From: Richard Weinberger <richard@nod.at>
To: Tobias Markus <tobias@miglix.eu>
Cc: LKML <linux-kernel@vger.kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Serge Hallyn <serge.hallyn@canonical.com>,
Andrew Morton <akpm@linuxfoundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Christoph Lameter <cl@linux.com>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
LSM <linux-security-module@vger.kernel.org>,
"open list:ABI/API" <linux-api@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>
Subject: Re: [PATCH] userns/capability: Add user namespace capability
Date: Sun, 18 Oct 2015 22:48:25 +0200 [thread overview]
Message-ID: <56240599.3050903@nod.at> (raw)
In-Reply-To: <562403E7.6070300@miglix.eu>
Am 18.10.2015 um 22:41 schrieb Tobias Markus:
> On 18.10.2015 22:21, Richard Weinberger wrote:
>> Am 18.10.2015 um 22:13 schrieb Tobias Markus:
>>> On 17.10.2015 22:17, Richard Weinberger wrote:
>>>> On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus <tobias@miglix.eu> wrote:
>>>>> One question remains though: Does this break userspace executables that
>>>>> expect being able to create user namespaces without priviledge? Since
>>>>> creating user namespaces without CAP_SYS_ADMIN was not possible before
>>>>> Linux 3.8, programs should already expect a potential EPERM upon calling
>>>>> clone. Since creating a user namespace without CAP_SYS_USER_NS would
>>>>> also cause EPERM, we should be on the safe side.
>>>>
>>>> In case of doubt, yes it will break existing software.
>>>> Hiding user namespaces behind CAP_SYS_USER_NS will not magically
>>>> make them secure.
>>>>
>>> The goal is not to make user namespaces secure, but to limit access to
>>> them somewhat in order to reduce the potential attack surface.
>>
>> We have already a framework to reduce the attack surface, seccomp.
>> There is no need to invent new capabilities for every non-trivial
>> kernel feature.
>>
>> I can understand the user namespaces seems scary and had bugs.
>> But which software didn't?
>>
>> Are there any unfixed exploitable bugs in user namespaces in recent kerenls?
>>
>> Thanks,
>> //richard
>
> Isn't seccomp about setting a per-thread syscall filter? Correct me if
> I'm wrong, but I don't know of any way of using seccomp to globally ban
> the use of clone or unshare with CLONE_NEWUSER except for a few
> whiteliste executables, and that's the idea of this hypothetical capability.
This is correct.
If you want it globally you can still use LSM.
> Sure, there are no known exploitable bugs in recent kernels, but would
> you guarantee that for the next 10 years? Every software has bugs, some
> of them exploitable, no amount of testing can prevent that. I'm not
> paranoid, but on the other hand, why should every Linux user having
> CONFIG_USER_NS enabled have to expose more attack surface than he
> absolutely has to?
And what about all the other kernel features?
I really don't get why you choose user namespaces as your enemy.
> Richard, would you run an Apache HTTP server exposed to the internet on
> your own laptop, without any security precautions? According to your
> reasoning, Apache is surely scary and has many bugs, but every software
> has bugs, right?
This argument is bogus and you know that too.
> I really don't want to introduce a user-facing API change just for the
> fun of it - so if there's any better way to do this, please tell me.
As I said, it really don't see why we should treat user namespaces in a special
way. It is a kernel feature like many others are. If you don't trust it, disable it.
Thanks,
//richard
next prev parent reply other threads:[~2015-10-18 20:48 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-17 15:58 [PATCH] userns/capability: Add user namespace capability Tobias Markus
2015-10-17 20:17 ` Richard Weinberger
2015-10-18 20:13 ` Tobias Markus
2015-10-18 20:21 ` Richard Weinberger
2015-10-18 20:41 ` Tobias Markus
2015-10-18 20:48 ` Richard Weinberger [this message]
2015-10-18 21:49 ` Tobias Markus
2015-10-18 22:06 ` Richard Weinberger
2015-10-19 0:28 ` Mike Frysinger
2015-10-17 21:55 ` Serge E. Hallyn
2015-10-18 20:13 ` Tobias Markus
2015-10-19 1:41 ` Serge E. Hallyn
2015-10-19 12:36 ` Yves-Alexis Perez
2015-10-19 12:48 ` Richard Weinberger
2015-10-22 20:45 ` Eric W. Biederman
2015-10-22 21:02 ` Andy Lutomirski
2015-10-22 21:44 ` Eric W. Biederman
2015-10-19 14:24 ` Austin S Hemmelgarn
2015-10-21 18:53 ` Andy Lutomirski
2015-10-21 19:13 ` Austin S Hemmelgarn
2015-10-22 17:10 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56240599.3050903@nod.at \
--to=richard@nod.at \
--cc=akpm@linuxfoundation.org \
--cc=cl@linux.com \
--cc=ebiederm@xmission.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=serge.hallyn@canonical.com \
--cc=tobias@miglix.eu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).