Received: by 2002:ab2:69cc:0:b0:1fd:c486:4f03 with SMTP id n12csp35068lqp;
        Mon, 10 Jun 2024 17:17:09 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCUOcPXlXl5EaKeCHPIYCZR7SObvzs/1F4B/Cyj9/kS3yCmXkok+Ke++SO/+CkMRrWmyQnGKm5uwxp5JcTr/8KfU+6rj1/87VfivhYua9w==
X-Google-Smtp-Source: AGHT+IF16WoUBYd3ubTyfxrH5Vj1be7rAcJESbTA+yULyLuVzePpRevpJ7012/RwLE46m9YvIV1m
X-Received: by 2002:a17:90b:1049:b0:2c2:cce9:2578 with SMTP id 98e67ed59e1d1-2c2cce92bd7mr8205649a91.17.1718065029206;
        Mon, 10 Jun 2024 17:17:09 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1718065029; cv=pass;
        d=google.com; s=arc-20160816;
        b=JpQzamONuSkjdx36UwEq4l/fbs5EtY6s20TtZDYdF5Cwi2XJUtSBMFrEHLKiB8LPtq
         k1BGnkYbZoTCy1fdQxZRcywPv6zL49WXTvlf3QVzwt4LSzR2zcr5bnp/z6jUxsFxvzz+
         FE748d+LsrNP8VQz286mZuqy+V4zmoQ/TBLO/Kka92UIWjXtDGR0mzNoD/OhjJ4qSBfF
         5T5901D2G2HTBcs9kRzxv0g1isL9AF1u3YQCJv1WVdQyaPNNDOCuDiXXAcZeRkbeKf7a
         gKUSecnde8sTxbXZyIHQnp5xx8DondjaZZDR63BH/zKYr6Omwfvshu8mMnHmpp52uEry
         Y1PA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=q8U88OhWZh1tCo+0WQ1tID8xLxoIwnJftDZHFtRwK3o=;
        fh=AXv2PjzrzdnQQHdFSSUcWuJJbSV4AYlF5UkVtF3bxMQ=;
        b=n9JFaRlcbdMvR6JS6WZwMa4uT7hKzZiaS6Ox6F3qByrQ+NmgKSa+WdkhRptRvSLlwe
         PWKdbeuQk8V4IwHhnf99pq+obGhIs5jQ4L6810CHHzqZiZdPhlTCzZZkI8kcarDAs0WN
         UfQGqSDwypnOuPYMQ4ojzERDKcwpuJe/VzNtRWOza186UbL+ggRr9B2qpDL30uMe2n/y
         jX5vv0gDSpEhAH6P863UMcS+0aflsnNH2m5AsLRkHQIxE5wsGb8dzwX46Lxmgwm0KAf5
         sNC6w5UjNbkezIkEwvy6E0Ghf++tyPVRFgeaF+8j4hcja48ayhMizKU+y/BG5TcJhIT/
         mwCA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@toxicpanda-com.20230601.gappssmtp.com header.s=20230601 header.b=LYwY4ug2;
       arc=pass (i=1 dkim=pass dkdomain=toxicpanda-com.20230601.gappssmtp.com);
       spf=pass (google.com: domain of linux-kernel+bounces-208839-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-208839-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-208839-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id 98e67ed59e1d1-2c315d4bd27si1662530a91.43.2024.06.10.17.17.08
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 10 Jun 2024 17:17:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-208839-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@toxicpanda-com.20230601.gappssmtp.com header.s=20230601 header.b=LYwY4ug2;
       arc=pass (i=1 dkim=pass dkdomain=toxicpanda-com.20230601.gappssmtp.com);
       spf=pass (google.com: domain of linux-kernel+bounces-208839-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-208839-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id BA2FA2860CA
	for <linux.lists.archive@gmail.com>; Mon, 10 Jun 2024 20:12:52 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 07A0414F9CD;
	Mon, 10 Jun 2024 20:12:32 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=toxicpanda-com.20230601.gappssmtp.com header.i=@toxicpanda-com.20230601.gappssmtp.com header.b="LYwY4ug2"
Received: from mail-yw1-f175.google.com (mail-yw1-f175.google.com [209.85.128.175])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 596CD14F13D
	for <linux-kernel@vger.kernel.org>; Mon, 10 Jun 2024 20:12:29 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.175
