Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp1152102lqo;
        Fri, 17 May 2024 12:17:39 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWNBVtj8OGzVWbjhftBDo7VEIqoXQNkdRYuengztnuF+ZfrkthJ613VW+NVocMLCOL27HoWIYLX3ELYmyHkLgF/n8fcNkg5yN5lY++m9Q==
X-Google-Smtp-Source: AGHT+IFYEeuC2gGt6ugPOB9NGBu7zPQaxsqB78oCgsPOM+ChS5tuXSFJdK6MgYyxahXbFj0h/bD6
X-Received: by 2002:a05:620a:384:b0:790:b1db:d28 with SMTP id af79cd13be357-792c75f26bcmr2539398685a.48.1715973459672;
        Fri, 17 May 2024 12:17:39 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715973459; cv=pass;
        d=google.com; s=arc-20160816;
        b=Sd5hi6XaXZZLgEmFyRtD3dIncgLolKPcGHB84cl7rEnRPGk1vHzTf0l54JAVD0Bq9J
         arda1PJhspy5GzYXus5qw4gk6U63vY/jeSJAOvh4R6lPp/wT9MZ6eQ3Cd3tLtADV3BVK
         sf5oaz7PepejhKcko4pfCBlloH4HsRjVD0Db0jnIp9Qmn0Ng90edFkJbdxHHqOGRNZ/Z
         FrJ0h6Bqkm9YrC3DDIqzUOZCiWTIzZXLiORecV5iEl06l/Oyt3NqOEgoRGBQOLsPQ7cS
         1kiS/NLp4F3gzB8sE/XG6Dc4HpJ/8FQWu7CQaI+CCeAJ+aOcHDQPk9fM4GDWy71xHOF2
         Hm/A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:feedback-id:dkim-signature:dkim-signature;
        bh=DG6bdjmTz4bBiRVx5vRqnyJGZODkSyHM0WPBKPD11vg=;
        fh=N5PW5If4CD1maMxe1MoqwgDCI0s/78id/dnM6lPVf4E=;
        b=UMpGnKIc1IsszSb6v/6ZXxd+aQaBI3v2notX4LPMnR8nb5kXMYrYxGVxdDnR4V3nWP
         o/LEt7zq6GAv8+GnK2UktA8ikryrQDfUTYEgVH0A8qImnwh5Kk6WWl9rqUQQwVnr9uae
         +h8KiNL3GnaNl7XFQ+4XDPGoIWgwh32mOISsna2y//nJgq7jET22Wl9NqiaNagDiQIcN
         6GJLkDu5gQM+wkUJANnMx71tPhAjGSXbyb6t4/udj45V2bzYrzzk3fdyBx5TR9s7BIGF
         Kq+Xh9MC7yHAgR5pegBOvhLG038r1M8vQBkbcuoIBzFdLjWqVAm7BCdjvTbRVI7YhQVe
         DUIw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=neutral (expired) header.i=@3xx0.net header.s=fm1 header.b=uMfGVJkU;
       dkim=neutral (expired) header.i=@messagingengine.com header.s=i76614979.fm3 header.b=TDNEW63p;
       arc=pass (i=1 spf=pass spfdomain=3xx0.net dkim=pass dkdomain=3xx0.net dkim=pass dkdomain=messagingengine.com dmarc=pass fromdomain=3xx0.net);
       spf=pass (google.com: domain of linux-kernel+bounces-182496-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182496-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=3xx0.net
Return-Path: <linux-kernel+bounces-182496-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id af79cd13be357-792bf30b68dsi1939432385a.354.2024.05.17.12.17.39
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 17 May 2024 12:17:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-182496-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       dkim=neutral (expired) header.i=@3xx0.net header.s=fm1 header.b=uMfGVJkU;
       dkim=neutral (expired) header.i=@messagingengine.com header.s=i76614979.fm3 header.b=TDNEW63p;
       arc=pass (i=1 spf=pass spfdomain=3xx0.net dkim=pass dkdomain=3xx0.net dkim=pass dkdomain=messagingengine.com dmarc=pass fromdomain=3xx0.net);
       spf=pass (google.com: domain of linux-kernel+bounces-182496-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182496-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=3xx0.net
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id C975D1C20BB0
	for <linux.lists.archive@gmail.com>; Fri, 17 May 2024 17:58:37 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E0B3013E3E6;
	Fri, 17 May 2024 17:57:29 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=3xx0.net header.i=@3xx0.net header.b="uMfGVJkU";
	dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="TDNEW63p"
Received: from wflow2-smtp.messagingengine.com (wflow2-smtp.messagingengine.com [64.147.123.137])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3852B13DDCA;
	Fri, 17 May 2024 17:57:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=64.147.123.137
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715968648; cv=none; b=nIrom0Z2xz7JRQxQxCl5TtU2iuO1Edqt/bKFh/QoeQvFMCtIO3qKv9vmxnso8cVJjcGVrhU1m8bIaxyY+fDE85jWnuX1IroS2yZZQbbFGOMZ5sROoMRecAtNBr7lL2Bk26prs7TYD+0bl5O45Iw4FszoWLkWZ1cJ+kpcEnXC5Q0=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715968648; c=relaxed/simple;
