From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752203AbbJRUsc (ORCPT ); Sun, 18 Oct 2015 16:48:32 -0400 Received: from a.ns.miles-group.at ([95.130.255.143]:11952 "EHLO radon.swed.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751222AbbJRUs3 (ORCPT ); Sun, 18 Oct 2015 16:48:29 -0400 Subject: Re: [PATCH] userns/capability: Add user namespace capability To: Tobias Markus References: <5622700C.9090107@miglix.eu> <5623FD86.2030609@miglix.eu> <5623FF36.8080800@nod.at> <562403E7.6070300@miglix.eu> Cc: LKML , "Eric W. Biederman" , Al Viro , Serge Hallyn , Andrew Morton , Andy Lutomirski , Christoph Lameter , "Michael Kerrisk (man-pages)" , LSM , "open list:ABI/API" , linux-man From: Richard Weinberger X-Enigmail-Draft-Status: N1110 Message-ID: <56240599.3050903@nod.at> Date: Sun, 18 Oct 2015 22:48:25 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <562403E7.6070300@miglix.eu> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am 18.10.2015 um 22:41 schrieb Tobias Markus: > On 18.10.2015 22:21, Richard Weinberger wrote: >> Am 18.10.2015 um 22:13 schrieb Tobias Markus: >>> On 17.10.2015 22:17, Richard Weinberger wrote: >>>> On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: >>>>> One question remains though: Does this break userspace executables that >>>>> expect being able to create user namespaces without priviledge? Since >>>>> creating user namespaces without CAP_SYS_ADMIN was not possible before >>>>> Linux 3.8, programs should already expect a potential EPERM upon calling >>>>> clone. Since creating a user namespace without CAP_SYS_USER_NS would >>>>> also cause EPERM, we should be on the safe side. >>>> >>>> In case of doubt, yes it will break existing software. >>>> Hiding user namespaces behind CAP_SYS_USER_NS will not magically >>>> make them secure. >>>> >>> The goal is not to make user namespaces secure, but to limit access to >>> them somewhat in order to reduce the potential attack surface. >> >> We have already a framework to reduce the attack surface, seccomp. >> There is no need to invent new capabilities for every non-trivial >> kernel feature. >> >> I can understand the user namespaces seems scary and had bugs. >> But which software didn't? >> >> Are there any unfixed exploitable bugs in user namespaces in recent kerenls? >> >> Thanks, >> //richard > > Isn't seccomp about setting a per-thread syscall filter? Correct me if > I'm wrong, but I don't know of any way of using seccomp to globally ban > the use of clone or unshare with CLONE_NEWUSER except for a few > whiteliste executables, and that's the idea of this hypothetical capability. This is correct. If you want it globally you can still use LSM. > Sure, there are no known exploitable bugs in recent kernels, but would > you guarantee that for the next 10 years? Every software has bugs, some > of them exploitable, no amount of testing can prevent that. I'm not > paranoid, but on the other hand, why should every Linux user having > CONFIG_USER_NS enabled have to expose more attack surface than he > absolutely has to? And what about all the other kernel features? I really don't get why you choose user namespaces as your enemy. > Richard, would you run an Apache HTTP server exposed to the internet on > your own laptop, without any security precautions? According to your > reasoning, Apache is surely scary and has many bugs, but every software > has bugs, right? This argument is bogus and you know that too. > I really don't want to introduce a user-facing API change just for the > fun of it - so if there's any better way to do this, please tell me. As I said, it really don't see why we should treat user namespaces in a special way. It is a kernel feature like many others are. If you don't trust it, disable it. Thanks, //richard