From: Christian Brauner <christian.brauner@canonical.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: "Daniel Micay" <danielmicay@gmail.com>,
"Mahesh Bandewar (महेश बंडेवार)" <maheshb@google.com>,
"Mahesh Bandewar" <mahesh@bandewar.net>,
LKML <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>,
Kernel-hardening <kernel-hardening@lists.openwall.com>,
"Linux API" <linux-api@vger.kernel.org>,
"Kees Cook" <keescook@chromium.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Eric Dumazet" <edumazet@google.com>,
"David Miller" <davem@davemloft.net>
Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces
Date: Mon, 6 Nov 2017 23:42:08 +0100 [thread overview]
Message-ID: <20171106224207.pdws44vorkxdf6ur@gmail.com> (raw)
In-Reply-To: <20171106221418.GA32543@mail.hallyn.com>
On Mon, Nov 06, 2017 at 04:14:18PM -0600, Serge Hallyn wrote:
> Quoting Daniel Micay (danielmicay@gmail.com):
> > Substantial added attack surface will never go away as a problem. There
> > aren't a finite number of vulnerabilities to be found.
>
> There's varying levels of usefulness and quality. There is code which I
> want to be able to use in a container, and code which I can't ever see a
> reason for using there. The latter, especially if it's also in a
> staging driver, would be nice to have a toggle to disable.
>
> You're not advocating dropping the added attack surface, only adding a
> way of dealing with an 0day after the fact. Privilege raising 0days can
> exist anywhere, not just in code which only root in a user namespace can
> exercise. So from that point of view, ksplice seems a more complete
> solution. Why not just actually fix the bad code block when we know
> about it?
>
> Finally, it has been well argued that you can gain many new caps from
> having only a few others. Given that, how could you ever be sure that,
> if an 0day is found which allows root in a user ns to abuse
> CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them
> would suffice? It seems to me that the existing control in
> /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape
> in that case.
I agree that /proc/sys/kernel/unprivileged_userns_clone is the most reasonable
thing to do. This patch introduces a layer of complexity to fine-tune user
namespace creation that - in the relevant security critical scenario - should
simply be turned of entirely.
Is /proc/sys/kernel/unprivileged_userns_clone upstreamed or is this still only
carried downstream?
WARNING: multiple messages have this Message-ID (diff)
From: Christian Brauner <christian.brauner-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
To: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Cc: "Daniel Micay"
<danielmicay-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
"Mahesh Bandewar (महेश बंडेवार)"
<maheshb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
"Mahesh Bandewar"
<mahesh-bmGAjcP2qsnk1uMJSBkQmQ@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Netdev <netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Kernel-hardening
<kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org>,
"Linux API" <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Kees Cook" <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
"Eric W . Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
"Eric Dumazet" <edumazet-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
"David Miller" <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces
Date: Mon, 6 Nov 2017 23:42:08 +0100 [thread overview]
Message-ID: <20171106224207.pdws44vorkxdf6ur@gmail.com> (raw)
In-Reply-To: <20171106221418.GA32543-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
On Mon, Nov 06, 2017 at 04:14:18PM -0600, Serge Hallyn wrote:
> Quoting Daniel Micay (danielmicay-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> > Substantial added attack surface will never go away as a problem. There
> > aren't a finite number of vulnerabilities to be found.
>
> There's varying levels of usefulness and quality. There is code which I
> want to be able to use in a container, and code which I can't ever see a
> reason for using there. The latter, especially if it's also in a
> staging driver, would be nice to have a toggle to disable.
>
> You're not advocating dropping the added attack surface, only adding a
> way of dealing with an 0day after the fact. Privilege raising 0days can
> exist anywhere, not just in code which only root in a user namespace can
> exercise. So from that point of view, ksplice seems a more complete
> solution. Why not just actually fix the bad code block when we know
> about it?
