lefggfenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hjtggrlhhmvghlshesfeiggidtrdhnvght X-ME-Proxy: Feedback-ID: i76614979:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 11 Jun 2024 04:15:29 -0400 (EDT) Date: Tue, 11 Jun 2024 01:20:40 -0700 From: Jonathan Calmels To: "Serge E. Hallyn" Cc: Andrew Morgan , brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet , Paul Moore , James Morris , KP Singh , Matt Bobrowski , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , Stanislav Fomichev , Hao Luo , Jiri Olsa , Luis Chamberlain , Kees Cook , Joel Granados , John Johansen , David Howells , Jarkko Sakkinen , Stephen Smalley , Ondrej Mosnacek , Mykola Lysenko , Shuah Khan , containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities Message-ID: References: <20240609104355.442002-1-jcalmels@3xx0.net> <20240609104355.442002-2-jcalmels@3xx0.net> <20240610130057.GB2193924@mail.hallyn.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20240610130057.GB2193924@mail.hallyn.com> On Mon, Jun 10, 2024 at 08:00:57AM GMT, Serge E. Hallyn wrote: > > Now, one thing that does occur to me here is that there is a > very mild form of sendmail-capabilities vulnerability that > could happen here. Unpriv user joe can drop CAP_SYS_ADMIN > from cap_userns, then run a setuid-root program which starts > a container which expects CAP_SYS_ADMIN. 
This could be a > shared container, and so joe could be breaking expected > behavior there. > > I *think* we want to say we don't care about this case, but > if we did, I suppose we could say that the normal cap raise > rules on setuid should apply to cap_userns? > Right, good catch. If we do want to fix it, we could just check for setuid no? Or do we want to follow the normal root inheritance rules too? Essentially something like this: pU' = is_suid(root) ? X : pU
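
The scenario and the rule proposed above, as a small user-space model added here as an illustration (it is not code from the patch series or from the kernel). It assumes X denotes the capability bounding set, which the message does not define, and that a new user namespace is granted exactly the creator's pU; `struct task`, `model_execve` and `model_userns_create` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_ADMIN 21                /* value from <linux/capability.h> */
#define CAP_BIT(c)    (1ULL << (c))
#define CAP_FULL      ((1ULL << 41) - 1) /* capabilities 0..40 */

/* Hypothetical model of the two sets the thread talks about. */
struct task {
    uint64_t pU; /* userns capability set (cap_userns) */
    uint64_t X;  /* assumed: capability bounding set */
};

enum exec_rule {
    RULE_KEEP,       /* pU' = pU for every exec */
    RULE_SUID_RESET  /* pU' = is_suid(root) ? X : pU */
};

/* Compute pU' across an execve() under the chosen rule. */
static struct task model_execve(struct task t, bool suid_root,
                                enum exec_rule rule)
{
    if (rule == RULE_SUID_RESET && suid_root)
        t.pU = t.X;
    return t;
}

/* Assumption: capabilities granted in a freshly created user namespace. */
static uint64_t model_userns_create(struct task t)
{
    return t.pU;
}

/* joe drops CAP_SYS_ADMIN from pU, then execs a helper that creates the
 * container. Returns whether the container ends up with CAP_SYS_ADMIN. */
bool container_gets_sys_admin(enum exec_rule rule, bool suid_root)
{
    struct task joe = { CAP_FULL, CAP_FULL };

    joe.pU &= ~CAP_BIT(CAP_SYS_ADMIN);
    struct task helper = model_execve(joe, suid_root, rule);
    return (model_userns_create(helper) & CAP_BIT(CAP_SYS_ADMIN)) != 0;
}

int main(void)
{
    printf("pU' = pU, setuid-root helper:    %d\n",
           container_gets_sys_admin(RULE_KEEP, true));
    printf("suid reset, setuid-root helper:  %d\n",
           container_gets_sys_admin(RULE_SUID_RESET, true));
    printf("suid reset, ordinary helper:     %d\n",
           container_gets_sys_admin(RULE_SUID_RESET, false));
    return 0;
}
```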