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1718050351; cv=none; b=DeruN1WJnPV4e7Ime0fZLRBuXug5zCI1jiFC+7icshTnO5+uLuK+ELfPRWiWX6XJ3fsrPGNwhrMP9of1hg5ZgWY+9Tfhw2pOnAw+KosTWk/oH1z6GhOdYomE5CBxoJeMKazlHe//r/0mmPhH7kB8EpPf6Gw7DgBl4hVc5QZ0IHQ=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1718050351; c=relaxed/simple;
	bh=b7+MwoWNMLPQ7YyhI/4+4s4P3K4STGUIbLhPZG0Mamc=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=amb9M4ZOT7oDX07ss0JDZrQO/u7v7gna1z6+lOmakg79FnIfyEASifWlMIHW66mGylLtuKeTVo86lmWiRAf2NW71sfDiuVZqnbXu/C5JB02Pvdrvu2nasxOSF8dUc/hJPSYb1OZhk2BBlCgewC/bOAS6pi/CQOkSTsQUc5zXEYY=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=toxicpanda.com; spf=none smtp.mailfrom=toxicpanda.com; dkim=pass (2048-bit key) header.d=toxicpanda-com.20230601.gappssmtp.com header.i=@toxicpanda-com.20230601.gappssmtp.com header.b=LYwY4ug2; arc=none smtp.client-ip=209.85.128.175
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=toxicpanda.com
Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=toxicpanda.com
Received: by mail-yw1-f175.google.com with SMTP id 00721157ae682-62a08b250a2so45598757b3.3
        for <linux-kernel@vger.kernel.org>; Mon, 10 Jun 2024 13:12:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1718050348; x=1718655148; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=q8U88OhWZh1tCo+0WQ1tID8xLxoIwnJftDZHFtRwK3o=;
        b=LYwY4ug2iL/vJ4DIUm0/Hp2MvpGURHFsHfCR8hKgvsmAqgzRPxBeFZzp5Tfo48EbCo
         Euj3YFKE98R3xDK+TVi4X08MQrChZxoR0ZdwAIKYcBEyuT6J6pRA6MFIWpmGlK1QH6yk
         ayaE24UINt0NKI07iU6nbvvP+ur4CK0DddjWE0Gtpl8JlrD2yRSechl/xjLYVx0XPb6G
         i76retKit/NIZmraE8AuogV1B4ponmQt72v7gY3tzehh7ckEOuDJ8LHGOKzXVFo5n2E+
         4LMkjHweMxF1v6LeN1NaZpvEMI8QBe5KxGttDTh645mywME2cc7oJs1j5M/rPYABPg7M
         UNcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1718050348; x=1718655148;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=q8U88OhWZh1tCo+0WQ1tID8xLxoIwnJftDZHFtRwK3o=;
        b=foRhIzxXoF+xEu/Hg9HOJyQotvctoCzcFbTAy+Oh8XUF83emPeo8tUQHjE3gzSvaAE
         t5+NYc2yaM1oDIDuSGRwM4Tjkome+ynmb8EBPWfLYlh5sAhlMyh1/XpUMw2YERhynr0r
         DXH+F2HKvwR/Y8zc8I4A73CNJjVTzilNVrKYdNy2g96ntxRIdTzqL9Ef9OT7UozYyUu5
         oC9pxXunWbq8O35nDfZ4z0gYVVJqbjUEc9w/RLx8IHbe9W9GqR/dXyeYAjh95ohzECOO
         h3nbPKLolt/PJNZcAeYxMq9XbuFiRsal9Hg7DOT4smW7SaKmH3XkInCkel8BfioLTh+c
         yzFw==
X-Forwarded-Encrypted: i=1; AJvYcCX9/pbsgrnKpmQwWSvGQrzr4jh3SRzAP1GaQJHslJKLCGzYFdJ7oEaWXJPI2GMCr3ygtzqnYri1h+JmwPQLzp6ZnnRz/7NiU2wlSVzu
X-Gm-Message-State: AOJu0Yy9/hp0z5Y1uoDlFR12oKnwP23Ns22BkpzmfT40cCWrpfb2kcU3
	q0bVtXfUdfBOERVyhzq/x4XhVzeenxXyqrNVtEgdIyHzkhI6hdlKiGlO5DJrqEk=
X-Received: by 2002:a81:ef0e:0:b0:61a:f206:bad6 with SMTP id 00721157ae682-62cd55f6755mr90104707b3.30.1718050348318;
        Mon, 10 Jun 2024 13:12:28 -0700 (PDT)
Received: from localhost (syn-076-182-020-124.res.spectrum.com. [76.182.20.124])
        by smtp.gmail.com with ESMTPSA id 00721157ae682-62ccaef2825sm17372997b3.139.2024.06.10.13.12.27
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 10 Jun 2024 13:12:27 -0700 (PDT)
Date: Mon, 10 Jun 2024 16:12:27 -0400
From: Josef Bacik <josef@toxicpanda.com>
To: Jonathan Calmels <jcalmels@3xx0.net>
Cc: brauner@kernel.org, ebiederm@xmission.com,
	Jonathan Corbet <corbet@lwn.net>, Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>, KP Singh <kpsingh@kernel.org>,
	Matt Bobrowski <mattbobrowski@google.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>, Luis Chamberlain <mcgrof@kernel.org>,
	Kees Cook <kees@kernel.org>, Joel Granados <j.granados@samsung.com>,
