public inbox for linux-kernel@vger.kernel.org
From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
	Andy Lutomirski <luto@amacapital.net>, Jann Horn <jann@thejh.net>,
	Kees Cook <keescook@chromium.org>,
	Nikolay Borisov <kernel@kyup.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
Subject: Re: [PATCH v2 00/10] userns: sysctl limits for namespaces
Date: Tue, 26 Jul 2016 10:06:59 -0500
Message-ID: <87shuwtp4c.fsf@x220.int.ebiederm.org>
In-Reply-To: <6be70177-a81d-7ed8-d2c9-a596d4d6a165@gmail.com> (Michael Kerrisk's message of "Tue, 26 Jul 2016 12:30:10 +0200")

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hello Eric,
>
> I realized I had a question after the last mail.
>
> On 07/21/2016 06:39 PM, Eric W. Biederman wrote:
>>
>> This patchset addresses two use cases:
>> - Implement a sane upper bound on the number of namespaces.
>> - Provide a way for sandboxes to limit the attack surface from
>>   namespaces.
>
> Can you say more about the second point? What exactly is the
> problem that is being addressed, and how does the patch series
> address it? (It would be good to have those details in the
> revised commit message...)

At some point it was reported that seccomp was not sufficient to disable
namespace creation.  I need to go back and look at that claim to see
which set of circumstances that was referring to.  Seccomp doesn't stack
so I can see why it is an issue.

The general problem is that namespaces by their nature (and especially
in combination with the user namespaces) allow unprivileged users to use
more of the kernel than a user would have access to without them.  This
in turn allows malicious users more kernel calls they can use in an
attempt to find an exploitable bug.

So if you are building a sandbox/chroot jail/chromium tab or anything
like that and you know you won't be needing a kernel feature, having an
easy way to disable the feature is useful for making the kernel
marginally more secure, as certain attack vectors are no longer
possible.

Eric
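
Added example, not part of the message above or of the patch series: a pre-flight check a sandbox launcher could run to confirm that the namespace types it does not need are disabled (limit 0) before starting untrusted code. The `max_<type>_namespaces` file names under `/proc/sys/user` are the ones documented in namespaces(7) for mainline kernels, not quoted from this thread, and the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Namespace types from the series' patch subjects; file names are assumed (see lead-in). */
static const char *const NS_TYPES[] = {"user", "pid", "uts", "ipc", "cgroup", "net", "mnt"};
#define NS_COUNT (sizeof NS_TYPES / sizeof NS_TYPES[0])

/* Parse one sysctl value such as "0\n". Returns 0 on success, -1 on junk. */
int parse_limit(const char *text, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno == ERANGE || v < 0 || (*end != '\0' && *end != '\n'))
        return -1;
    *out = v;
    return 0;
}

/* Read <dir>/max_<type>_namespaces; -1 means missing or malformed. */
long read_ns_limit(const char *dir, const char *type)
{
    char path[256], buf[64];
    long v = -1;
    snprintf(path, sizeof path, "%s/max_%s_namespaces", dir, type);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return (line && parse_limit(buf, &v) == 0) ? v : -1;
}

/* Bit i is set when NS_TYPES[i] is NOT provably disabled: limit nonzero or unreadable. */
unsigned not_disabled_mask(const char *dir)
{
    unsigned mask = 0;
    for (size_t i = 0; i < NS_COUNT; i++)
        if (read_ns_limit(dir, NS_TYPES[i]) != 0)
            mask |= 1u << i;
    return mask;
}

int main(int argc, char **argv)
{
    unsigned mask = not_disabled_mask(argc > 1 ? argv[1] : "/proc/sys/user");
    for (size_t i = 0; i < NS_COUNT; i++)
        printf("%-6s %s\n", NS_TYPES[i], (mask >> i) & 1 ? "not disabled" : "disabled");
    return mask != 0; /* nonzero exit: at least one type is not disabled */
}
```

A missing or unreadable file is treated as "not disabled", so the check fails closed on kernels that predate these sysctls.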
