Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp2219260lqo; Sun, 19 May 2024 20:38:20 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCV/NN1CHSVyuTLxg0suscL3vtgoSTbUyJJcmAFIGMWoBAUqnhNxwfw10i3fgzYf3+bm1K0ZanbtTqDmnOi+RRlR7+FUqbTQ8NUtjXsk/w== X-Google-Smtp-Source: AGHT+IEIsAAMmL2wkL2fQIhpMbDs7t7HpGijK6j33CI1Ri/bbZTNbElWLPDi7v6zrRGIv2D9KkH0 X-Received: by 2002:a50:d610:0:b0:56d:b687:5a45 with SMTP id 4fb4d7f45d1cf-5734d597287mr18697170a12.1.1716176300340; Sun, 19 May 2024 20:38:20 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716176300; cv=pass; d=google.com; s=arc-20160816; b=ktSMpA37y8VHg6U2vTMdzlhuRdK/DPPdH7ZF6T3YCOU/bWSgwkFOV/cZCxzDBn7Od0 ku1yaNPAdrl/E1cSbrLBa3PgwiVgY5lNJq16LaLkt+lWNYsH0m8aWIG3BeZHTjYIpZhA vHxFhsqxR/zA48krJmFoMTTkUrY++Ko4e1Yib2TTt5UO/ylQ7sYXTRs7SFGWfCm3cSl2 ArxWG7Ku32WNaHYz+Il3TTANhefSi108ORXAToHMPV6aL07WmTQvQO2SIPEmp0UXKMsv Te7hKftRAlFU9uJX1psElQFgHbEYZOorBw3Gp3HU0sPVdXwTXn3RdvNYjJZGxFhRBtx+ qOuQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date; bh=FqnQM2ra6E3zxmkAATV0RSt1RzAqJHdgI0Qyeg9kQKQ=; fh=J7+GuMxQCkZAYZuZt7nxhQ+bKzJcqLVisW+cOJ1MV1s=; b=P4ld3Fhwa0kUy54LsY4KIC3DOF7e7DEOrGIfHfS1ssQpPkS9BiEz/Rb5EgkLmquicA qeQHBtL+9YKkB+LZAjF45gWfeyTNyWxlNzBml+CKcLJg1CTNdERFL7RBrSIfsaIEbAza jXzhT60SVhbAemar2rfksh0xaauavFp7SuqgSmQjfrOw79BHmF76ySC7kwFSu8CrmGS+ gfzT6fuvtxcLMVuQDcKQo5N/gNGQ+CV4GSxqW2Cgh/PmVrDIuzuIlBoAdLiL3jnr+tI4 q87q7q85HW0ZABUSUKW1Q4LtaMgISL8x8eItB3OWh2IZsR6fZQN0li8XiiK6NoRykQ3N uUcw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=mail.hallyn.com); spf=pass (google.com: domain of linux-kernel+bounces-183396-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-183396-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id 4fb4d7f45d1cf-57521c05713si3024593a12.597.2024.05.19.20.38.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 19 May 2024 20:38:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-183396-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=mail.hallyn.com); spf=pass (google.com: domain of linux-kernel+bounces-183396-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-183396-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 177261F22475 for ; Mon, 20 May 2024 03:38:20 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EED9912B93; Mon, 20 May 2024 03:38:10 +0000 (UTC) Received: from mail.hallyn.com (mail.hallyn.com [178.63.66.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 89741101C4; Mon, 20 May 2024 03:38:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.63.66.53 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716176290; cv=none; b=trqReZqquVgi2phcsgREbl3dD5k50himIGptFvZ40C1AgNvFqNlfpYisw+ctTuFD9Arifdx3+b+5ZxKwrH+sWjWwqVEFZ/GvPWwvfQTn7y9annilgOQIgVoY6XIMsOdIgL07+lRlx9uzh6fV4GGSVVEbYdamO4JoZL706n/+Ty0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716176290; c=relaxed/simple; bh=LZxMx8cq+pqZU8qVni51ciYzQ72ZESo//RuR/LuvJGo=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=RIXSg4DtDJCIG6P1jYimo6FZz4keD8Vxpj2nrxPwh8IHttc92y4+PoR4HN0GHEYCGnq0y1ADncSaYRFrZtXIZynHZ8EvPGBKweALh9GhHuwjx9LDAgI4kjKvP5Et/v+eRLjZTyTPLSHeU/D78XxbV6DcF5K77YFUNI+5mGfBPWk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hallyn.com; spf=pass smtp.mailfrom=mail.hallyn.com; arc=none smtp.client-ip=178.63.66.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hallyn.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mail.hallyn.com Received: by mail.hallyn.com (Postfix, from userid 1001) id B565FA17; Sun, 19 May 2024 22:38:05 -0500 (CDT) Date: Sun, 19 May 2024 22:38:05 -0500 From: "Serge E. Hallyn" To: Jonathan Calmels Cc: brauner@kernel.org, ebiederm@xmission.com, Luis Chamberlain , Kees Cook , Joel Granados , Serge Hallyn , Paul Moore , James Morris , David Howells , Jarkko Sakkinen , containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org Subject: Re: [PATCH 2/3] capabilities: add securebit for strict userns caps Message-ID: <20240520033805.GA1816262@mail.hallyn.com> References: <20240516092213.6799-1-jcalmels@3xx0.net> <20240516092213.6799-3-jcalmels@3xx0.