From: "Serge E. Hallyn" <serge@hallyn.com>
To: Mahesh Bandewar <mahesh@bandewar.net>
Cc: LKML <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>,
Kernel-hardening <kernel-hardening@lists.openwall.com>,
Linux API <linux-api@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Serge Hallyn <serge@hallyn.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Eric Dumazet <edumazet@google.com>,
David Miller <davem@davemloft.net>,
Mahesh Bandewar <maheshb@google.com>
Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist
Date: Thu, 9 Nov 2017 11:30:37 -0600 [thread overview]
Message-ID: <20171109173037.GC26229@mail.hallyn.com> (raw)
In-Reply-To: <20171103004433.39954-1-mahesh@bandewar.net>
Quoting Mahesh Bandewar (mahesh@bandewar.net):
> From: Mahesh Bandewar <maheshb@google.com>
>
> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
I understand the arguments in favor of whitelists in most cases for
security purposes. But given that you've said the goal here is to
prevent use of a capability in a user namespace when a CVE has been
found, a whitelist seems the wrong choice, since
1. it means that an attacker may through some other means be able
to add a capability back into the whitelist when you specifically
wanted to drop it. With a blacklist, you could say "once a cap has
been dropped it can never be re-added without rebooting".
2. it means by default all capabilities will be denied once the
switch is pulled which is specifically not what you want in this
case.
3. the admin can't just say "drop CAP_NET_ADMIN", but needs to
know to echo ~CAP_NET_ADMIN.
Why not make it a blacklist, and once a cap is dropped it can
never be re-added?
-serge
next prev parent reply other threads:[~2017-11-09 17:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-03 0:44 [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist Mahesh Bandewar
2017-11-09 17:22 ` Serge E. Hallyn
2017-11-10 3:31 ` Mahesh Bandewar (महेश बंडेवार)
[not found] ` <CAF2d9jhCbZA2J1WCc5MNUssiNSNeP5J8i9VNUETKBGhM4X4t8Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-10 4:30 ` Serge E. Hallyn
[not found] ` <20171110043010.GA3572-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-10 5:05 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 17:30 ` Serge E. Hallyn [this message]
[not found] ` <20171109173037.GC26229-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-10 3:43 ` Mahesh Bandewar (महेश बंडेवार)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171109173037.GC26229@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mahesh@bandewar.net \
--cc=maheshb@google.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).