From: Krister Johansen <kjlx@templeofstupid.com>
To: David Miller <davem@davemloft.net>
Cc: kjlx@templeofstupid.com, stephen@networkplumber.org,
netdev@vger.kernel.org
Subject: Re: [PATCH v2 net-next] Introduce a sysctl that modifies the value of PROT_SOCK.
Date: Fri, 13 Jan 2017 16:13:35 -0800 [thread overview]
Message-ID: <20170114001335.GD3094@templeofstupid.com> (raw)
In-Reply-To: <20170112.092213.864894939381841760.davem@davemloft.net>
On Thu, Jan 12, 2017 at 09:22:13AM -0500, David Miller wrote:
> From: Krister Johansen <kjlx@templeofstupid.com>
> > The use case for this change is to allow containerized processes to bind
> > to priviliged ports, but prevent them from ever being allowed to modify
> > their container's network configuration. The latter is accomplished by
> > ensuring that the network namespace is not a child of the user
> > namespace. This modification was needed to allow the container manager
> > to disable a namespace's priviliged port restrictions without exposing
> > control of the network namespace to processes in the user namespace.
>
> This is what CAP_NET_BIND_SERVICE is for, and why it is a separate
> network privilege, please use it.
It sounds like I may have done an inadequate job of explaining why I
took this approach instead of going the CAP_NET_BIND_SERVICE route.
In this scenario, the network namespace is created and configured first.
Then the containerized processed get placed into a separate user
namespace. This is so that the processes in the container, even if they
somehow manage to obtain extra privilege in the userns, can never modify
the network namespace.
The check in ns_capable() is looking at the priviliges of the user
namespace that created the netns and its parents. Even if I were to
grant a process in the container CAP_NET_BIND_SERVICE, ns_capable()
wouldn't recognize that as being a valid privilige for the netns.
If I were to invert the order of operations and create the userns before
the netns, then the capability would be recognized. However, that also
allows any potential privilege escalation in the userns to bring with it
the potential that an attacker can modify the container's network
configuration.
I'd much rather run the containers without privs, and without the userns
having rights to the netns, to mitigate the risk of an attacker being
able to alter the container's networking configuration.
-K
next prev parent reply other threads:[~2017-01-14 0:13 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-31 4:11 [PATCH] Introduce a sysctl that modifies the value of PROT_SOCK Krister Johansen
2016-12-31 20:55 ` Stephen Hemminger
2017-01-04 10:19 ` Krister Johansen
2017-01-12 6:52 ` [PATCH v2 net-next] " Krister Johansen
2017-01-12 14:22 ` David Miller
2017-01-14 0:13 ` Krister Johansen [this message]
2017-01-12 14:39 ` Eric Dumazet
2017-01-14 0:11 ` Krister Johansen
2017-01-21 1:49 ` [PATCH v3 " Krister Johansen
2017-01-23 20:39 ` David Miller
2017-01-24 17:11 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170114001335.GD3094@templeofstupid.com \
--to=kjlx@templeofstupid.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.