Date: Fri, 17 May 2024 12:11:52 -0700
From: Jonathan Calmels
To: Casey Schaufler
Cc: Jarkko Sakkinen, brauner@kernel.org, ebiederm@xmission.com, Luis Chamberlain, Kees Cook, Joel Granados, Serge Hallyn, Paul Moore, James Morris, David Howells, containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH 0/3] Introduce user namespace capabilities
References: <20240516092213.6799-1-jcalmels@3xx0.net> <2804dd75-50fd-481c-8867-bc6cea7ab986@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 17, 2024 at 10:53:24AM GMT, Casey Schaufler wrote:
> Of course they do. I have been following the use of capabilities
> in Linux since before they were implemented. The uptake has been
> disappointing in all use cases.

Why "Of course"? What if they should not get *all* privileges?

> Yes. The problems of a single, all powerful root privilege scheme are
> well documented.

That's my point, it doesn't have to be this way.

> Hardly.

Maybe I'm missing something, then. How do I restrict my users from
gaining say CAP_NET_ADMIN in their userns today?

> If you're going to run userspace that *requires* privilege, you have
> to have a way to *allow* privilege. If the userspace insists on a root
> based privilege model, you're stuck supporting it. Regardless of your
> principles.

I want *some* privileges, not *all* of them.

> Which is a really, really bad idea. The equation for calculating effective
> privilege is already more complicated than userspace developers are generally
> willing to put up with.

This is generally true, but this set is way more straightforward than the
other sets, it's always:

    pU = pP = pE = X

If you look at the patch, there is no transition logic or anything
complicated, it's just a set of caps being inherited.

> I would not expect container developers to be eager to learn how to use
> this facility.

And they probably wouldn't. For most use cases it's going to be enforced
through system policies (init, pam, etc). Other than that, usage won't
change, you will run your usual `docker run --cap-add ...` to get caps,
except now it works in userns.

> I'm sorry, but this makes no sense to me whatsoever. You want to introduce
> a capability set explicitly for namespaces in order to make them less
> special? Maybe I'm just old and cranky.
>
> > They now work the same way as say a transition to root does with
> > inheritable caps.
>
> That needs some explanation.

From man capabilities(7):

    In order to mirror traditional UNIX semantics, the kernel performs
    special treatment of file capabilities when a process with UID 0
    (root) executes a program [...]

    Thus, when [...] a process whose real and effective UIDs are zero
    execve(2)s a program, the calculation of the process's new permitted
    capabilities simplifies to:

        P'(permitted) = P(inheritable) | P(bounding)
        P'(effective) = P'(permitted)

So, the same way a root process is bounded by its inheritable set when it
execs, a "rootless" process is bounded by its userns set when it unshares.