Date: Mon, 10 Jun 2024 02:46:06 -0700
From: Jonathan Calmels
To: "Serge E. Hallyn"
Cc: brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet, Paul Moore, James Morris, KP Singh, Matt Bobrowski, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, Stanislav Fomichev, Hao Luo, Jiri Olsa, Luis Chamberlain, Kees Cook, Joel Granados, John Johansen, David Howells, Jarkko Sakkinen, Stephen Smalley, Ondrej Mosnacek, Mykola Lysenko, Shuah Khan, containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v2 2/4] capabilities: Add securebit to restrict userns caps
References: <20240609104355.442002-1-jcalmels@3xx0.net> <20240609104355.442002-3-jcalmels@3xx0.net> <20240610023301.GA2183903@mail.hallyn.com>
In-Reply-To: <20240610023301.GA2183903@mail.hallyn.com>

On Sun, Jun 09, 2024 at 09:33:01PM GMT, Serge E. Hallyn wrote:
> On Sun, Jun 09, 2024 at 03:43:35AM -0700, Jonathan Calmels wrote:
> > This patch adds a new capability security bit designed to constrain a
> > task's userns capability set to its bounding set. The reason for this is
> > twofold:
> >
> > - This serves as a quick and easy way to lock down a set of capabilities
> >   for a task, thus ensuring that any namespace it creates will never be
> >   more privileged than itself is.
> > - This helps userspace transition to more secure defaults by not requiring
> >   specific logic for the userns capability set, or libcap support.
> >
> > Example:
> >
> > # capsh --secbits=$((1 << 8)) --drop=cap_sys_rawio -- \
> >     -c 'unshare -r grep Cap /proc/self/status'
> > CapInh: 0000000000000000
> > CapPrm: 000001fffffdffff
> > CapEff: 000001fffffdffff
> > CapBnd: 000001fffffdffff
> > CapAmb: 0000000000000000
> > CapUNs: 000001fffffdffff
>
> But you are not (that I can see, in this or the previous patch)
> keeping SECURE_USERNS_STRICT_CAPS in securebits on the next
> level unshare. Though I think it's ok, because by then both
> cap_userns and cap_bset are reduced and cap_userns can't be
> expanded. (Sorry, just thinking aloud here)

Right, this is safe to reset, but maybe we do keep it if the secbit is locked?
This is kind of a special case compared to the other bits.

> > + /* Limit userns capabilities to our parent's bounding set. */
>
> In the case of userns_install(), it will be the target user namespace
> creator's bounding set, right? Not "our parent's"?

Good point, I should reword this comment.
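As an added illustration (not code from the patch series or from either author), the following script decodes the Cap* lines from the capsh example in the thread and checks the invariant the new securebit is meant to enforce: with the strict bit set, CapUNs must never exceed CapBnd. The securebit name SECURE_USERNS_STRICT_CAPS and its position (bit 8, from `--secbits=$((1 << 8))`) are taken from the thread; the capability numbering is the standard one from include/uapi/linux/capability.h.

```python
"""Decode /proc/<pid>/status capability masks and check CapUNs <= CapBnd."""
import re

# Capability numbers 0..40 as defined in include/uapi/linux/capability.h.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
CAP_ALL = (1 << len(CAP_NAMES)) - 1   # 0x1ffffffffff: every known capability

# Bit position used in the thread's capsh invocation: --secbits=$((1 << 8)).
SECURE_USERNS_STRICT_CAPS_BIT = 8

# Sample output copied from the capsh example quoted in the thread.
SAMPLE_STATUS = """\
CapInh: 0000000000000000
CapPrm: 000001fffffdffff
CapEff: 000001fffffdffff
CapBnd: 000001fffffdffff
CapAmb: 0000000000000000
CapUNs: 000001fffffdffff
"""

def parse_caps(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from status-file text."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$",
                                 status_text, re.M)}

def cap_names(mask):
    """Names of the capabilities set in mask (unknown bits as CAP_<n>)."""
    return [("CAP_" + CAP_NAMES[i]) if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1]

def strict_userns_violations(caps, secbits):
    """With the strict securebit set, CapUNs must be a subset of CapBnd.
    Returns the offending capability names; empty means the invariant holds
    (or the bit is not set, in which case nothing is enforced)."""
    if not secbits >> SECURE_USERNS_STRICT_CAPS_BIT & 1:
        return []
    return cap_names(caps["CapUNs"] & ~caps["CapBnd"])

if __name__ == "__main__":
    caps = parse_caps(SAMPLE_STATUS)
    print("dropped from bounding set:", cap_names(CAP_ALL & ~caps["CapBnd"]))
    print("strict-bit violations:", strict_userns_violations(caps, 1 << 8))
```

On the sample, the only capability missing from CapBnd is CAP_SYS_RAWIO (bit 17) and CapUNs matches CapBnd exactly, so the check reports no violation.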