Re: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

kernel-hardening.lists.openwall.com archive mirror
 help / color / mirror / Atom feed

From: "Austin S. Hemmelgarn" <ahferroin7@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
	Kees Cook <keescook@chromium.org>
Cc: "Serge Hallyn" <serge.hallyn@ubuntu.com>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	"Andy Lutomirski" <luto@amacapital.net>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	"Richard Weinberger" <richard@nod.at>,
	"Robert Święcki" <robert@swiecki.net>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"David Howells" <dhowells@redhat.com>,
	"Kostya Serebryany" <kcc@google.com>,
	"Alexander Potapenko" <glider@google.com>,
	"Eric Dumazet" <edumazet@google.com>,
	"Sasha Levin" <sasha.levin@oracle.com>,
	"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
Date: Wed, 27 Jan 2016 07:32:02 -0500	[thread overview]
Message-ID: <56A8B8C2.7000702@gmail.com> (raw)
In-Reply-To: <874mdzgvw8.fsf@x220.int.ebiederm.org>

On 2016-01-27 05:27, Eric W. Biederman wrote:
> Kees Cook <keescook@chromium.org> writes:
>
>> On Tue, Jan 26, 2016 at 9:15 AM, Serge Hallyn <serge.hallyn@ubuntu.com> wrote:
>>> Quoting Josh Boyer (jwboyer@fedoraproject.org):
>>>> What you're saying is true for the "oh crap" case of a new userns
>>>> related CVE being found.  However, there is the case where sysadmins
>>>> know for a fact that a set of machines should not allow user
>>>> namespaces to be enabled.  Currently they have 2 choices, 1) use their
>>>
>>> Hi - can you give a specific example of this?  (Where users really should
>>> not be able to use them - not where they might not need them)  I think
>>> it'll help the discussion tremendously.  Because so far the only good
>>> arguments I've seen have been about actual bugs in the user namespaces,
>>> which would not warrant a designed-in permanent disable switch.  If
>>> there are good use cases where such a disable switch will always be
>>> needed (and compiling out can't satisfy) that'd be helpful.
>>
>> My example is a machine in a colo rack serving web pages. A site gets
>> attacked, and www-data uses user namespaces to continue their attack
>> to gain root privileges.
>>
>> The admin of such a machine could have disabled userns months earlier
>> and limited the scope of the attack.
>
> Of course for the paranoid there is already a mechanism to do this.
> /sbin/chroot.
>
> No new user namespaces are allowed to be created inside of a chroot.
I would like to point out that this is undocumented outside of the 
kernel source code on every Linux system I've seen.  And, it's not 
hugely obvious from looking at the source code unless you have some 
experience with kernel programming.

Also, being able to limit to exactly one (or possibly two depending on 
the application's usage of them) user namespace would be useful, as that 
would allow sand-boxing without the ability to create any more through 
some exploit.

next prev parent reply	other threads:[~2016-01-27 12:32 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-22 22:39 [kernel-hardening] [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook
2016-01-22 22:39 ` [kernel-hardening] [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin Kees Cook
2016-01-23  3:10   ` [kernel-hardening] " Eric W. Biederman
2016-01-23 22:25     ` Jann Horn
2016-01-24  1:20       ` Eric W. Biederman
2016-01-24  1:43         ` Al Viro
2016-01-24  1:56           ` Jann Horn
2016-01-24  6:02             ` Eric W. Biederman
2016-01-24  6:32               ` Jann Horn
2016-01-24  6:44                 ` Eric W. Biederman
2016-01-22 22:39 ` [kernel-hardening] [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook
2016-01-22 22:47   ` [kernel-hardening] " Robert Święcki
2016-01-22 22:50     ` Kees Cook
2016-01-22 22:55       ` Robert Święcki
2016-01-22 23:00         ` Kees Cook
2016-01-23  0:44           ` Serge Hallyn
2016-01-23  0:44           ` Serge Hallyn
2016-01-23  0:59           ` Ben Hutchings
2016-01-24 20:59             ` Kees Cook
2016-01-24 22:20               ` Andy Lutomirski
2016-01-25 18:51                 ` Kees Cook
2016-01-22 22:49 ` [kernel-hardening] Re: [PATCH 0/2] " Richard Weinberger
2016-01-23  3:02 ` Eric W. Biederman
2016-01-24 20:57   ` Kees Cook
2016-01-26  7:38     ` Serge Hallyn
2016-01-24 22:22   ` Andy Lutomirski
2016-01-25 18:51     ` Kees Cook
2016-01-25 18:53       ` Andy Lutomirski
2016-01-25 18:56         ` Kees Cook
2016-01-25 19:33           ` Eric W. Biederman
2016-01-25 22:34             ` Kees Cook
2016-01-25 23:33               ` Andy Lutomirski
2016-01-26  2:27               ` Daniel Micay
2016-01-26  4:57               ` Eric W. Biederman
2016-01-26 14:38                 ` Josh Boyer
2016-01-26 14:46                   ` Austin S. Hemmelgarn
2016-01-26 14:56                     ` Josh Boyer
2016-01-26 17:20                       ` Serge Hallyn
2016-01-26 19:56                         ` Josh Boyer
2016-01-26 20:11                           ` Austin S. Hemmelgarn
2016-01-26 17:15                   ` Serge Hallyn
2016-01-26 18:09                     ` Austin S. Hemmelgarn
2016-01-26 18:27                       ` Andy Lutomirski
2016-01-26 18:45                         ` Austin S. Hemmelgarn
2016-01-26 23:15                         ` Kees Cook
2016-01-26 23:13                     ` Kees Cook
2016-01-27 10:27                       ` Eric W. Biederman
2016-01-27 12:32                         ` Austin S. Hemmelgarn [this message]
2016-01-28 14:41                         ` Robert Święcki
2016-01-26 23:47                     ` Josh Boyer
2016-01-26 16:37                 ` Kees Cook
2016-01-28  8:56                 ` Serge E. Hallyn
2016-01-28 12:53                   ` Austin S. Hemmelgarn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56A8B8C2.7000702@gmail.com \
    --to=ahferroin7@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=dhowells@redhat.com \
    --cc=dvyukov@google.com \
    --cc=ebiederm@xmission.com \
    --cc=edumazet@google.com \
    --cc=glider@google.com \
    --cc=kcc@google.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=richard@nod.at \
    --cc=robert@swiecki.net \
    --cc=sasha.levin@oracle.com \
    --cc=serge.hallyn@ubuntu.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).