Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp939399lqo; Fri, 17 May 2024 06:22:16 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVEtPMP84PmSypvp8CjFbmkibNWNzWkmGONF/CEgfrLHmzC1SUFYcNZYF4XKeawDI4ES9wfE2rzAPkLKDlWec7LinwT8IQeUb6dQh3woQ== X-Google-Smtp-Source: AGHT+IFJoEqMnq4Fw221bTNhQOYhbPsZ5geZqXK7gerYYtwgvEWa9qKJQ+tS5DB4gCgCgaW6mrfU X-Received: by 2002:a05:651c:1a21:b0:2e2:64d:6849 with SMTP id 38308e7fff4ca-2e52039dc74mr213707181fa.50.1715952135781; Fri, 17 May 2024 06:22:15 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715952135; cv=pass; d=google.com; s=arc-20160816; b=1IEpSegfyxBqNGLwVfETvNoGTwj+/gZfJOub+HiDjsd13ues8Ib3dKQ7dZKbJEO40u /mN2NcjzRdck1e45q/TzZAz9rrDm/6XGA6Az2w9F37NFnDqQ4n1RSei8Z7bpYRCn4bNG THAFE27VqakH4bcp91FmPCzP9BCq31nSM6GrE12q6fHTzcoExaWMVPyqy3LVAnY8Jp5w j3OEdIQ1igAMILPTng1QnJaryW1kuzCkYNHhtTNibNjgHsxNeJjsVOdxzNf8MnubNH1M zIp02romjn+f0kp7VFArM3rkDbL4fRgHuQa2uDCQmlVl2buOEQfDg4YJdWZOpK96bj69 zoTg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:feedback-id:dkim-signature:dkim-signature; bh=nI3D7dv9mamdu0MSJ/mg14u62h/nEOjeznANWab6vVU=; fh=YgSg4bKXPNxkh0nz9nc0JfJeh3Pjtz+JvJs8hyqtlTw=; b=aQjOpOSXtrj23oUweW2gHBaYDG1HXiGi5wmy9HEr+zpY5Wi0ocNvX8lZIGCc0Qsz4i 0Vy4CqU60cnzHQjrs7Xtx33vumc5BWY2TztYT6CUY92hiEVBdj/xvApQSLymWedFJWdF 08fViFOouTi9Yd/9kdo1sE0nD2NVLveqxY05mIvif7tf+DdvlzW2BhlGIGW7DyiCpWXN 0uMM1Q9ozocJKI6lqiyfCyuYH5Oi/qn45A8h2u5inETeR8eKei8n3jRComFP2BwCfTvX mcmNWtX6jZZ87dR9WYuhhJCIBpabUxl513oW8c1LvPg6Zfxvcab3eeBeHSDxowMl0lzE 76mA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=neutral (expired) header.i=@3xx0.net header.s=fm1 header.b=RP7soohG; dkim=neutral (expired) header.i=@messagingengine.com header.s=i76614979.fm3 header.b=Yow8Rti0; arc=pass (i=1 spf=pass spfdomain=3xx0.net dkim=pass dkdomain=3xx0.net dkim=pass dkdomain=messagingengine.com dmarc=pass fromdomain=3xx0.net); spf=pass (google.com: domain of linux-kernel+bounces-182060-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182060-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=3xx0.net Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id a640c23a62f3a-a5a17be6fa8si1008436466b.856.2024.05.17.06.22.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 06:22:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-182060-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=neutral (expired) header.i=@3xx0.net header.s=fm1 header.b=RP7soohG; dkim=neutral (expired) header.i=@messagingengine.com header.s=i76614979.fm3 header.b=Yow8Rti0; arc=pass (i=1 spf=pass spfdomain=3xx0.net dkim=pass dkdomain=3xx0.net dkim=pass dkdomain=messagingengine.com dmarc=pass fromdomain=3xx0.net); spf=pass (google.com: domain of linux-kernel+bounces-182060-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182060-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=3xx0.net Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 81F321F23FC3 for ; Fri, 17 May 2024 11:37:19 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C67833F8EA; Fri, 17 May 2024 11:37:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=3xx0.net header.i=@3xx0.net header.b="RP7soohG"; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="Yow8Rti0" Received: from wflow6-smtp.messagingengine.com (wflow6-smtp.messagingengine.com [64.147.123.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1EB1839FE0; Fri, 17 May 2024 11:37:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=64.147.123.141 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715945827; cv=none; b=t+vWUCRdghkev4ovXSn/1xnV2Q5UZBRO/VK1/Uy7SahJb7+t8FDu/jQ6ikCbmQ6quHGVzyISu6OqVsAFY2VTFagALK5Ez2Ve2Xl2O5gRk/xV0h8yyrPu1Xno0FP2DmCB6USQUIiMerQ0Czx3myPF3Ziyam9miBqb/CkXpq60Ros= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715945827; c=relaxed/simple; bh=9iwRhGote2VDlqpW9jTKlkdZQA3B+wPYMKRzpfbwwc4=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=EhlqbkfybwvGlawJDVKcDhgl6rybsr7+Oo+6ykvvWM02/s7UvAdBUkbJAUNe1QGsCKL3TKI6MFz4AUWAzQ32YILq2OwMzLNo2Y9aqtMbmK1ceKdlwtglq+MX1DbwOBcVjlGPo4zKZFjAu70neG2Q405v5oS5UI3iY9OjrkVRVIU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=3xx0.net; spf=pass smtp.mailfrom=3xx0.net; dkim=pass (2048-bit key) header.d=3xx0.net header.i=@3xx0.net header.b=RP7soohG; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=Yow8Rti0; arc=none smtp.client-ip=64.147.123.141 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=3xx0.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=3xx0.net Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailflow.west.internal (Postfix) with ESMTP id 2DF562CC0146; Fri, 17 May 2024 07:37:04 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Fri, 17 May 2024 07:37:05 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=3xx0.net; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1715945823; x=1715949423; bh=nI3D7dv9ma mdu0MSJ/mg14u62h/nEOjeznANWab6vVU=; b=RP7soohGfwMt3AO8dys3F2agT+ EJoeH1j6f/glE00+8FdBTfi+nIkvSiQsJMzL/hwQkn6uCE7KSJ0MweWaxzFCqNwW fXwyJ79qcIdGeKWlLv4vqx00QPKZhsWdADHQedVow+sRy/e1diFo8xN80ELcvNky qmzZSLWm4YeI0+DjQyq+HmWje9eYdAYqAds1DOZ08EAD5QixDFhhAIgDddApmflC +CYyEy0ds6LRlAFGR1R9lScGMaFlskvtMmkIhvGG0d3NC/UbhvHNUbxvF/qpvm8N j0Hg9ElKIZK+FIDMZNmV9kLkSWFBTp2HeLsHtytIYrZQ631cSuphJnhldEEg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= i76614979.fm3; t=1715945823; x=1715949423; bh=nI3D7dv9mamdu0MSJ/ mg14u62h/nEOjeznANWab6vVU=; b=Yow8Rti0jLSufYdeUU+Zt81/T5g8I0tDeQ H2YLccyc78jDer7JXkdBBWemJsc82/oINbcPb+RPjtK1mFaqouIQp3FfmHAHeaz2 B64dlAPJKZ0KUNzIq6n++6YqAetFzWU8JrEda4OShudEjGcN9TCJe48+wSOF5c4B JPVzNH9niYpxlYXlfO2rXcOsbSP0LC37UUP6/TBM2DF/myvLFq6FfjHZT4DHW+fs gqgQE1pPvvyfxfRy5pm8ezvWLfph39KPiajmY6RivnFhTygiTdWn96ixaVqlFKOx 5mg4G2THALUdw49d167R5iA9jU29zZQStpwCw/4YQaUAsbewWODg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrvdehfedgleegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvfevuffkfhggtggujgesthdtsfdttddtjeenucfhrhhomheplfhonhgr thhhrghnucevrghlmhgvlhhsuceojhgtrghlmhgvlhhsseefgiigtddrnhgvtheqnecugg ftrfgrthhtvghrnhepjeeigefhffdtledukeekueekffdulefhteejhfelvdeftdelteet gedufeeukedunecuffhomhgrihhnpehprghmpggtrghprdhsohenucevlhhushhtvghruf hiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehjtggrlhhmvghlshesfeiggidt rdhnvght X-ME-Proxy: Feedback-ID: i76614979:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 17 May 2024 07:37:00 -0400 (EDT) Date: Fri, 17 May 2024 04:42:02 -0700 From: Jonathan Calmels To: Jarkko Sakkinen Cc: Casey Schaufler , brauner@kernel.org, ebiederm@xmission.com, Luis Chamberlain , Kees Cook , Joel Granados , Serge Hallyn , Paul Moore , James Morris , David Howells , containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org Subject: Re: [PATCH 0/3] Introduce user namespace capabilities Message-ID: References: <20240516092213.6799-1-jcalmels@3xx0.net> <2804dd75-50fd-481c-8867-bc6cea7ab986@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: > > > On Thu May 16, 2024 at 10:07 PM EEST, Casey Schaufler wrote: > > > > I suggest that adding a capability set for user namespaces is a bad idea: > > > > - It is in no way obvious what problem it solves > > > > - It is not obvious how it solves any problem > > > > - The capability mechanism has not been popular, and relying on a > > > > community (e.g. container developers) to embrace it based on this > > > > enhancement is a recipe for failure > > > > - Capabilities are already more complicated than modern developers > > > > want to deal with. Adding another, special purpose set, is going > > > > to make them even more difficult to use. Sorry if the commit wasn't clear enough. Basically: - Today user namespaces grant full capabilities. This behavior is often abused to attack various kernel subsystems. Only option is to disable them altogether which breaks a lot of userspace stuff. This goes against the least privilege principle. - It adds a new capability set. This set dictates what capabilities are granted in namespaces (instead of always getting full caps). This brings namespaces in line with the rest of the system, user namespaces are no more "special". They now work the same way as say a transition to root does with inheritable caps. - This isn't intended to be used by end users per se (although they could). This would be used at the same places where existing capabalities are used today (e.g. init system, pam, container runtime, browser sandbox), or by system administrators. To give you some ideas of things you could do: # E.g. prevent alice from getting CAP_NET_ADMIN in user namespaces under SSH echo "auth optional pam_cap.so" >> /etc/pam.d/sshd echo "!cap_net_admin alice" >> /etc/security/capability.conf. # E.g. prevent any Docker container from ever getting CAP_DAC_OVERRIDE systemd-run -p CapabilityBoundingSet=~CAP_DAC_OVERRIDE \ -p SecureBits=userns-strict-caps \ /usr/bin/dockerd # E.g. kernel could be vulnerable to CAP_SYS_RAWIO exploits # Prevent users from ever gaining it sysctl -w cap_bound_userns_mask=0x1fffffdffff