	bh=I2w45PghcaqjI+y7WfkIeFOVTyWdnhXIf4c8rZ8OaJw=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=KnIDRhrQfP7T8N2nKCGyXi5RNUnz8pF8ACH3RTkFbJOnbzG1phL52NNPOnJf+O6B8W0HELQ/VhVgFAoG3Z779J1FvSFStRrul9eepvTX6R5VyC9SHHxFPpECA+wSFgvVDVnYKXAtiV4vib4eGQ6HgICwMZWY8YRFPaHWttBtfu4=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=3xx0.net; spf=pass smtp.mailfrom=3xx0.net; dkim=pass (2048-bit key) header.d=3xx0.net header.i=@3xx0.net header.b=uMfGVJkU; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=TDNEW63p; arc=none smtp.client-ip=64.147.123.137
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=3xx0.net
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=3xx0.net
Received: from compute7.internal (compute7.nyi.internal [10.202.2.48])
	by mailflow.west.internal (Postfix) with ESMTP id 7886D2CC010B;
	Fri, 17 May 2024 13:57:25 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
  by compute7.internal (MEProxy); Fri, 17 May 2024 13:57:26 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=3xx0.net; h=cc
	:cc:content-type:content-type:date:date:from:from:in-reply-to
	:in-reply-to:message-id:mime-version:references:reply-to:subject
	:subject:to:to; s=fm1; t=1715968645; x=1715972245; bh=DG6bdjmTz4
	bBiRVx5vRqnyJGZODkSyHM0WPBKPD11vg=; b=uMfGVJkUQVRfm1T4SuQfg81+Vd
	5+EwSSzA1veRwFXODlGOsYMfbC5e9PDXupLK9HyaH/xalBd1s2kzVUiWMT2yQzvw
	hwRQ1fjYhfph5jS6R/35a6KtY34plcZMeR9Ze6xsvaXAZmSVgYgDUo2CD8pKLFPo
	Xy/T7Yx76YZjEUvdKWTQ/L8b+RH71BSELaxN8E1DA4gdeovy8JQ/GaJdIRS7/+JU
	nOR9kD+ElEjP9xlmH0WurtQuTo73SZegb2IizZ8K96HXLon2ZWd8yjQxXX9/jyWV
	LYzWnUzZv2IlDZ6c/LFUuMihTF52VWHKB3S26Kahi3BE/rYv+w/AkiBW4sjQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-type:content-type:date:date
	:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:subject:subject:to
	:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
	i76614979.fm3; t=1715968645; x=1715972245; bh=DG6bdjmTz4bBiRVx5v
	RqnyJGZODkSyHM0WPBKPD11vg=; b=TDNEW63pXqb2VU0CcKW4l1HzhcHIdknUB/
	pz14lQW13kC6oa25PaUJ3EtzVqxHTnNRnTjcdfH+8czm5HMuaNUoZJNfrrzALEjj
	BhXP3yluNNAc75YUSlp2g1JKsDbzm4O1ZNjegjBzQEutxAV2qwhBA+PiVAl2qSTD
	wcvi2l7YIS6ZSe/e860AJvkLBo69+YWUv9s79bv4P/X0XeFjuMU/7FXm6jZHziD5
	dV8pUspsjHJiSbf/yF1J/558iKeCjLZNiZRLmWuEOFh+rxdDTbikzjB/nf4RuUcS
	9zUWeQhZVMpSt+DZfp2vzbU8AQQhAgnJoJrumNrLMdK5EsRfgtng==
X-ME-Sender: <xms:hJpHZgt-DnLYAP4XfCB3f4QDQ4JOhbJ0kjv4C7wIKndVKYrK6cgIIQ>
    <xme:hJpHZteog5l-85Pkdhrlk26_ZDbUVd1ZBbQGP0nfgODF4pJa5auMVRXbP8aJJU3Up
    NcIi4mMySIixXSafOo>
X-ME-Received: <xmr:hJpHZrxlVLZZGOGFQfKZBifYj11s-ibw1SC9sayyin6qUTgQyif-0J2hn7vqmYdM9hEJR-MQ_giyQTDryczmkrI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrvdehgedgvdehucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    cujfgurhepfffhvfevuffkfhggtggujgesthdtsfdttddtjeenucfhrhhomheplfhonhgr
    thhhrghnucevrghlmhgvlhhsuceojhgtrghlmhgvlhhsseefgiigtddrnhgvtheqnecugg
    ftrfgrthhtvghrnhepkeekteegfefgvdefgfefffeufeffjedvudeijeehjeehffekjeek
    leffueelgffgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh
    homhepjhgtrghlmhgvlhhsseefgiigtddrnhgvth
X-ME-Proxy: <xmx:hJpHZjOliYt1B30kBgmlLYDz3U_k0ILR04enLwlswHtl81Hc9_tOOw>
    <xmx:hJpHZg_tTtVt17uZ85S7l8qt2ezP1HcqKp8HG_d_HTVqD7c6KaT-Cg>
    <xmx:hJpHZrUFUcj0c_VL6ZrIN41Q8tSZ2WWCOA-aRCVfDXmGeifvQPDOGA>
    <xmx:hJpHZpedGcEgWYQAWwY_aGP7jCPuyq_4VonVfo014ODZjsk29EXztw>
    <xmx:hZpHZrUx1OlgTMngfhQPqJ-LWsX64N4U3yZMVc9MloMg7FfoIwLl0U3_>
Feedback-ID: i76614979:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri,
 17 May 2024 13:57:22 -0400 (EDT)
Date: Fri, 17 May 2024 11:02:23 -0700
From: Jonathan Calmels <jcalmels@3xx0.net>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: brauner@kernel.org, Luis Chamberlain <mcgrof@kernel.org>, 
	Kees Cook <keescook@chromium.org>, Joel Granados <j.granados@samsung.com>, 
	Serge Hallyn <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>, 
	James Morris <jmorris@namei.org>, David Howells <dhowells@redhat.com>, 
	Jarkko Sakkinen <jarkko@kernel.org>, containers@lists.linux.dev, linux-kernel@vger.kernel.org, 
	linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH 1/3] capabilities: user namespace capabilities
Message-ID: <mya7cjq5yzf4xc53un65zia2bwp45mbrt5ys67mgr4azn3phet@o54svegibxze>
References: <20240516092213.6799-1-jcalmels@3xx0.net>
 <20240516092213.6799-2-jcalmels@3xx0.net>
 <878r08brmp.fsf@email.froward.int.ebiederm.org>
 <xv52m5xu5tgwpckkcvyjvefbvockmb7g7fvhlky5yjs2i2jhsp@dcuovgkys4eh>
 <87jzjsa57k.fsf@email.froward.int.ebiederm.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <87jzjsa57k.fsf@email.froward.int.ebiederm.org>

