Received: by 2002:a89:d88:0:b0:1fa:5c73:8e2d with SMTP id eb8csp539028lqb; Fri, 24 May 2024 06:19:38 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCX1sRCW6/FIaszJ58JRmo7RPM2G1xZfLlyl1TyL+DUI3C5iJV4KwfQTfX8d98q4ZWQfCoXcpEDSDXCr9sh0fRHpuLvl+9SQsttu94QraA== X-Google-Smtp-Source: AGHT+IHDdfMwY7gLD2UjgvBTqicuH0SYr2g9OIlLk8TuYEOViJ/tpfsSrhU57y/lugOuEkcgj/RF X-Received: by 2002:a05:6214:4a07:b0:6a0:af07:107f with SMTP id 6a1803df08f44-6abcd12f263mr26645066d6.61.1716556778263; Fri, 24 May 2024 06:19:38 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716556778; cv=pass; d=google.com; s=arc-20160816; b=hq44E03STchG+nPaRw3KYc4nvvUmrWU0gdB/g6CM/jb9ZC9obotnHpwaKRGJvWFQZP TQ19Uvjk/csgWyBr9WbsRSo6n29vXWqAXK8hfYxpoIVRvFRNuk9BVPJhEjVixfcUqdEa kFB63VGfwNa0cYrsoHlyZmGsL5A4gxgKsLFuHRkHlWHB98h1U86SwXW0gaP1RYBTEN26 c6qgTIa/02AUF0pHUxqRTNrJ1MSdDirI+mTYbnC2/wdS9orh4Ur+JCsm72V4HTeD13IM 832USdkNAGp+dBPACqGKG9PWLkL7Jo/og3KqvLW2VBd8XF1yvPY8hu2eKoHQiHDyS7vb sEEg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=k1nvfSWBypXcBnT9uPzgrRewy4HsQZdWxgzgzt7NqF0=; fh=gdSURPoG5o9lfGovgvsHDy62P4FvG6i6WWc5pDgZ8BE=; b=BY0vUvhYg0H01MA816vZaFdZZpVmZTePhEJgBzY+/eymwijrUTGu9dQESaGDJSqDEw TORvbjYzoidEJq92xzDhVCdTLOCRLXlEn98n6mh7cl6D046xG9j3rUjwLvG3WandZmLC IIUOAysusqSFgzLytoi5jhvgufvP8/X04wF02+Pfp2d4Fh/ZOln3clAvyvp7nvn3fF66 JJrbAKfeiADMAKs1SqVE8OK8gXzWZ57y0dnYg78hr4IK6IEaFymg2dCFip53UmvFlNbg qVBro7rg8/wNqgPDUdLOuKR30spOb5/rsWIMsgY4751QM36tBj3j01xKn7yGyqr9SFGR UBpQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Yd9T+h1P; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-188722-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-188722-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id 6a1803df08f44-6ac070f15c6si16449376d6.289.2024.05.24.06.19.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 24 May 2024 06:19:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-188722-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Yd9T+h1P; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-188722-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-188722-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id E9DCC1C21AC8 for ; Fri, 24 May 2024 13:19:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 250C186244; Fri, 24 May 2024 13:19:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Yd9T+h1P" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2F743126F36 for ; Fri, 24 May 2024 13:19:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716556747; cv=none; b=Z33TXA9dS8gCwK4yJSxBa7A3AVg9IVyYmw2OyCrhchk4BDffQvpwUeBeFiyZsV7ZDrY0duQM6uK94O9WWUlKGx/XLqmI2ZvwOL1kwMK0W6QCAW8ypuscYIRb84kG6QHBkbSEmC0LLg136IKU8qWKcu9c5TC8DOH/gvEcr/atxWA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716556747; c=relaxed/simple; bh=Q+wqz3GLDVTyBy+htHp9EFQVMzJAbwNTFykwjw54cWo=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=QQc4VcWgzzCIG7Q6rSdkVmSX+kj8hrDmggCreSurYxqslfzAQaN4ofNdKmd1Mlof8KwzhfintzrdsK3ipypI09zdpG8JRNUDArZJTxVEXso9NAj5YMpEarz/P8hpNiTIx7E+pPhPz2GSO3Dnkp2eNVG8rWdSl2n6zsEGzjM9/sI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Yd9T+h1P; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id A26A3C2BBFC; Fri, 24 May 2024 13:19:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1716556746; bh=Q+wqz3GLDVTyBy+htHp9EFQVMzJAbwNTFykwjw54cWo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Yd9T+h1PmFDhQSmzfkJRhMKvFI/aSiL0wmPEIHAGBfyo28yxE0Hrun5NN1BL07ifY KY9P92Ank8ua64aNU8vlsVG4yhDioIqSBSVEpBEu+YsAK9iLflazRnL53fm6Vxx8om FLpqbUb5MJurSYBL8oo1UMBG1GylLm9QJm1WUt70HsoSOPpqNceK74elAu11VRWKYC 5oRzWhOlQ2KX0gtS5718jXYnwLGsmEsapJRMqv4K9gOd6NpMeg2YeMbfYgWaVPN6zq fgpH7SVwhn/FMmFVJpU48jz/a43VZ4bkf519wK35X+7DrnilmX/PtcJeo4x6AGEfnM MphMnE26ZVk9w== Date: Fri, 24 May 2024 15:19:01 +0200 From: Christian Brauner To: Javier Martinez Canillas Cc: linux-kernel@vger.kernel.org, Daniel Lezcano , "Eric W . Biederman" , javier@dowhile0.org, Andrew Morton , "Gustavo A. R. Silva" , Masahiro Yamada , Nhat Pham , Petr Mladek , Randy Dunlap , Vincent Guittot , Yoann Congal Subject: Re: [PATCH] userns: Default to 'yes' when CONFIG_MEMCG option is enabled Message-ID: <20240524-putzen-ablauf-12f514413be6@brauner> References: <20240524082434.657573-1-javierm@redhat.com> <20240524-beurkunden-kantig-101649d6b5cf@brauner> <874jangzjk.fsf@minerva.mail-host-address-is-not-set> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <874jangzjk.fsf@minerva.mail-host-address-is-not-set> On Fri, May 24, 2024 at 02:33:19PM +0200, Javier Martinez Canillas wrote: > Christian Brauner writes: > > Hello Christian, > > Thanks a lot for your feedback. > > > On Fri, May 24, 2024 at 10:24:16AM +0200, Javier Martinez Canillas wrote: > >> The default value for the CONFIG_USER_NS Kconfig symbol changed over time. > >> > >> When first was introduced by commit acce292c82d4 ("user namespace: add the > >> framework"), the default was 'no'. But then it was changed to 'yes' if the > >> CONFIG_NAMESPACES option was enabled, by commit 17a6d4411a4d ("namespaces: > >> default all the namespaces to 'yes' when CONFIG_NAMESPACES is selected"). > >> > >> Then, commit 5673a94c1457 ("userns: Add a Kconfig option to enforce strict > >> kuid and kgid type checks") changed the default to 'no' again and selected > >> the (now defunct) UIDGID_STRICT_TYPE_CHECKS option. > >> > >> This selected option was removed by commit 261000a56b63 ("userns: Remove > >> UIDGID_STRICT_TYPE_CHECKS"), but CONFIG_USER_NS default was left to 'no'. > >> > >> Finally, the commit e11f0ae388f2 ("userns: Recommend use of memory control > >> groups") added to the Kconfig symbol's help text a recommendation that the > >> memory control groups should be used, to limit the amount of memory that a > >> user who can create user namespaces can consume. > >> > >> Looking at the changes' history, a default to 'yes' when the CONFIG_MEMCG > >> option is enabled seems like a sane thing to do. Specially since systemd > >> requires user namespaces support for services that use the PrivateUsers= > >> property in their unit files (e.g: the UPower daemon). > > > > Fyi, user namespaces are an entirely optional feature in systemd and it > > gracefully falls back if they are not available with PrivateUsers= set. > > If that isn't the case then it's a bug in systemd with PrivateUsers= > > handling and should be reported. > > > > Interesting, it definitely failed for me: > > $ systemctl status upower > ● upower.service - Daemon for power management > Loaded: loaded (/lib/systemd/system/upower.service; disabled; vendor preset: enabled) > Active: failed (Result: exit-code) since Fri 2024-05-24 12:23:49 UTC; 34s ago > Docs: man:upowerd(8) > Process: 390 ExecStart=/usr/libexec/upowerd (code=exited, status=217/USER) > Main PID: 390 (code=exited, status=217/USER) > CPU: 122ms > > May 24 12:23:49 igep systemd[1]: upower.service: Scheduled restart job, restart counter is at 5. > May 24 12:23:49 igep systemd[1]: Stopped Daemon for power management. > May 24 12:23:49 igep systemd[1]: upower.service: Start request repeated too quickly. > May 24 12:23:49 igep systemd[1]: upower.service: Failed with result 'exit-code'. > May 24 12:23:49 igep systemd[1]: Failed to start Daemon for power management. > > $ journalctl -u upower > May 24 12:23:49 igep systemd[1]: Starting Daemon for power management... > May 24 12:23:49 igep systemd[404]: upower.service: Failed to set up user namespacing: Invalid argument > May 24 12:23:49 igep systemd[404]: upower.service: Failed at step USER spawning /usr/libexec/upowerd: Invalid argument > May 24 12:23:49 igep systemd[1]: upower.service: Main process exited, code=exited, status=217/USER > May 24 12:23:49 igep systemd[1]: upower.service: Failed with result 'exit-code'. > May 24 12:23:49 igep systemd[1]: Failed to start Daemon for power management. > May 24 12:23:49 igep systemd[1]: upower.service: Scheduled restart job, restart counter is at 1. > May 24 12:23:49 igep systemd[1]: Stopped Daemon for power management. > > That lead me to https://gitlab.freedesktop.org/upower/upower/-/issues/104 > and finally to systemd's README: > > https://github.com/systemd/systemd/blob/main/README#L89C22-L89C34 > > But I'll investigate more if is upower or systemd to be blamed here... > > > But specifically to you change, afair CONFIG_MEMCG and userns are > > unrelated so tying them together like this in the kconfig seems > > misguided. > > > > Yes, but the config USER_NS help text already tieds them toghether: > > help > This allows containers, i.e. vservers, to use user namespaces > to provide different user info for different servers. > > When user namespaces are enabled in the kernel it is > recommended that the MEMCG option also be enabled and that But then the patch your patch is the wrong way around and you should make CONFIG_USER_NS select CONFIG_MEMCG. IOW, if you do userns, do memcg but _not_ if you do memcg, do userns. > user-space use the memory control groups to limit the amount > of memory a memory unprivileged users can use. > > And as mentioned in the commit message, it seems to be the reason why the > default for this Kconfig symbol is no. Maybe I misunderstood though or do > you think that could be switched unconditionally to 'default y' ? No, definitely not. > > Or is there a reason to be the only namespace to be default to no instead > of yes? Specially since important system services are trying to use it. Yes, it has a lot more security implications than all of the other ones and makes them available to unprivileged users by default. So that definitely requires a conscious choice. > > -- > Best regards, > > Javier Martinez Canillas > Core Platforms > Red Hat >