From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christian Brauner Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces Date: Mon, 6 Nov 2017 23:42:08 +0100 Message-ID: <20171106224207.pdws44vorkxdf6ur@gmail.com> References: <20171103004436.40026-1-mahesh@bandewar.net> <20171104235346.GA17170@mail.hallyn.com> <20171106150302.GA26634@mail.hallyn.com> <1510003994.736.0.camel@gmail.com> <20171106221418.GA32543@mail.hallyn.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Return-path: Content-Disposition: inline In-Reply-To: <20171106221418.GA32543-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: "Serge E. Hallyn" Cc: Daniel Micay , Mahesh Bandewar =?utf-8?B?KOCkruCkueClh+CktiDgpKzgpILgpKHgpYfgpLXgpL4=?= =?utf-8?B?4KSwKQ==?= , Mahesh Bandewar , LKML , Netdev , Kernel-hardening , Linux API , Kees Cook , "Eric W . Biederman" , Eric Dumazet , David Miller List-Id: linux-api@vger.kernel.org On Mon, Nov 06, 2017 at 04:14:18PM -0600, Serge Hallyn wrote: > Quoting Daniel Micay (danielmicay-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org): > > Substantial added attack surface will never go away as a problem. There > > aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and quality. There is code which I > want to be able to use in a container, and code which I can't ever see a > reason for using there. The latter, especially if it's also in a > staging driver, would be nice to have a toggle to disable. > > You're not advocating dropping the added attack surface, only adding a > way of dealing with an 0day after the fact. Privilege raising 0days can > exist anywhere, not just in code which only root in a user namespace can > exercise. So from that point of view, ksplice seems a more complete > solution. Why not just actually fix the bad code block when we know > about it? > > Finally, it has been well argued that you can gain many new caps from > having only a few others. Given that, how could you ever be sure that, > if an 0day is found which allows root in a user ns to abuse > CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them > would suffice? It seems to me that the existing control in > /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape > in that case. I agree that /proc/sys/kernel/unprivileged_userns_clone is the most reasonable thing to do. This patch introduces a layer of complexity to fine-tune user namespace creation that - in the relevant security critical scenario - should simply be turned of entirely. Is /proc/sys/kernel/unprivileged_userns_clone upstreamed or is this still only carried downstream?