From: Colin Walters <walters@verbum.org>
To: Kees Cook <keescook@chromium.org>, Andy Lutomirski <luto@amacapital.net>
Cc: linux-kernel@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
Linux Containers <containers@lists.linux-foundation.org>,
Alexander Larsson <alexl@redhat.com>,
Serge Hallyn <serge.hallyn@ubuntu.com>,
Stephane Graber <stgraber@ubuntu.com>,
Seth Forshee <seth.forshee@canonical.com>
Subject: Re: Thoughts on tightening up user namespace creation
Date: Wed, 09 Mar 2016 13:51:07 -0500 [thread overview]
Message-ID: <1457549467.650797.544465346.49653120@webmail.messagingengine.com> (raw)
In-Reply-To: <CAGXu5jLB5==RAs9YrsPi4m6ZBPn3UtbCzagu_+gr-rtSgKzB1Q@mail.gmail.com>
On Wed, Mar 9, 2016, at 01:14 PM, Kees Cook wrote:
> On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> > Hi all-
> >
> > There are several users and distros that are nervous about user
> > namespaces from an attack surface point of view.
> >
> > - RHEL and Arch have userns disabled.
> >
> > - Ubuntu requires CAP_SYS_ADMIN
> >
> > - Kees periodically proposes to upstream some sysctl to control
> > userns creation.
>
> And here's another ring0 escalation flaw, made available to
> unprivileged users because of userns:
>
> https://code.google.com/p/google-security-research/issues/detail?id=758
Looks like Andy won't have to eat his hat ;)
> The change in attack surface is _substantial_. We must have a way to
> globally disable userns.
No one would object if it was enabled but only accessible to
CAP_SYS_ADMIN though, right? This could be useful for
writing setuid binaries that expose some of the features, but e.g. not
CAP_NET_ADMIN.
Andy's suggestion of having this be a per-namespace setting makes
sense to me. Currently some container tools that do use userns
are by default denying it to be recursive (Sandstorm.io and Docker 1.10 at least)
by using a seccomp filter on clone(). If we had this setting that
filter wouldn't be necessary, and would solve the issue that seccomp filters
aren't robust against the kernel adding new API, e.g. a new CLONE_NEWUSER_NONEWPRIVS
which might enable chroot() but not CAP_NET_ADMIN.
next prev parent reply other threads:[~2016-03-09 18:51 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-08 5:15 Thoughts on tightening up user namespace creation Andy Lutomirski
2016-03-08 6:06 ` Serge E. Hallyn
2016-03-08 18:31 ` Andy Lutomirski
2016-03-08 22:41 ` Serge E. Hallyn
2016-03-08 10:05 ` Alexander Larsson
2016-03-08 16:31 ` Eric W. Biederman
2016-03-09 18:14 ` Kees Cook
2016-03-09 18:51 ` Colin Walters [this message]
2016-03-09 19:04 ` Austin S. Hemmelgarn
2016-03-09 19:21 ` Serge E. Hallyn
2016-03-09 19:25 ` Kees Cook
2016-03-09 19:07 ` Serge E. Hallyn
2016-03-09 19:12 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1457549467.650797.544465346.49653120@webmail.messagingengine.com \
--to=walters@verbum.org \
--cc=alexl@redhat.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=serge.hallyn@ubuntu.com \
--cc=seth.forshee@canonical.com \
--cc=stgraber@ubuntu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).