Date: Fri, 17 May 2024 11:02:23 -0700
From: Jonathan Calmels
To: "Eric W. Biederman"
Cc: brauner@kernel.org, Luis Chamberlain, Kees Cook, Joel Granados, Serge Hallyn, Paul Moore, James Morris, David Howells, Jarkko Sakkinen, containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH 1/3] capabilities: user namespace capabilities
References: <20240516092213.6799-1-jcalmels@3xx0.net> <20240516092213.6799-2-jcalmels@3xx0.net> <878r08brmp.fsf@email.froward.int.ebiederm.org> <87jzjsa57k.fsf@email.froward.int.ebiederm.org>
In-Reply-To: <87jzjsa57k.fsf@email.froward.int.ebiederm.org>

On Fri, May 17, 2024 at 06:32:46AM GMT, Eric W. Biederman wrote:
> As I read your introduction you were justifying the introduction
> of a new security mechanism with the observation that distributions
> were carrying distribution specific patches.
>
> To the best of my knowledge distribution specific patches and
> distributions disabling user namespaces have been gone for quite a
> while. So if that has changed recently I would like to know.

Off the top of my head:

- RHEL based:
  namespace.unpriv_enable
  user_namespace.enable
- Arch/Debian based:
  kernel.unprivileged_userns_clone
- Ubuntu based:
  kernel.apparmor_restrict_unprivileged_userns

I'm not sure which exact versions those apply to, but it's definitely still out there.
The observation is that while you can disable namespaces today, in practice it breaks userspace in various ways. Hence, being able to control capabilities is a better way to approach it.

For example, today's big hammer to prevent CAP_NET_ADMIN in userns:

  # sysctl -qw user.max_net_namespaces=0
  $ unshare -U -r -n ip tuntap add mode tap tap0 && echo OK
  unshare: unshare failed: No space left on device

With the patch, this becomes manageable:

  # capsh --drop=cap_net_admin --secbits=$((1 << 8)) --user=$USER -- \
      -c 'unshare -U -r -n ip tuntap add mode tap tap0 && echo OK'
  ioctl(TUNSETIFF): Operation not permitted
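The message above lists the distro-specific knobs that still gate unprivileged user namespaces and shows the user.max_net_namespaces=0 hammer. The script below is an added example, not part of this thread or of the patch series: it probes those knobs on a host and classifies what an unprivileged "unshare -U -r -n" will run into, which is the first thing to check before reasoning about whether a capability-based control is even needed on a given box. The SYSROOT prefix and the function names (knob_value, cmdline_has, userns_policy, report) are this example's own; reading the two RHEL entries from /proc/cmdline as boot parameters rather than as sysctls is an assumption of the example, not something the message states.

```shell
#!/bin/sh
# Added example, not from the thread or the patch: probe the knobs that gate
# unprivileged user namespaces and classify the host's effective policy.
#
# SYSROOT is an assumption of this example: it prefixes /proc so the probe can
# be pointed at a constructed tree for testing. Empty means the live system.
SYSROOT="${SYSROOT:-}"

# Value of a sysctl given in dotted form, or "absent" when the running kernel
# does not expose it. Mainline exposes only the user.max_*_namespaces limits;
# the kernel.* knobs below exist only on distro kernels or with AppArmor.
knob_value() {
    path="$SYSROOT/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo absent
    fi
}

# True when the boot command line carries "<param>=...". The RHEL entries
# from the message (namespace.unpriv_enable, user_namespace.enable) are
# treated here as boot parameters; that reading is an assumption.
cmdline_has() {
    file="$SYSROOT/proc/cmdline"
    [ -r "$file" ] || return 1
    for tok in $(cat "$file"); do
        case "$tok" in "$1="*) return 0 ;; esac
    done
    return 1
}

# Classify the host, most restrictive first:
#   blocked              unprivileged userns creation is switched off outright
#   apparmor-restricted  Ubuntu's AppArmor gate is on (profiles decide)
#   net-blocked          userns allowed, but no netns inside it (max_net_namespaces=0)
#   open                 none of the knobs above is in the way
userns_policy() {
    if [ "$(knob_value kernel.unprivileged_userns_clone)" = 0 ]; then
        echo blocked
    elif [ "$(knob_value user.max_user_namespaces)" = 0 ]; then
        echo blocked
    elif [ "$(knob_value kernel.apparmor_restrict_unprivileged_userns)" = 1 ]; then
        echo apparmor-restricted
    elif [ "$(knob_value user.max_net_namespaces)" = 0 ]; then
        echo net-blocked
    else
        echo open
    fi
}

# Human-readable report for the live system (or for SYSROOT).
report() {
    for k in kernel.unprivileged_userns_clone \
             kernel.apparmor_restrict_unprivileged_userns \
             user.max_user_namespaces user.max_net_namespaces; do
        printf '%-46s %s\n' "$k" "$(knob_value "$k")"
    done
    for p in user_namespace.enable namespace.unpriv_enable; do
        if cmdline_has "$p"; then v=set; else v=unset; fi
        printf '%-46s %s\n' "boot:$p" "$v"
    done
    printf '%-46s %s\n' "policy" "$(userns_policy)"
}

report
```

Run it as an ordinary user; every path it reads is world-readable. "net-blocked" is exactly the state the message's sysctl example produces: the user namespace itself is created, and it is the nested network namespace that fails with ENOSPC.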