>
> Finally, it has been well argued that you can gain many new caps from
> having only a few others. Given that, how could you ever be sure that,
> if an 0day is found which allows root in a user ns to abuse
> CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them
> would suffice? It seems to me that the existing control in
> /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape
> in that case.
I agree that /proc/sys/kernel/unprivileged_userns_clone is the most reasonable
thing to do. This patch introduces a layer of complexity to fine-tune user
namespace creation that - in the relevant security critical scenario - should
simply be turned of entirely.
Is /proc/sys/kernel/unprivileged_userns_clone upstreamed or is this still only
carried downstream?
next prev parent reply other threads:[~2017-11-06 22:42 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-03 0:44 [kernel-hardening] [PATCH resend 2/2] userns: control capabilities of some user namespaces Mahesh Bandewar
2017-11-03 0:44 ` Mahesh Bandewar
2017-11-04 23:53 ` [kernel-hardening] " Serge E. Hallyn
2017-11-04 23:53 ` Serge E. Hallyn
2017-11-04 23:53 ` Serge E. Hallyn
2017-11-06 7:23 ` [kernel-hardening] " Mahesh Bandewar (महेश बंडेवार)
2017-11-06 7:23 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-06 7:23 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-06 15:03 ` [kernel-hardening] " Serge E. Hallyn
2017-11-06 15:03 ` Serge E. Hallyn
2017-11-06 21:33 ` [kernel-hardening] " Daniel Micay
2017-11-06 21:33 ` Daniel Micay
2017-11-06 22:14 ` Serge E. Hallyn
2017-11-06 22:14 ` Serge E. Hallyn
2017-11-06 22:42 ` Christian Brauner [this message]
2017-11-06 22:42 ` Christian Brauner
2017-11-06 23:17 ` Boris Lukashev
2017-11-06 23:39 ` Serge E. Hallyn
2017-11-07 0:01 ` Boris Lukashev
2017-11-07 0:01 ` Boris Lukashev
2017-11-07 3:28 ` [kernel-hardening] " Serge E. Hallyn
2017-11-07 3:28 ` Serge E. Hallyn
2017-11-08 11:09 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-08 11:09 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-08 19:02 ` Christian Brauner
2017-11-09 0:55 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 0:55 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 3:21 ` Serge E. Hallyn
2017-11-09 3:21 ` Serge E. Hallyn
2017-11-09 7:13 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 7:13 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 7:18 ` [kernel-hardening] " Mahesh Bandewar (महेश बंडेवार)
2017-11-09 7:18 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 16:14 ` [kernel-hardening] " Serge E. Hallyn
2017-11-09 16:14 ` Serge E. Hallyn
2017-11-09 21:58 ` [kernel-hardening] " Eric W. Biederman
2017-11-09 21:58 ` Eric W. Biederman
2017-11-10 4:30 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-10 4:30 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-10 4:46 ` Serge E. Hallyn
2017-11-10 4:46 ` Serge E. Hallyn
2017-11-10 5:28 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-10 5:28 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-07 2:16 ` Daniel Micay
2017-11-07 2:16 ` Daniel Micay
2017-11-07 3:23 ` Serge E. Hallyn
2017-11-07 3:23 ` Serge E. Hallyn
2017-11-09 18:01 ` chris hyser
2017-11-09 18:05 ` Serge E. Hallyn
2017-11-09 18:05 ` Serge E. Hallyn
2017-11-09 18:27 ` chris hyser
2017-11-09 17:25 ` Serge E. Hallyn
2017-11-09 17:25 ` Serge E. Hallyn
2017-11-10 1:49 ` [kernel-hardening] " Mahesh Bandewar (महेश बंडेवार)
2017-11-10 1:49 ` Mahesh Bandewar (महेश बंडेवार)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106224207.pdws44vorkxdf6ur@gmail.com \
--to=christian.brauner@canonical.com \
--cc=danielmicay@gmail.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mahesh@bandewar.net \
--cc=maheshb@google.com \
--cc=netdev@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.