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20240516092213.6799-3-jcalmels@3xx0.net> On Thu, May 16, 2024 at 02:22:04AM -0700, Jonathan Calmels wrote: > This patch adds a new capability security bit designed to constrain a > task’s userns capability set to its bounding set. The reason for this is > twofold: > > - This serves as a quick and easy way to lock down a set of capabilities > for a task, thus ensuring that any namespace it creates will never be > more privileged than itself is. > - This helps userspace transition to more secure defaults by not requiring > specific logic for the userns capability set, or libcap support. > > Example: > > # capsh --secbits=$((1 << 8)) --drop=cap_sys_rawio -- \ > -c 'unshare -r grep Cap /proc/self/status' > CapInh: 0000000000000000 > CapPrm: 000001fffffdffff > CapEff: 000001fffffdffff > CapBnd: 000001fffffdffff > CapAmb: 0000000000000000 > CapUNs: 000001fffffdffff > > Signed-off-by: Jonathan Calmels Reviewed-by: Serge Hallyn > --- > include/linux/securebits.h | 1 + > include/uapi/linux/securebits.h | 11 ++++++++++- > kernel/user_namespace.c | 5 +++++ > 3 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/include/linux/securebits.h b/include/linux/securebits.h > index 656528673983..5f9d85cd69c3 100644 > --- a/include/linux/securebits.h > +++ b/include/linux/securebits.h > @@ -5,4 +5,5 @@ > #include > > #define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits)) > +#define iscredsecure(cred, X) (issecure_mask(X) & cred->securebits) > #endif /* !_LINUX_SECUREBITS_H */ > diff --git a/include/uapi/linux/securebits.h b/include/uapi/linux/securebits.h > index d6d98877ff1a..2da3f4be4531 100644 > --- a/include/uapi/linux/securebits.h > +++ b/include/uapi/linux/securebits.h > @@ -52,10 +52,19 @@ > #define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \ > (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED)) > > +/* When set, user namespace capabilities are restricted to their parent's bounding set. */ > +#define SECURE_USERNS_STRICT_CAPS 8 > +#define SECURE_USERNS_STRICT_CAPS_LOCKED 9 /* make bit-8 immutable */ > + > +#define SECBIT_USERNS_STRICT_CAPS (issecure_mask(SECURE_USERNS_STRICT_CAPS)) > +#define SECBIT_USERNS_STRICT_CAPS_LOCKED \ > + (issecure_mask(SECURE_USERNS_STRICT_CAPS_LOCKED)) > + > #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ > issecure_mask(SECURE_NO_SETUID_FIXUP) | \ > issecure_mask(SECURE_KEEP_CAPS) | \ > - issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE)) > + issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE) | \ > + issecure_mask(SECURE_USERNS_STRICT_CAPS)) > #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) > > #endif /* _UAPI_LINUX_SECUREBITS_H */ > diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c > index 7e624607330b..53848e2b68cd 100644 > --- a/kernel/user_namespace.c > +++ b/kernel/user_namespace.c > @@ -10,6 +10,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -42,6 +43,10 @@ static void dec_user_namespaces(struct ucounts *ucounts) > > static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) > { > + /* Limit userns capabilities to our parent's bounding set. */ > + if (iscredsecure(cred, SECURE_USERNS_STRICT_CAPS)) > + cred->cap_userns = cap_intersect(cred->cap_userns, cred->cap_bset); > + > /* Start with the capabilities defined in the userns set. */ > cred->cap_bset = cred->cap_userns; > cred->cap_permitted = cred->cap_userns; > -- > 2.45.0 >