Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

public inbox for netdev@vger.kernel.org 
 help / color / mirror / Atom feed

From: Christian Brauner <christian.brauner@canonical•com>
To: "Mahesh Bandewar (महेश बंडेवार)" <maheshb@google•com>
Cc: "Serge E. Hallyn" <serge@hallyn•com>,
	Boris Lukashev <blukashev@sempervictus•com>,
	Daniel Micay <danielmicay@gmail•com>,
	Mahesh Bandewar <mahesh@bandewar•net>,
	LKML <linux-kernel@vger•kernel.org>,
	Netdev <netdev@vger•kernel.org>,
	Kernel-hardening <kernel-hardening@lists•openwall.com>,
	Linux API <linux-api@vger•kernel.org>,
	Kees Cook <keescook@chromium•org>,
	"Eric W . Biederman" <ebiederm@xmission•com>,
	Eric Dumazet <edumazet@google•com>,
	David Miller <davem@davemloft•net>
Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces
Date: Wed, 8 Nov 2017 20:02:25 +0100	[thread overview]
Message-ID: <20171108190223.vdkyepcaegmub6le@gmail.com> (raw)
In-Reply-To: <CAF2d9jiwu3Ss7Dtem8qSptKgMc0Mc_o8MAAJkWM5CwJaFsbrcg@mail.gmail.com>

On Wed, Nov 08, 2017 at 03:09:59AM -0800, Mahesh Bandewar (महेश बंडेवार) wrote:
> Sorry folks I was traveling and seems like lot happened on this thread. :p
> 
> I will try to response few of these comments selectively -
> 
> > The thing that makes me hesitate with this set is that it is a
> > permanent new feature to address what (I hope) is a temporary
> > problem.
> I agree this is permanent new feature but it's not solving a temporary
> problem. It's impossible to assess what and when new vulnerability
> that could show up. I think Daniel summed it up appropriately in his
> response
> 
> > Seems like there are two naive ways to do it, the first being to just
> > look at all code under ns_capable() plus code called from there.  It
> > seems like looking at the result of that could be fruitful.
> This is really hard. The main issue that there were features designed
> and developed before user-ns days with an assumption that unprivileged
> users will never get certain capabilities which only root user gets.
> Now that is not true anymore with user-ns creation with mapping root
> for any process. Also at the same time blocking user-ns creation for
> eveyone is a big-hammer which is not needed too. So it's not that easy
> to just perform a code-walk-though and correct those decisions now.
> 
> > It seems to me that the existing control in
> > /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape
> > in that case.
> This solution is essentially blocking unprivileged users from using
> the user-namespaces entirely. This is not really a solution that can
> work. The solution that this patch-set adds allows unprivileged users
> to create user-namespaces. Actually the proposed solution is more
> fine-grained approach than the unprivileged_userns_clone solution
> since you can selectively block capabilities rather than completely
> blocking the functionality.

I've been talking to Stéphane today about this and we should also keep in mind
that we have:

chb@conventiont|~
> ls -al /proc/sys/user/
total 0
dr-xr-xr-x 1 root root 0 Nov  6 23:32 .
dr-xr-xr-x 1 root root 0 Nov  2 22:13 ..
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_cgroup_namespaces
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_inotify_instances
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_inotify_watches
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_ipc_namespaces
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_mnt_namespaces
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_net_namespaces
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_pid_namespaces
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_user_namespaces
-rw-r--r-- 1 root root 0 Nov  8 19:48 max_uts_namespaces

These files allow you to limit the number of namespaces that can be created
*per namespace* type. So let's say your system runs a bunch of user namespaces
you can do:

chb@conventiont|~
> echo 0 > /proc/sys/user/max_user_namespaces

So that the next time you try to create a user namespaces you'd see:

chb@conventiont|~
> unshare -U
unshare: unshare failed: No space left on device

So there's not even a need to upstream a new sysctl since we have ways of
blocking this.

Also I'd like to point out that a lot of capability checks and actual security
vulnerabilities are associated with CAP_SYS_ADMIN. So what you likely want to do
is block CAP_SYS_ADMIN in user namespaces but at this point they become
basically useless for a lot of interesting use cases. In addition, this patch
would add another layer of complexity that is - imho - not really warranted
given what we already have. The relationship between capabilities and user
namespaces should stay as simply as possible so that it stays maintaineable.
User namespaces already introduce a proper layer of complexity.
Just my two cents. I might be totally off here of course.

