* As we move to use Linux Containers User Namespace
@ 2014-01-15 21:04 Daniel J Walsh
  2014-01-15 23:25 ` Eric Paris
From: Daniel J Walsh @ 2014-01-15 21:04 UTC (permalink / raw)
  To: SELinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think we need the kernel to start checking container Capabilities rather
than system capabilities.

I would like to be able to say something like

allow svirt_lxc_net_t self:nscapability sys_admin;

This way we can use MAC to better control break out of user namespace.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLW998ACgkQrlYvE4MpobP6IgCglpmgF8XKjr1W1xzPU6eGU6k+
h8EAniQwwEhMAOeAy4e1NUw/8o2h/oWs
=g8UL
-----END PGP SIGNATURE-----


* Re: As we move to use Linux Containers User Namespace
  2014-01-15 21:04 As we move to use Linux Containers User Namespace Daniel J Walsh
@ 2014-01-15 23:25 ` Eric Paris
  2014-01-15 23:34   ` William Roberts
  2014-01-16 13:24   ` Paul Moore
From: Eric Paris @ 2014-01-15 23:25 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Just to blow everyone's minds: The first thought that came to me was
that the only way to make this useful is to actually put a label on
the user namespace.

If I create a container, and then a container inside that container,
I'd think selinux should be able to control the capabilities at the
second level down.  Dan's only asking about one level down...

On Wed, Jan 15, 2014 at 4:04 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> I think we need the kernel to start checking container Capabilities rather
> than system capabilities.
>
> I would like to be able to say something like
>
> allow svirt_lxc_net_t self:nscapability sys_admin;
>
> This way we can use MAC to better control break out of user namespace.


* Re: As we move to use Linux Containers User Namespace
  2014-01-15 23:25 ` Eric Paris
@ 2014-01-15 23:34   ` William Roberts
  2014-01-16 13:24   ` Paul Moore
From: William Roberts @ 2014-01-15 23:34 UTC (permalink / raw)
  To: Eric Paris; +Cc: SELinux

Booom... mind is blown. Namespaces are kernel resources, and labeling
them has been working so far.

On Wed, Jan 15, 2014 at 6:25 PM, Eric Paris <eparis@parisplace.org> wrote:
> Just to blow everyone's minds: The first thought that came to me was
> that the only way to make this useful is to actually put a label on
> the user namespace.
>
> If I create a container, and then a container inside that container,
> I'd think selinux should be able to control the capabilities at the
> second level down.  Dan's only asking about one level down...
>
> On Wed, Jan 15, 2014 at 4:04 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> I think we need the kernel to start checking container Capabilities rather
>> than system capabilities.
>>
>> I would like to be able to say something like
>>
>> allow svirt_lxc_net_t self:nscapability sys_admin;
>>
>> This way we can use MAC to better control break out of user namespace.

-- 
Respectfully,

William C Roberts


* Re: As we move to use Linux Containers User Namespace
  2014-01-15 23:25 ` Eric Paris
  2014-01-15 23:34   ` William Roberts
@ 2014-01-16 13:24   ` Paul Moore
  2014-01-26 16:04     ` Serge E. Hallyn
From: Paul Moore @ 2014-01-16 13:24 UTC (permalink / raw)
  To: selinux

On Wednesday, January 15, 2014 06:25:05 PM Eric Paris wrote:
> Just to blow everyone's minds: The first thought that came to me was
> that the only way to make this useful is to actually put a label on
> the user namespace.
> 
> If I create a container, and then a container inside that container,
> I'd think selinux should be able to control the capabilities at the
> second level down.  Dan's only asking about one level down...

Turtles all the way down.

If we are going to do it for one level, we should do it for all levels.

-- 
paul moore
www.paul-moore.com


* Re: As we move to use Linux Containers User Namespace
  2014-01-16 13:24   ` Paul Moore
@ 2014-01-26 16:04     ` Serge E. Hallyn
From: Serge E. Hallyn @ 2014-01-26 16:04 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Quoting Paul Moore (paul@paul-moore.com):
> On Wednesday, January 15, 2014 06:25:05 PM Eric Paris wrote:

Note first off that you'll rarely want to check for capabilities against
yourself, because any unprivileged task can unshare a new user namespace
with his own (host) uid mapped to root in the new namespace, and pass
that test.  However, checking for capabilities against an open file (meaning
an inode_capable() check) makes sense.

> > Just to blow everyone's minds: The first thought that came to me was
> > that the only way to make this useful is to actually put a label on
> > the user namespace.
> > 
> > If I create a container, and then a container inside that container,
> > I'd think selinux should be able to control the capabilities at the
> > second level down.  Dan's only asking about one level down...

(Not sure whether you mean up or down? :)

> Turtles all the way down.
> 
> If we are going to do it for one level, we should do it for all levels.

Speaking in non-selinux terms, it would make sense to simply ask whether
task T1 has Capability C1 against object O1, where O1 is a task, a nic,
a file, a mountpoint, etc.  Referring to a specific user namespace by its
own label would be awkward, I believe.

I'm not sure how to put that in selinux terms, since labels will certainly
cross namespaces.

-serge
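
The failure mode Serge describes above, as an added example that is not from the thread or from any of its participants (a self-contained C probe written for this page): an unprivileged task unshares a new user namespace, inspects its own effective capability set, maps itself to uid 0 there, and then attempts an operation the kernel checks against an object owned by the parent namespace (the host's UTS namespace, via sethostname()). The probe runs in a forked child so the caller's namespaces are untouched. The function and result-bit names (userns_capability_probe, PROBE_*) are this example's own, not kernel or SELinux identifiers. Whether unshare(CLONE_NEWUSER) is permitted at all depends on the host (sysctl, seccomp, LSM policy); when it is denied the probe reports nothing rather than guessing.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Numeric value of CAP_SYS_ADMIN from <linux/capability.h>; defined here so
 * the example needs nothing beyond libc. */
#define CAP_SYS_ADMIN_BIT 21

/* Bits in the value returned by userns_capability_probe() (example's own). */
enum {
    PROBE_UNSHARED      = 1 << 0, /* unshare(CLONE_NEWUSER) succeeded             */
    PROBE_CAP_SYS_ADMIN = 1 << 1, /* CAP_SYS_ADMIN in CapEff after the unshare    */
    PROBE_UID0          = 1 << 2, /* uid_map written; euid is 0 in the new ns     */
    PROBE_SETHOSTNAME   = 1 << 3, /* sethostname() against the host UTS ns passed */
};

/* Does the calling task's effective set (CapEff in /proc/self/status)
 * contain the given capability bit? */
static int cap_effective_has(int bit)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    unsigned long long mask = 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &mask) == 1)
            break;
    fclose(f);
    return (int)((mask >> bit) & 1);
}

/* Map uid 0 in the new namespace to our own host uid.  An unprivileged
 * writer may map exactly one id, and only its own. */
static int map_self_to_root(uid_t host_uid)
{
    char buf[64];
    int n = snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)host_uid);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return w == n ? 0 : -1;
}

/* Body of the probe; runs in a forked child so the caller is untouched. */
static int probe_child(void)
{
    int result = 0;
    uid_t host_uid = geteuid();

    if (unshare(CLONE_NEWUSER) != 0)
        return result;              /* userns creation denied: nothing to show */
    result |= PROBE_UNSHARED;

    /* "Capable against yourself": the creator of a fresh user namespace holds
     * the full capability set in it, before any id mapping even exists. */
    if (cap_effective_has(CAP_SYS_ADMIN_BIT))
        result |= PROBE_CAP_SYS_ADMIN;

    if (map_self_to_root(host_uid) == 0 && geteuid() == 0)
        result |= PROBE_UID0;

    /* "Capable against an object": we are still in the host's UTS namespace,
     * owned by the parent user namespace, so the kernel demands CAP_SYS_ADMIN
     * there, where we hold nothing.  Re-setting the current name keeps the
     * call a no-op if it ever did succeed. */
    char name[256];
    if (gethostname(name, sizeof name) == 0 && sethostname(name, strlen(name)) == 0)
        result |= PROBE_SETHOSTNAME;
    return result;
}

/* Fork, run the probe in the child, return its result bits (-1 on error). */
int userns_capability_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(probe_child());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = userns_capability_probe();
    if (r < 0) { perror("probe"); return 1; }
    printf("unshare(CLONE_NEWUSER)           : %s\n", (r & PROBE_UNSHARED) ? "ok" : "denied");
    printf("CAP_SYS_ADMIN in own new userns  : %s\n", (r & PROBE_CAP_SYS_ADMIN) ? "yes" : "no");
    printf("uid 0 in new userns (uid_map)    : %s\n", (r & PROBE_UID0) ? "yes" : "no");
    printf("sethostname() against host UTS ns: %s\n", (r & PROBE_SETHOSTNAME) ? "allowed" : "EPERM");
    return 0;
}
```

Build with `cc -Wall probe.c -o probe` and run as an ordinary user. On a host that allows unprivileged user namespaces the first three lines typically read ok/yes/yes and the last reads EPERM: the task really is uid 0 with CAP_SYS_ADMIN in the namespace it just created, which is exactly why a capability check "against yourself" (a `self` target) is worth little, while sethostname() is refused because the UTS namespace it acts on is owned by the initial user namespace, where the task has no capabilities at all. The same distinction is what the kernel's SELinux hook later made explicit by checking capabilities exercised from a non-initial user namespace under the separate cap_userns/cap2_userns classes instead of capability/capability2.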

