Received-SPF: pass (google.com: domain of linux-kernel+bounces-182768-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Feedback-ID: i76614979:Fastmail
Date: Fri, 17 May 2024 20:50:44 -0700
From: Jonathan Calmels <jcalmels@3xx0.net>
To: John Johansen <john.johansen@canonical.com>
Cc: brauner@kernel.org, ebiederm@xmission.com, 
	Luis Chamberlain <mcgrof@kernel.org>, Kees Cook <keescook@chromium.org>, 
	Joel Granados <j.granados@samsung.com>, Serge Hallyn <serge@hallyn.com>, 
	Paul Moore <paul@paul-moore.com>, James Morris <jmorris@namei.org>, 
	David Howells <dhowells@redhat.com>, Jarkko Sakkinen <jarkko@kernel.org>, containers@lists.linux.dev, 
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, 
	linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH 1/3] capabilities: user namespace capabilities
Message-ID: <txmrzwf2kr6devb5iqghctgvtbccjaspf44entk4fopjbaet2j@zqdfxiy6y6ej>
References: <20240516092213.6799-1-jcalmels@3xx0.net>
 <20240516092213.6799-2-jcalmels@3xx0.net>
 <641a34bd-e702-4f02-968e-4f71e0957af1@canonical.com>
 <jwuknxmitht42ghsy6nkoegotte5kxi67fh6cbei7o5w3bv5jy@eyphufkqwaap>
 <be62b80f-2e86-4cbc-82ce-c9f62098ef60@canonical.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <be62b80f-2e86-4cbc-82ce-c9f62098ef60@canonical.com>

On Fri, May 17, 2024 at 04:59:41AM GMT, John Johansen wrote:
> On 5/17/24 03:51, Jonathan Calmels wrote:
> > This new capability set would be a universal thing that could be
> > leveraged today without modification to userspace. Moreover, it’s a
> > simple framework that can be extended.
> 
> I would argue that is a problem. Userspace has to change for this to be
> secure. Is it an improvement over the current state yes.

Well, yes and no. With those patches, I can lock down things today on my
system and I don't need to change anything.

For example I can decide that none of my rootless containers started
under SSH will get CAP_NET_ADMIN:

# echo "auth optional pam_cap.so" >> /etc/pam.d/sshd
# echo "!cap_net_admin $USER"     >> /etc/security/capability.conf
# capsh --secbits=$((1 << 8)) -- -c /usr/sbin/sshd

$ ssh localhost 'unshare -r capsh --current'
Current: =ep cap_net_admin-ep
Current IAB: !cap_net_admin

Or I can decide than I don't ever want CAP_SYS_RAWIO in my namespaces:

# sysctl -w cap_bound_userns_mask=0x1fffffdffff

This doesn't require changes to userspace.
Now, granted if you want to have finer-grained controls, it will require
*some* changes in *some* places (e.g. adding new systemd property like
UserNSSet=).

> > Well that’s the thing, from past conversations, there is a lot of
> > disagreement about restricting namespaces. By restricting the
> > capabilities granted by namespaces instead, we’re actually treating the
> > root cause of most concerns.
> > 
> no disagreement there. This is actually Ubuntu's posture with user namespaces
> atm. Where the user namespace is allowed but the capabilities within it
> are denied.
> 
> It does however when not handled correctly result in some very odd failures
> and would be easier to debug if the use of user namespaces were just
> cleanly denied.

Yes but as we established it depends on the use case, both are not
mutually exclusive.

> its not so much the capabilities set as the inheritable part that is
> problematic. Yes I am well aware of where that is required but I question
> that capabilities provides the needed controls here.

Again, I'm not opposed to doing this with LSMs. I just think both could
work well together. We already do that with standard capabilities vs
LSMs, both have their strength and weaknesses.

It's always a tradeoff, do you want a setting that's universal and
coarse, or do you want one that's tailored to specific things but less
ubiquitous.

It's also a tradeoff on usability. If this doesn't get used in practice,
then there is no point.
I would argue that even though capabilities are complicated, they are
more widely understood than LSMs. Are capabilities insufficient in
certain scenarios, absolutely, and that's usually where LSMs come in.

> > This is possible with the security bit introduced in the second patch.
> > The idea of having those separate is that a service which has dropped
> > its capabilities can still create a fully privileged user namespace.
> 
> yes, which is the problem. Not that we don't do that with say setuid
> applications, but the difference is that they were known to be doing
> something dangerous and took measures around that.
> 
> We are starting from a different posture here. Where applications have
> assumed that user namespaces where safe and no measures were needed.
> Tools like unshare and bwrap if set to allow user namespaces in their
> fcaps will allow exploits a trivial by-pass.

Agreed, but we can't really walk back this decision unfortunately.
At least with this patch series system administrators have the ability
to limit such tools.

> What I was trying to get at is two points.
> 1. The written description wasn't clear enough, leaving room for
>    ambiguity.
> 2. That I quest that the behavior should be allowed given the
>    current set of tools that use user namespaces. It reduces exploit
>    codes ability to directly use unprivileged user namespaces but
>    makes it all to easy to by-pass the restriction because of the
>    behavior of the current tool set. ie. user space has to change.

> But again, I believe the fcaps behavior is wrong, because of the state of
> current software. If this had been a proposal where there was no existing
> software infrastructure I would be starting from a different stance.

As mentioned above, userspace doesn't necessarily have to change. I'm
also not sure what you mean by easy to by-pass? If I mask off some
capabilities system wide or in a given process tree, I know for a fact
that no namespace will ever get those capabilities.