From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934552AbdK2R24 (ORCPT ); Wed, 29 Nov 2017 12:28:56 -0500
Received: from h2.hallyn.com ([78.46.35.8]:42548 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932138AbdK2R2x (ORCPT ); Wed, 29 Nov 2017 12:28:53 -0500
Date: Wed, 29 Nov 2017 11:28:52 -0600
From: "Serge E. Hallyn"
To: "Theodore Ts'o", David Miller, gnomes@lxorguk.ukuu.org.uk, keescook@chromium.org, mcgrof@kernel.org, tixxdz@gmail.com, luto@kernel.org, akpm@linux-foundation.org, james.l.morris@oracle.com, ben.hutchings@codethink.co.uk, solar@openwall.com, serge@hallyn.com, jeyu@kernel.org, rusty@rustcorp.com.au, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com, corbet@lwn.net, mingo@kernel.org, netdev@vger.kernel.org, peterz@infradead.org, torvalds@linux-foundation.org
Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()
Message-ID: <20171129172852.GA14545@mail.hallyn.com>
References: <20171128211659.GP729@wotan.suse.de> <20171129134612.72ccb53d@alans-desktop> <20171129.095014.1909386937628805919.davem@davemloft.net> <20171129155406.i2lyclquj75lvtn4@thunk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171129155406.i2lyclquj75lvtn4@thunk.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Theodore Ts'o (tytso@mit.edu):
> Half the problem here is that with containers, people are changing the
> security model, because they want to let untrusted users have "root",
> without really having "root". Part of the fundamental problem is that
> there are some well-meaning, but fundamentally misguided people, who
> have been asserting: "Containers are just as secure as VM's".
>
> Well, they are not. And the sooner people get past this, the better
> off they'll be....

Just to be clear, module loading requires - and must always continue to
require - CAP_SYS_MODULE against the initial user namespace. Containers
in user namespaces do not have that. I don't believe anyone has ever
claimed that containers which are not in a user namespace are in any way
secure.

(And as for the other claim, I'd prefer to stick to "VMs are in most
cases as insecure as properly configured containers" :)

-serge
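A small audit helper illustrating Serge's point, added here as an example and not part of the mail or of the patch series: the CapEff mask in /proc/<pid>/status is not enough on its own, because "root" inside a user namespace shows a full mask, so the check must also confirm the process sits in the initial user namespace (same namespace inode as PID 1). The sample status text and inode numbers are constructed; the live variant reads the real /proc files and is an assumption about how a defender would wire it up.

```python
"""Added example: can this process really load kernel modules?
The kernel requires CAP_SYS_MODULE against the *initial* user namespace,
so a capability mask alone is misleading: a process that is "root" inside a
container's user namespace typically shows a full CapEff mask even though
none of those bits apply to the initial namespace."""
import os
import re

CAP_SYS_MODULE = 16  # bit index from linux/capability.h


def cap_eff_mask(status_text: str) -> int:
    """Parse the CapEff line of a /proc/<pid>/status blob into an int."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(mask: int, cap: int) -> bool:
    """True if bit <cap> is set in the capability mask."""
    return bool(mask & (1 << cap))


def can_load_modules(status_text: str, proc_userns_inode: int,
                     init_userns_inode: int) -> bool:
    """True only if CAP_SYS_MODULE is effective AND the process's user
    namespace is the initial one (its inode equals PID 1's)."""
    return (has_cap(cap_eff_mask(status_text), CAP_SYS_MODULE)
            and proc_userns_inode == init_userns_inode)


def can_load_modules_live(pid: int = 0) -> bool:
    """Live variant (assumption: Linux, permission to stat /proc/1/ns/user).
    Not exercised by the constructed samples below."""
    pid = pid or os.getpid()
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    return can_load_modules(status,
                            os.stat(f"/proc/{pid}/ns/user").st_ino,
                            os.stat("/proc/1/ns/user").st_ino)


# Constructed samples: a container "root" shows the full mask but lives in a
# different user namespace than init; host root shares init's namespace.
CONTAINER_STATUS = "Name:\tbash\nCapEff:\t0000003fffffffff\n"
HOST_STATUS = "Name:\tbash\nCapEff:\t0000003fffffffff\n"
UNPRIV_STATUS = "Name:\tbash\nCapEff:\t0000000000000000\n"
INIT_USERNS, CONTAINER_USERNS = 4026531837, 4026532201  # constructed inodes
```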