From: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Colin Walters <walters-gPq2gbYjIk8dnm+yROfE0A@public.gmane.org>
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [RFC PATCH] KEYS: Allow a live daemon in a namespace to service request_key upcalls
Date: Fri, 02 Jun 2017 17:34:14 +0100 [thread overview]
Message-ID: <2137.1496421254@warthog.procyon.org.uk> (raw)
In-Reply-To: <1496244979.313075.994296480.7C5735E8-2RFepEojUI2N1INw9kWLP6GC3tUn3ZHUQQ4Iyu8u01E@public.gmane.org>
Colin Walters <walters-gPq2gbYjIk8dnm+yROfE0A@public.gmane.org> wrote:
> Providing a feature without *known* users in a security-sensitive context
> seems to me to be something to think twice about.
Ummm... Kernel DNS lookups, NFS idmapper upcalls. CIFS could use it too.
> Kind of - what I'm getting at is that today, changing any of the kernel
> upcalls is a fully privileged operation.
Yes. Upcalls are more secure but finding out the collection of namespaces in
which to run an upcall is a real pain - and Eric's 'concrete' method doesn't
actually work.
> (Wait, is /sbin/request-key really hardcoded in the kernel? I guess that's
> good from the perspective of not having containers be able to change it
> like they could /proc/sys/kernel/core_pattern if it was writable, but
> it seems surprising)
Namespaces didn't exist at the time.
> Anyways, if we now expose a method to configure this, we have to look
> at the increase in attack surface.
To quote:
> In practice again, most container implementations I'm aware of use
> seccomp today to simply block off access to the keyring.
We're going to have to deal with that, but it's going to take some support on
the kernel side. I think it may require a 'key' namespace - but that's going
to have potentially difficult interactions with the 'net' namespace for
network filesystems where your process's key and net namespaces are different
to the that of the superblock you're trying to access.
> > > Basically my instinct here is to be conservative and have
> > > KEYCTL_SERVICE_ADD require CAP_SYS_ADMIN and only affect the userns
> > > keyring.
Sorry, what 'userns' keyring?
> At a high level I'm glad you're looking at the "service fd" model instead of
> upcalls - I do think it'll get us to a better place.
I disagree, but it may be the only way, given the unholy mess in which the
Linux 'container' system works.
David
next prev parent reply other threads:[~2017-06-02 16:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-30 16:08 [RFC PATCH] KEYS: Allow a live daemon in a namespace to service request_key upcalls David Howells
[not found] ` <149616052408.10194.7774163568767478808.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-05-30 16:13 ` Example daemon program David Howells
2017-05-31 13:59 ` [RFC PATCH] KEYS: Allow a live daemon in a namespace to service request_key upcalls Colin Walters
[not found] ` <1496239145.289295.994170312.57409998-2RFepEojUI2N1INw9kWLP6GC3tUn3ZHUQQ4Iyu8u01E@public.gmane.org>
2017-05-31 14:47 ` David Howells
[not found] ` <3412.1496242065-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-05-31 15:36 ` Colin Walters
[not found] ` <1496244979.313075.994296480.7C5735E8-2RFepEojUI2N1INw9kWLP6GC3tUn3ZHUQQ4Iyu8u01E@public.gmane.org>
2017-06-02 15:47 ` Jeff Layton
2017-06-02 16:34 ` David Howells [this message]
[not found] ` <1496418474.13822.6.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-06-02 16:14 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2137.1496421254@warthog.procyon.org.uk \
--to=dhowells-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=walters-gPq2gbYjIk8dnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox