Date: Mon, 10 Jun 2024 01:47:13 -0700
From: Jonathan Calmels
To: "Serge E. Hallyn"
Cc: Andrew Morgan, brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet, Paul Moore, James Morris, KP Singh, Matt Bobrowski, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, Stanislav Fomichev, Hao Luo, Jiri Olsa, Luis Chamberlain, Kees Cook, Joel Granados, John Johansen, David Howells, Jarkko Sakkinen, Stephen Smalley, Ondrej Mosnacek, Mykola Lysenko, Shuah Khan, containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities
Message-ID: <6pwskrbtmxjy2ti3xabfslmupjhat7dhrnbftinzhxgxnsveum@5jq5l6ws7hls>
References: <20240609104355.442002-1-jcalmels@3xx0.net> <20240609104355.442002-2-jcalmels@3xx0.net> <20240610015024.GA2182786@mail.hallyn.com>
In-Reply-To: <20240610015024.GA2182786@mail.hallyn.com>

On Sun, Jun 09, 2024 at 08:50:24PM GMT, Serge E. Hallyn wrote:
> On Sun, Jun 09, 2024 at 03:43:34AM -0700, Jonathan Calmels wrote:
> > Attackers often rely on user namespaces to get elevated (yet confined)
> > privileges in order to target specific subsystems (e.g. [1]). Distributions
>
> I'd modify this to say "in order to target *bugs* in specific subsystems" :)

Ack

> > This effectively mimics the inheritable set rules and means that, by
> > default, only root in the user namespace can regain userns capabilities
> > previously dropped:
>
> Something about this last sentence feels wrong, but I'm not sure what
> the best alternative would be. As is, though, it makes it sound as though
> root in the userns can always regain previously dropped capabilities, but
> that's not true if dropped in ancestor ns, or if root also dropped the
> bits from its bounding set (right?).

Right, the wording is a little bit confusing here, I admit. What I meant to
say is that if a cap is dropped in a *given* namespace, then it can only be
regained by root there. But yes, caps can never be regained from ancestor
namespaces. I'll try to rephrase it.

BTW, this is rather strict, but I think that's what we want, right, something
simple? An alternative would be to have a new cap masked off by default that,
if granted to a userns, allows you to regain the ancestors' caps.