> > On Fri, May 17, 2024 at 06:32:46AM GMT, Eric W. Biederman wrote:
> As I read your introduction you were justifying the introduction
> of a new security mechanism with the observation that distributions
> were carrying distribution specific patches.
> 
> To the best of my knowledge distribution specific patches and
> distributions disabling user namespaces have been gone for quite a
> while.  So if that has changed recently I would like to know.

On the top of my head:

- RHEL based:
  namespace.unpriv_enable
  user_namespace.enable

- Arch/Debian based:
  kernel.unprivileged_userns_clone

- Ubuntu based:
  kernel.apparmor_restrict_unprivileged_userns

I'm not sure which exact version those apply to, but it's definitely
still out there.

The observation is that while you can disable namespaces today, in
practice it breaks userspace in various ways. Hence, being able to
control capabilities is a better way to approach it.

For example, today's big hammer to prevent CAP_NET_ADMIN in userns:

# sysctl -qw user.max_net_namespaces=0

$ unshare -U -r -n ip tuntap add mode tap tap0 && echo OK
unshare: unshare failed: No space left on device

With patch, this becomes manageable:

# capsh --drop=cap_net_admin --secbits=$((1 << 8)) --user=$USER -- \
        -c 'unshare -U -r -n ip tuntap add mode tap tap0 && echo OK'
ioctl(TUNSETIFF): Operation not permitted