	John Johansen <john.johansen@canonical.com>,
	David Howells <dhowells@redhat.com>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>,
	containers@lists.linux.dev, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-security-module@vger.kernel.org, bpf@vger.kernel.org,
	apparmor@lists.ubuntu.com, keyrings@vger.kernel.org,
	selinux@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v2 0/4] Introduce user namespace capabilities
Message-ID: <20240610201227.GD235772@perftesting>
References: <20240609104355.442002-1-jcalmels@3xx0.net>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20240609104355.442002-1-jcalmels@3xx0.net>

On Sun, Jun 09, 2024 at 03:43:33AM -0700, Jonathan Calmels wrote:
> This patch series introduces a new user namespace capability set, as
> well as some plumbing around it (i.e. sysctl, secbit, lsm support).
> 
> First patch goes over the motivations for this as well as prior art.
> 
> In summary, while user namespaces are a great success today in that they
> avoid running a lot of code as root, they also expand the attack surface
> of the kernel substantially which is often abused by attackers. 
> Methods exist to limit the creation of such namespaces [1], however,
> application developers often need to assume that user namespaces are
> available for various tasks such as sandboxing. Thus, instead of
> restricting the creation of user namespaces, we offer ways for userspace
> to limit the capabilities granted to them.
> 
> Why a new capability set and not something specific to the userns (e.g.
> ioctl_ns)?
> 
>     1. We can't really expect userspace to patch every single callsite
>     and opt-in this new security mechanism. 
> 
>     2. We don't necessarily want policies enforced at said callsites.
>     For example a service like systemd-machined or a PAM session need to
>     be able to place restrictions on any namespace spawned under it.
> 
>     3. We would need to come up with inheritance rules, querying
>     capabilities, etc. At this point we're just reinventing capability
>     sets.
> 
>     4. We can easily define interactions between capability sets, thus
>     helping with adoption (patch 2 is an example of this)
> 
> Some examples of how this could be leveraged in userspace:
> 
>     - Prevent user from getting CAP_NET_ADMIN in user namespaces under SSH:
>         echo "auth optional pam_cap.so" >> /etc/pam.d/sshd
>         echo "!cap_net_admin $USER"     >> /etc/security/capability.conf
>         capsh --secbits=$((1 << 8)) -- -c /usr/sbin/sshd
> 
>     - Prevent containers from ever getting CAP_DAC_OVERRIDE:
>         systemd-run -p CapabilityBoundingSet=~CAP_DAC_OVERRIDE \
>                     -p SecureBits=userns-strict-caps \
>                     /usr/bin/dockerd
>         systemd-run -p UserNSCapabilities=~CAP_DAC_OVERRIDE \
>                     /usr/bin/incusd
> 
>     - Kernel could be vulnerable to CAP_SYS_RAWIO exploits, prevent it:
>         sysctl -w cap_bound_userns_mask=0x1fffffdffff
> 
>     - Drop CAP_SYS_ADMIN for this shell and all the user namespaces below it:
>         bwrap --unshare-user --cap-drop CAP_SYS_ADMIN /bin/sh
> 

Where are the tests for this patchset?  I see you updated the bpf tests for the
bpf lsm bits, but there's nothing to validate this new behavior or exercise the
new ioctl you've added.  Thanks,

Josef