Christian

next prev parent reply	other threads:[~2017-11-08 19:02 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-03  0:44 [PATCH resend 2/2] userns: control capabilities of some user namespaces Mahesh Bandewar
     [not found] ` <20171103004436.40026-1-mahesh-bmGAjcP2qsnk1uMJSBkQmQ@public.gmane.org>
2017-11-04 23:53   ` Serge E. Hallyn
     [not found]     ` <20171104235346.GA17170-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-06  7:23       ` Mahesh Bandewar (महेश बंडेवार)
2017-11-06 15:03         ` Serge E. Hallyn
     [not found]           ` <20171106150302.GA26634-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-06 21:33             ` [kernel-hardening] " Daniel Micay
     [not found]               ` <1510003994.736.0.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-11-06 22:14                 ` Serge E. Hallyn
     [not found]                   ` <20171106221418.GA32543-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-06 22:42                     ` Christian Brauner
2017-11-07  2:16                     ` Daniel Micay
     [not found]                       ` <1510020963.736.42.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-11-07  3:23                         ` Serge E. Hallyn
2017-11-09 18:01                           ` chris hyser
     [not found]                             ` <da764cbf-7522-06a0-6c21-adfa3eaac9c2-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2017-11-09 18:05                               ` Serge E. Hallyn
2017-11-09 18:27                                 ` chris hyser
2017-11-06 23:17                   ` Boris Lukashev
2017-11-06 23:39                     ` Serge E. Hallyn
2017-11-07  0:01                       ` Boris Lukashev
     [not found]                         ` <CAFUG7CcW077LHcQEqk7qy7iVvmi-3J8psD1Kwj45XvHThiZC6w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-07  3:28                           ` [kernel-hardening] " Serge E. Hallyn
     [not found]                             ` <20171107032802.GA6669-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-08 11:09                               ` Mahesh Bandewar (महेश बंडेवार)
2017-11-08 19:02                                 ` Christian Brauner [this message]
     [not found]                                   ` <20171108190223.vdkyepcaegmub6le-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-11-09  0:55                                     ` Mahesh Bandewar (महेश बंडेवार)
     [not found]                                       ` <CAF2d9jjed4Q7QvCD9Kpaa7L-Ngg3XFbJvt0jNVUUwt=52wDjjw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-09  3:21                                         ` Serge E. Hallyn
2017-11-09  7:13                                           ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09  7:18                                           ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 16:14                                             ` Serge E. Hallyn
     [not found]                                             ` <CAF2d9jgs5MYn1dMT2mbhF=6UB2Hoo5kwmJhXuE6memBfWzkWXQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-09 21:58                                               ` [kernel-hardening] " Eric W. Biederman
     [not found]                                                 ` <871sl7dsh8.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-11-10  4:30                                                   ` Mahesh Bandewar (महेश बंडेवार)
2017-11-10  4:46                                                   ` Serge E. Hallyn
     [not found]                                                     ` <20171110044645.GA3694-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-11-10  5:28                                                       ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 17:25 ` Serge E. Hallyn
2017-11-10  1:49   ` Mahesh Bandewar (महेश बंडेवार)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171108190223.vdkyepcaegmub6le@gmail.com \
    --to=christian.brauner@canonical$(echo .)com \
    --cc=blukashev@sempervictus$(echo .)com \
    --cc=danielmicay@gmail$(echo .)com \
    --cc=davem@davemloft$(echo .)net \
    --cc=ebiederm@xmission$(echo .)com \
    --cc=edumazet@google$(echo .)com \
    --cc=keescook@chromium$(echo .)org \
    --cc=kernel-hardening@lists$(echo .)openwall.com \
    --cc=linux-api@vger$(echo .)kernel.org \
    --cc=linux-kernel@vger$(echo .)kernel.org \
    --cc=mahesh@bandewar$(echo .)net \
    --cc=maheshb@google$(echo .)com \
    --cc=netdev@vger$(echo .)kernel.org \
    --cc=serge@hallyn$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox