From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Paul Moore <paul@paul-moore.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Frederick Lawler <fred@cloudflare.com>,
kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org,
ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
kafai@fb.com, songliubraving@fb.com, yhs@fb.com,
john.fastabend@gmail.com, jmorris@namei.org,
stephen.smalley.work@gmail.com, eparis@parisplace.org,
shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com,
bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
selinux@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
kernel-team@cloudflare.com, cgzones@googlemail.com,
karl@bigbadwolfsecurity.com, tixxdz@gmail.com
Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns()
Date: Fri, 26 Aug 2022 10:23:19 -0500
Message-ID: <20220826152319.GA12466@mail.hallyn.com>
In-Reply-To: <875yigp4tp.fsf@email.froward.int.ebiederm.org>

On Thu, Aug 25, 2022 at 01:15:46PM -0500, Eric W. Biederman wrote:
> Paul Moore <paul@paul-moore.com> writes:
>
> > On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> >> I am hoping we can come up with
> >> "something better" to address people's needs, make everyone happy, and
> >> bring forth world peace. Which would stack just fine with what's here
> >> for defense in depth.
> >>
> >> You may well not be interested in further work, and that's fine. I need
> >> to set aside a few days to think on this.
> >
> > I'm happy to continue the discussion as long as it's constructive; I
> > think we all are. My gut feeling is that Frederick's approach falls
> > closest to the sweet spot of "workable without being overly offensive"
> > (*cough*), but if you've got an additional approach in mind, or an
> > alternative approach that solves the same use case problems, I think
> > we'd all love to hear about it.
>
> I would love to actually hear the problems people are trying to solve so
> that we can have a sensible conversation about the trade offs.
>
> As best I can tell without more information people want to use
> the creation of a user namespace as a signal that the code is
> attempting an exploit.
I don't think that's it at all. I think the problem is that it seems
you can pretty reliably get a root shell at some point in the future
by creating a user namespace, leaving it open for a bit, and waiting
for a new announcement of the latest netfilter or whatever exploit
that requires root in a user namespace. Then go back to your userns
shell and run the exploit.

So I was hoping we could do something more targeted. Be it splitting
off the ability to run code under capable_ns code from uid mapping (to
an extent), or maybe some limited-livepatch type of thing where
certain parts of code become inaccessible to code in a non-init userns
after some sysctl has been toggled, or something cooler that I've
failed to think of.
-serge
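The "userns shell" primitive Serge refers to above, as an added example that is not part of the thread or of Frederick's patch series: an unprivileged process unshares a user namespace, writes its own uid and gid into the 0 slot of the new namespace's uid_map/gid_map, and then holds a full effective capability set inside that namespace, so any kernel path gated by ns_capable() on that namespace is now reachable from an otherwise unprivileged account. If creation is refused (by a sysctl or, with the proposed hook, by an LSM), the refusal surfaces as EPERM from unshare(). The CapEff parser, the capability numbers (copied from the Linux ABI) and the sample /proc/self/status text are this example's own; the sample is constructed for testing the parser, a real run reads the live file.

```c
/* Added example, not code from the thread: reproduce the "userns shell"
 * primitive. Build: cc -o userns_shell userns_shell.c ; run as a normal
 * user on a kernel that permits unprivileged user namespaces. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability numbers from the Linux ABI (linux/capability.h), copied here
 * so the example builds without kernel headers. */
#define EXAMPLE_CAP_NET_ADMIN 12
#define EXAMPLE_CAP_SYS_ADMIN 21

/* Constructed sample of /proc/self/status output, used only to exercise
 * the parser; a real run reads the live file. 0x1ffffffffff is the full
 * 41-capability set of a recent kernel. */
static const char SAMPLE_STATUS[] =
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n";

/* Parse the CapEff: line of status-formatted text into a bitmask.
 * Returns 0 on success, -1 if the line is missing or malformed. */
int parse_cap_eff(const char *status_text, uint64_t *out)
{
    const char *p = strstr(status_text, "CapEff:");
    char *end;
    unsigned long long v;

    if (!p)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    v = strtoull(p, &end, 16);
    if (end == p || errno)
        return -1;
    *out = (uint64_t)v;
    return 0;
}

/* 1 if `cap` is in the effective set described by `status_text`, 0 if not,
 * -1 if the text could not be parsed or `cap` is out of range. */
int status_has_cap(const char *status_text, int cap)
{
    uint64_t caps;

    if (cap < 0 || cap > 63 || parse_cap_eff(status_text, &caps) < 0)
        return -1;
    return (int)((caps >> cap) & 1ULL);
}

static int write_file(const char *path, const char *buf)
{
    int fd = open(path, O_WRONLY);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = write(fd, buf, strlen(buf));
    close(fd);
    return n == (ssize_t)strlen(buf) ? 0 : -1;
}

/* Create a user namespace and map the caller to uid/gid 0 inside it.
 * Returns 0 on success, -1 with errno set; EPERM from unshare() is what a
 * sysctl or LSM denial of user namespace creation looks like. */
int enter_rootless_userns(void)
{
    char map[64];
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (unshare(CLONE_NEWUSER) < 0)
        return -1;
    /* setgroups must be denied before an unprivileged gid_map write. */
    if (write_file("/proc/self/setgroups", "deny") < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);
    if (write_file("/proc/self/uid_map", map) < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);
    return write_file("/proc/self/gid_map", map);
}

int main(void)
{
    char status[4096];
    ssize_t n;
    int fd;

    if (enter_rootless_userns() < 0) {
        perror("user namespace setup");
        return 1;
    }
    fd = open("/proc/self/status", O_RDONLY);
    if (fd < 0 || (n = read(fd, status, sizeof status - 1)) <= 0) {
        perror("/proc/self/status");
        return 1;
    }
    status[n] = '\0';
    close(fd);
    printf("euid in new userns: %u\n", (unsigned)geteuid());
    printf("CAP_NET_ADMIN effective: %d\n",
           status_has_cap(status, EXAMPLE_CAP_NET_ADMIN));
    printf("CAP_SYS_ADMIN effective: %d\n",
           status_has_cap(status, EXAMPLE_CAP_SYS_ADMIN));
    /* The namespace, and the capabilities in it, stay available for as
     * long as this shell (or anything it spawns) is alive. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

The capabilities reported are only effective against objects owned by the new namespace, which is why this is not a privilege escalation by itself; the point of the thread is that kernel code reachable through those ns_capable() checks is now in scope for an unprivileged user, and the hook under discussion lets an LSM decide per process whether that first unshare() succeeds.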
Thread overview: 35+ messages
2022-08-15 16:20 [PATCH v5 0/4] Introduce security_create_user_ns() Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 1/4] security, lsm: " Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 2/4] bpf-lsm: Make bpf_lsm_userns_create() sleepable Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 3/4] selftests/bpf: Add tests verifying bpf lsm userns_create hook Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 4/4] selinux: Implement " Frederick Lawler
2022-08-16 21:51 ` [PATCH v5 0/4] Introduce security_create_user_ns() Paul Moore
2022-08-17 15:07 ` Eric W. Biederman
2022-08-17 16:01 ` Paul Moore
2022-08-17 19:57 ` Eric W. Biederman
2022-08-17 20:13 ` Paul Moore
2022-08-17 20:56 ` Eric W. Biederman
2022-08-17 21:09 ` Paul Moore
2022-08-17 21:24 ` Eric W. Biederman
2022-08-17 21:50 ` Paul Moore
2022-08-18 0:35 ` Jonathan Chapman-Moore
2022-08-18 14:05 ` Serge E. Hallyn
2022-08-18 15:11 ` Paul Moore
2022-08-19 14:45 ` Serge E. Hallyn
2022-08-19 21:10 ` Paul Moore
2022-08-25 18:15 ` Eric W. Biederman
2022-08-25 19:19 ` Paul Moore
2022-08-25 21:58 ` Song Liu
2022-08-25 22:10 ` Paul Moore
2022-08-25 22:42 ` Song Liu
2022-08-26 15:02 ` Paul Moore
2022-08-26 16:57 ` Song Liu
2022-08-26 15:24 ` Serge E. Hallyn
2022-08-26 17:00 ` Song Liu
2022-08-26 21:00 ` Serge E. Hallyn
2022-08-26 22:34 ` Song Liu
2022-08-29 15:33 ` Christian Brauner
2022-09-03 3:58 ` Serge E. Hallyn
2022-08-26 9:10 ` Ignat Korchagin
2022-08-26 15:12 ` Paul Moore
2022-08-26 15:23 ` Serge E. Hallyn [this message]