From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753272AbdKIRal (ORCPT ); Thu, 9 Nov 2017 12:30:41 -0500 Received: from h2.hallyn.com ([78.46.35.8]:49690 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752459AbdKIRai (ORCPT ); Thu, 9 Nov 2017 12:30:38 -0500 Date: Thu, 9 Nov 2017 11:30:37 -0600 From: "Serge E. Hallyn" To: Mahesh Bandewar Cc: LKML , Netdev , Kernel-hardening , Linux API , Kees Cook , Serge Hallyn , "Eric W . Biederman" , Eric Dumazet , David Miller , Mahesh Bandewar Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist Message-ID: <20171109173037.GC26229@mail.hallyn.com> References: <20171103004433.39954-1-mahesh@bandewar.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171103004433.39954-1-mahesh@bandewar.net> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Mahesh Bandewar (mahesh@bandewar.net): > From: Mahesh Bandewar > > Add a sysctl variable kernel.controlled_userns_caps_whitelist. This I understand the arguments in favor of whitelists in most cases for security purposes. But given that you've said the goal here is to prevent use of a capability in a user namespace when a CVE has been found, a whitelist seems the wrong choice, since 1. it means that an attacker may through some other means be able to add a capability back into the whitelist when you specifically wanted to drop it. With a blacklist, you could say "once a cap has been dropped it can never be re-added without rebooting". 2. it means by default all capabilities will be denied once the switch is pulled which is specifically not what you want in this case. 3. the admin can't just say "drop CAP_NET_ADMIN", but needs to know to echo ~CAP_NET_ADMIN. Why not make it a blacklist, and once a cap is dropped it can never be re-added? -serge From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Thu, 9 Nov 2017 11:30:37 -0600 From: "Serge E. Hallyn" Message-ID: <20171109173037.GC26229@mail.hallyn.com> References: <20171103004433.39954-1-mahesh@bandewar.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171103004433.39954-1-mahesh@bandewar.net> Subject: [kernel-hardening] Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist To: Mahesh Bandewar Cc: LKML , Netdev , Kernel-hardening , Linux API , Kees Cook , Serge Hallyn , "Eric W . Biederman" , Eric Dumazet , David Miller , Mahesh Bandewar List-ID: Quoting Mahesh Bandewar (mahesh@bandewar.net): > From: Mahesh Bandewar > > Add a sysctl variable kernel.controlled_userns_caps_whitelist. This I understand the arguments in favor of whitelists in most cases for security purposes. But given that you've said the goal here is to prevent use of a capability in a user namespace when a CVE has been found, a whitelist seems the wrong choice, since 1. it means that an attacker may through some other means be able to add a capability back into the whitelist when you specifically wanted to drop it. With a blacklist, you could say "once a cap has been dropped it can never be re-added without rebooting". 2. it means by default all capabilities will be denied once the switch is pulled which is specifically not what you want in this case. 3. the admin can't just say "drop CAP_NET_ADMIN", but needs to know to echo ~CAP_NET_ADMIN. Why not make it a blacklist, and once a cap is dropped it can never be re-added? -serge