From: "Serge E. Hallyn" <serge@hallyn.com>
To: Boris Lukashev <blukashev@sempervictus.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
"Daniel Micay" <danielmicay@gmail.com>,
"Mahesh Bandewar (महेश बंडेवार)" <maheshb@google.com>,
"Mahesh Bandewar" <mahesh@bandewar.net>,
LKML <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>,
Kernel-hardening <kernel-hardening@lists.openwall.com>,
"Linux API" <linux-api@vger.kernel.org>,
"Kees Cook" <keescook@chromium.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Eric Dumazet" <edumazet@google.com>,
"David Miller" <davem@davemloft.net>
Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces
Date: Mon, 6 Nov 2017 17:39:13 -0600 [thread overview]
Message-ID: <20171106233913.GA1518@mail.hallyn.com> (raw)
In-Reply-To: <CAFUG7CcEy9a=RxBQZJR-C_2VuhZXrzJ_QxJnrSxdM=ox36DsXQ@mail.gmail.com>
Quoting Boris Lukashev (blukashev@sempervictus.com):
> On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn <serge@hallyn.com> wrote:
> > Quoting Daniel Micay (danielmicay@gmail.com):
> >> Substantial added attack surface will never go away as a problem. There
> >> aren't a finite number of vulnerabilities to be found.
> >
> > There's varying levels of usefulness and quality. There is code which I
> > want to be able to use in a container, and code which I can't ever see a
> > reason for using there. The latter, especially if it's also in a
> > staging driver, would be nice to have a toggle to disable.
> >
> > You're not advocating dropping the added attack surface, only adding a
> > way of dealing with an 0day after the fact. Privilege raising 0days can
> > exist anywhere, not just in code which only root in a user namespace can
> > exercise. So from that point of view, ksplice seems a more complete
> > solution. Why not just actually fix the bad code block when we know
> > about it?
> >
> > Finally, it has been well argued that you can gain many new caps from
> > having only a few others. Given that, how could you ever be sure that,
> > if an 0day is found which allows root in a user ns to abuse
> > CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them
> > would suffice? It seems to me that the existing control in
> > /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape
> > in that case.
> >
> > -serge
>
> This seems to be heading toward "we need full zones in Linux" with
> their own procfs and sysfs namespace and a stricter isolation model
> for resources and capabilities. So long as things can happen in a
> namespace which have a privileged relationship with host resources,
> this is going to be cat-and-mouse to one degree or another.
>
> Containers and namespaces dont have a one-to-one relationship, so i'm
> not sure that's the best term to use in the kernel security context
Sorry - what's not the best term to use?
> since there's a bunch of userspace and implementation delta across the
> different systems (with their own security models and so forth).
> Without accounting for what a specific implementation may or may not
> do, and only looking at "how do we reduce privileged impact on parent
> context from unprivileged namespaces," this patch does seem to provide
> a logical way of reducing the privileges available in such a namespace
> and often needed to mount escapes/impact parent context.
What different implementations do is irrelevant - as an unprivileged user
I can always, with no help, create a new user namespace mapping my current
uid to root, and exercise this code. So the security model implemented
by a particular userspace namespace-using driver doesn't matter, as it
only restricts me if I choose to use it.
But, I guess you're actually saying that some program might know that it
should never use network code so want to drop CAP_NET_*? And you're
saying that a "global capability bounding set" might be useful?
Would it be better to actually implement it as a new bounding set that
is maintained across user namespace creations, but is per-task (inherted
by children of course)? Instead of a sysctl?
-serge
next prev parent reply other threads:[~2017-11-06 23:39 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-03 0:44 [PATCH resend 2/2] userns: control capabilities of some user namespaces Mahesh Bandewar
[not found] ` <20171103004436.40026-1-mahesh-bmGAjcP2qsnk1uMJSBkQmQ@public.gmane.org>
2017-11-04 23:53 ` Serge E. Hallyn
[not found] ` <20171104235346.GA17170-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-06 7:23 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-06 15:03 ` Serge E. Hallyn
[not found] ` <20171106150302.GA26634-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-06 21:33 ` [kernel-hardening] " Daniel Micay
[not found] ` <1510003994.736.0.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-11-06 22:14 ` Serge E. Hallyn
[not found] ` <20171106221418.GA32543-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-06 22:42 ` Christian Brauner
2017-11-07 2:16 ` Daniel Micay
[not found] ` <1510020963.736.42.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-11-07 3:23 ` Serge E. Hallyn
2017-11-09 18:01 ` chris hyser
[not found] ` <da764cbf-7522-06a0-6c21-adfa3eaac9c2-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2017-11-09 18:05 ` Serge E. Hallyn
2017-11-09 18:27 ` chris hyser
2017-11-06 23:17 ` Boris Lukashev
2017-11-06 23:39 ` Serge E. Hallyn [this message]
2017-11-07 0:01 ` Boris Lukashev
[not found] ` <CAFUG7CcW077LHcQEqk7qy7iVvmi-3J8psD1Kwj45XvHThiZC6w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-07 3:28 ` [kernel-hardening] " Serge E. Hallyn
[not found] ` <20171107032802.GA6669-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-08 11:09 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-08 19:02 ` Christian Brauner
[not found] ` <20171108190223.vdkyepcaegmub6le-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-11-09 0:55 ` Mahesh Bandewar (महेश बंडेवार)
[not found] ` <CAF2d9jjed4Q7QvCD9Kpaa7L-Ngg3XFbJvt0jNVUUwt=52wDjjw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-09 3:21 ` Serge E. Hallyn
2017-11-09 7:13 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 7:18 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 16:14 ` Serge E. Hallyn
[not found] ` <CAF2d9jgs5MYn1dMT2mbhF=6UB2Hoo5kwmJhXuE6memBfWzkWXQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-09 21:58 ` [kernel-hardening] " Eric W. Biederman
[not found] ` <871sl7dsh8.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-11-10 4:30 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-10 4:46 ` Serge E. Hallyn
[not found] ` <20171110044645.GA3694-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-10 5:28 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 17:25 ` Serge E. Hallyn
2017-11-10 1:49 ` Mahesh Bandewar (महेश बंडेवार)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106233913.GA1518@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=blukashev@sempervictus.com \
--cc=danielmicay@gmail.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mahesh@bandewar.net \
--cc=maheshb@google.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).