G6smNegb0DDYRoC7TPvsBpcehz3En506hKJloY67PpFivSixL1q5FWZUUw0hgMV
 AiyASE4Mos9fT
X-Sonic-MF: <casey@schaufler-ca.com>
X-Sonic-ID: cc1a172b-e4e9-4422-891f-00a5a4d558f7
Received: from sonic.gate.mail.ne1.yahoo.com by sonic310.consmr.mail.ne1.yahoo.com with HTTP; Thu, 16 May 2024 19:07:10 +0000
Received: by hermes--production-gq1-59c575df44-94tst (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 8763c159b28ba26d1fa19a878a48be67;
          Thu, 16 May 2024 19:07:08 +0000 (UTC)
Message-ID: <2804dd75-50fd-481c-8867-bc6cea7ab986@schaufler-ca.com>
Date: Thu, 16 May 2024 12:07:07 -0700
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH 0/3] Introduce user namespace capabilities
To: Jonathan Calmels <jcalmels@3xx0.net>, brauner@kernel.org,
 ebiederm@xmission.com, Luis Chamberlain <mcgrof@kernel.org>,
 Kees Cook <keescook@chromium.org>, Joel Granados <j.granados@samsung.com>,
 Serge Hallyn <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>,
 James Morris <jmorris@namei.org>, David Howells <dhowells@redhat.com>,
 Jarkko Sakkinen <jarkko@kernel.org>, Casey Schaufler <casey@schaufler-ca.com>
Cc: containers@lists.linux.dev, linux-kernel@vger.kernel.org,
 linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org,
 keyrings@vger.kernel.org
References: <20240516092213.6799-1-jcalmels@3xx0.net>
Content-Language: en-US
From: Casey Schaufler <casey@schaufler-ca.com>
In-Reply-To: <20240516092213.6799-1-jcalmels@3xx0.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Mailer: WebService/1.1.22356 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo

On 5/16/2024 2:22 AM, Jonathan Calmels wrote:
> It's that time of the year again where we debate security settings for user
> namespaces ;)
>
> I’ve been experimenting with different approaches to address the gripe
> around user namespaces being used as attack vectors.
> After invaluable feedback from Serge and Christian offline, this is what I
> came up with.
>
> There are obviously a lot of things we could do differently but I feel this
> is the right balance between functionality, simplicity and security. This
> also serves as a good foundation and could always be extended if the need
> arises in the future.
>
> Notes:
>
> - Adding a new capability set is far from ideal, but trying to reuse the
>   existing capability framework was deemed both impractical and
>   questionable security-wise, so here we are.

I suggest that adding a capability set for user namespaces is a bad idea:
	- It is in no way obvious what problem it solves
	- It is not obvious how it solves any problem
	- The capability mechanism has not been popular, and relying on a
	  community (e.g. container developers) to embrace it based on this
	  enhancement is a recipe for failure
	- Capabilities are already more complicated than modern developers
	  want to deal with. Adding another, special purpose set, is going
	  to make them even more difficult to use.

> - We might want to add new capabilities for some of the checks instead of
>   reusing CAP_SETPCAP every time. Serge mentioned something like
>   CAP_SYS_LIMIT?
>
> - In the last patch, we could decide to have stronger requirements and
>   perform checks inside cap_capable() in case we want to retroactively
>   prevent capabilities in old namespaces, this might be an overreach though
>   so I left it out.
>
>   I'm also not fond of the ulong logic for setting the sysctl parameter, on
>   the other hand, the usermodhelper code always uses two u32s which makes it
>   very confusing to set in userspace.
>
>
> Jonathan Calmels (3):
>   capabilities: user namespace capabilities
>   capabilities: add securebit for strict userns caps
>   capabilities: add cap userns sysctl mask
>
>  fs/proc/array.c                 |  9 ++++
>  include/linux/cred.h            |  3 ++
>  include/linux/securebits.h      |  1 +
>  include/linux/user_namespace.h  |  7 +++
>  include/uapi/linux/prctl.h      |  7 +++
>  include/uapi/linux/securebits.h | 11 ++++-
>  kernel/cred.c                   |  3 ++
>  kernel/sysctl.c                 | 10 ++++
>  kernel/umh.c                    | 16 +++++++
>  kernel/user_namespace.c         | 83 ++++++++++++++++++++++++++++++---
>  security/commoncap.c            | 59 +++++++++++++++++++++++
>  security/keys/process_keys.c    |  3 ++
>  12 files changed, 204 insertions(+), 8 deletions(-)
>