From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk (man-pages)"
Cc: Linux Containers, Andy Lutomirski, Jann Horn, Kees Cook, Nikolay Borisov, "Serge E. Hallyn", Seth Forshee, linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
References: <8737n5dscy.fsf@x220.int.ebiederm.org> <87d1m754jc.fsf@x220.int.ebiederm.org> <6be70177-a81d-7ed8-d2c9-a596d4d6a165@gmail.com>
Date: Tue, 26 Jul 2016 10:06:59 -0500
In-Reply-To: <6be70177-a81d-7ed8-d2c9-a596d4d6a165@gmail.com> (Michael Kerrisk's message of "Tue, 26 Jul 2016 12:30:10 +0200")
Message-ID: <87shuwtp4c.fsf@x220.int.ebiederm.org>
Subject: Re: [PATCH v2 00/10] userns: sysctl limits for namespaces
X-Mailing-List: linux-kernel@vger.kernel.org

"Michael Kerrisk (man-pages)" writes:

> Hello Eric,
>
> I realized I had a question after the last mail.
>
> On 07/21/2016 06:39 PM, Eric W. Biederman wrote:
>>
>> This patchset addresses two use cases:
>> - Implement a sane upper bound on the number of namespaces.
>> - Provide a way for sandboxes to limit the attack surface from
>>   namespaces.
>
> Can you say more about the second point? What exactly is the
> problem that is being addressed, and how does the patch series
> address it? (It would be good to have those details in the
> revised commit message...)

At some point it was reported that seccomp was not sufficient to disable
namespace creation. I need to go back and look at that claim to see
which set of circumstances that was referring to.
Seccomp doesn't stack so I can see why it is an issue.

The general problem is that namespaces by their nature (and especially
in combination with the user namespaces) allow unprivileged users to use
more of the kernel than a user would have access to without them. This
in turn allows malicious users more kernel calls they can use in an
attempt to find an exploitable bug.

So if you are building a sandbox/chroot jail/chromium tab or anything
like that and you know you won't be needing a kernel feature, having an
easy way to disable the feature is useful for making the kernel
marginally more secure, as certain attack vectors are no longer
possible.

Eric