From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook
Cc: Andrew Morton, Al Viro, "Serge E. Hallyn", Andy Lutomirski, "Austin S. Hemmelgarn", Richard Weinberger, Robert Święcki, Dmitry Vyukov, David Howells, Kostya Serebryany, Alexander Potapenko, Eric Dumazet, Sasha Levin, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled
Date: Thu, 28 Jan 2016 11:48:33 -0600
Message-ID: <87io2degsu.fsf@x220.int.ebiederm.org>
In-Reply-To: <20160128143825.GA17383@www.outflux.net> (Kees Cook's message of "Thu, 28 Jan 2016 06:38:25 -0800")
References: <20160128143825.GA17383@www.outflux.net>

Kees Cook writes:

> + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) &&
> + capable(CAP_SETUID) &&
> + capable(CAP_SETGID)))
> + return -EPERM;
> +

I will also note that, the way I have seen containers used, this check adds no security and is not mentioned or justified in any way in your patch description.

Furthermore this looks like blame shifting. And, quite frankly, shifting the responsibility to users if they get hacked is not an acceptable attitude.

Eric
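Review bot: the three `capable()` calls in this hunk test the capabilities against the initial user namespace, so a process that already runs inside an unprivileged user namespace and holds CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID there is still refused with -EPERM once the sysctl is set; the commit message should state whether blocking nested unprivileged namespace creation is intended, and, if the check is meant to be per-namespace, `ns_capable()` against the parent namespace would be the matching call. Separately, `capable()` records an audit denial when it fails, and with this ordering every unprivileged `clone(CLONE_NEWUSER)` made while `sysctl_userns_restrict` is on will log a CAP_SYS_ADMIN denial before the other two are even consulted; if that noise is unwanted, consider `has_capability_noaudit()` or a comment documenting that the audit record is the desired detection signal.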