From mboxrd@z Thu Jan 1 00:00:00 1970
From: James Morris
Subject: Re: [PATCHv3 0/2] capability controlled user-namespaces
Date: Mon, 8 Jan 2018 20:51:20 +1100 (AEDT)
References: <20171205223052.12687-1-mahesh@bandewar.net> <20180108062452.GA21717@mail.hallyn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
In-Reply-To: <20180108062452.GA21717@mail.hallyn.com>
To: "Serge E. Hallyn"
Cc: Mahesh Bandewar (महेश बंडेवार), LKML, Netdev, Kernel-hardening, Linux API, Kees Cook, "Eric W . Biederman", Eric Dumazet, David Miller, Mahesh Bandewar
List-Id: linux-api@vger.kernel.org

On Mon, 8 Jan 2018, Serge E. Hallyn wrote:

> > Also, why do we need the concept of a controlled user-ns at all, if the
> > default whitelist maintains existing behavior?
>
> In past discussions two uses have been brought up:
>
> 1. if a 0-day is discovered which is exacerbated by a specific
> privilege in user namespaces, that privilege could be turned off until a
> reboot with a fixed kernel is scheduled, without fully disabling all
> containers.
>
> 2. some systems may be specifically designed to run software which
> only requires a few capabilities in a userns. In that case all others
> could be disabled.

I meant in terms of "marking" a user ns as "controlled" type -- it's
unnecessary jargon from an end-user point of view. This may happen
internally, but don't make it a special case with a different name and
don't bother users with internal concepts: simply implement capability
whitelists with the default having equivalent behavior of everything
allowed. Then, document the semantics of the whitelist in terms of
inheritance etc., as a feature of user namespaces, not as a "type" of
user namespace.

- James
-- 
James Morris