From: "Mahesh Bandewar (महेश बंडेवार)" <maheshb@google.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Mahesh Bandewar <mahesh@bandewar.net>,
LKML <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>,
Kernel-hardening <kernel-hardening@lists.openwall.com>,
Linux API <linux-api@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Eric Dumazet <edumazet@google.com>,
David Miller <davem@davemloft.net>
Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist
Date: Fri, 10 Nov 2017 12:43:47 +0900 [thread overview]
Message-ID: <CAF2d9jg__SpwvqwYuiXC2d-WxC2C3wq-o-66=K5+ze+BMFPkdQ@mail.gmail.com> (raw)
In-Reply-To: <20171109173037.GC26229@mail.hallyn.com>
On Fri, Nov 10, 2017 at 2:30 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> Quoting Mahesh Bandewar (mahesh@bandewar.net):
>> From: Mahesh Bandewar <maheshb@google.com>
>>
>> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
>
> I understand the arguments in favor of whitelists in most cases for
> security purposes. But given that you've said the goal here is to
> prevent use of a capability in a user namespace when a CVE has been
> found, a whitelist seems the wrong choice, since
>
> 1. it means that an attacker may through some other means be able
> to add a capability back into the whitelist when you specifically
> wanted to drop it. With a blacklist, you could say "once a cap has
> been dropped it can never be re-added without rebooting".
> 2. it means by default all capabilities will be denied once the
> switch is pulled which is specifically not what you want in this
> case.
> 3. the admin can't just say "drop CAP_NET_ADMIN", but needs to
> know to echo ~CAP_NET_ADMIN.
>
> Why not make it a blacklist, and once a cap is dropped it can
> never be re-added?
>
Well, I'm not going to deny that blacklist approach would work equally
well but code becomes little simpler when you use the whitelist
approach. especially less complicated when a new capability needs to
be added (not that we add capabilities very often) but that would be
something one would have to pay attention to. However with this
approach I can just the CAP_FULL_SET which is readily available.
Having said that I specifically don't have strong preference in this
regard (whitelist vs. blacklist).
> -serge
WARNING: multiple messages have this Message-ID (diff)
From: "Mahesh Bandewar (महेश बंडेवार)" <maheshb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
To: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Cc: Mahesh Bandewar <mahesh-bmGAjcP2qsnk1uMJSBkQmQ@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Netdev <netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Kernel-hardening
<kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
"Eric W . Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Eric Dumazet <edumazet-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist
Date: Fri, 10 Nov 2017 12:43:47 +0900 [thread overview]
Message-ID: <CAF2d9jg__SpwvqwYuiXC2d-WxC2C3wq-o-66=K5+ze+BMFPkdQ@mail.gmail.com> (raw)
In-Reply-To: <20171109173037.GC26229-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
On Fri, Nov 10, 2017 at 2:30 AM, Serge E. Hallyn <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> wrote:
> Quoting Mahesh Bandewar (mahesh-bmGAjcP2qsnk1uMJSBkQmQ@public.gmane.org):
>> From: Mahesh Bandewar <maheshb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
>>
>> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
>
> I understand the arguments in favor of whitelists in most cases for
> security purposes. But given that you've said the goal here is to
> prevent use of a capability in a user namespace when a CVE has been
> found, a whitelist seems the wrong choice, since
>
> 1. it means that an attacker may through some other means be able
> to add a capability back into the whitelist when you specifically
> wanted to drop it. With a blacklist, you could say "once a cap has
> been dropped it can never be re-added without rebooting".
> 2. it means by default all capabilities will be denied once the
> switch is pulled which is specifically not what you want in this
> case.
> 3. the admin can't just say "drop CAP_NET_ADMIN", but needs to
> know to echo ~CAP_NET_ADMIN.
>
> Why not make it a blacklist, and once a cap is dropped it can
> never be re-added?
>
Well, I'm not going to deny that blacklist approach would work equally
well but code becomes little simpler when you use the whitelist
approach. especially less complicated when a new capability needs to
be added (not that we add capabilities very often) but that would be
something one would have to pay attention to. However with this
approach I can just the CAP_FULL_SET which is readily available.
Having said that I specifically don't have strong preference in this
regard (whitelist vs. blacklist).
> -serge
WARNING: multiple messages have this Message-ID (diff)
From: "Mahesh Bandewar (महेश बंडेवार)" <maheshb@google.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Mahesh Bandewar <mahesh@bandewar.net>,
LKML <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>,
Kernel-hardening <kernel-hardening@lists.openwall.com>,
Linux API <linux-api@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Eric Dumazet <edumazet@google.com>,
David Miller <davem@davemloft.net>
Subject: [kernel-hardening] Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist
Date: Fri, 10 Nov 2017 12:43:47 +0900 [thread overview]
Message-ID: <CAF2d9jg__SpwvqwYuiXC2d-WxC2C3wq-o-66=K5+ze+BMFPkdQ@mail.gmail.com> (raw)
In-Reply-To: <20171109173037.GC26229@mail.hallyn.com>
On Fri, Nov 10, 2017 at 2:30 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> Quoting Mahesh Bandewar (mahesh@bandewar.net):
>> From: Mahesh Bandewar <maheshb@google.com>
>>
>> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
>
> I understand the arguments in favor of whitelists in most cases for
> security purposes. But given that you've said the goal here is to
> prevent use of a capability in a user namespace when a CVE has been
> found, a whitelist seems the wrong choice, since
>
> 1. it means that an attacker may through some other means be able
> to add a capability back into the whitelist when you specifically
> wanted to drop it. With a blacklist, you could say "once a cap has
> been dropped it can never be re-added without rebooting".
> 2. it means by default all capabilities will be denied once the
> switch is pulled which is specifically not what you want in this
> case.
> 3. the admin can't just say "drop CAP_NET_ADMIN", but needs to
> know to echo ~CAP_NET_ADMIN.
>
> Why not make it a blacklist, and once a cap is dropped it can
> never be re-added?
>
Well, I'm not going to deny that blacklist approach would work equally
well but code becomes little simpler when you use the whitelist
approach. especially less complicated when a new capability needs to
be added (not that we add capabilities very often) but that would be
something one would have to pay attention to. However with this
approach I can just the CAP_FULL_SET which is readily available.
Having said that I specifically don't have strong preference in this
regard (whitelist vs. blacklist).
> -serge
next prev parent reply other threads:[~2017-11-10 3:44 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-03 0:44 [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist Mahesh Bandewar
2017-11-03 0:44 ` [kernel-hardening] " Mahesh Bandewar
2017-11-09 17:22 ` Serge E. Hallyn
2017-11-09 17:22 ` [kernel-hardening] " Serge E. Hallyn
2017-11-10 3:31 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-10 3:31 ` [kernel-hardening] " Mahesh Bandewar (महेश बंडेवार)
2017-11-10 4:30 ` Serge E. Hallyn
2017-11-10 4:30 ` [kernel-hardening] " Serge E. Hallyn
2017-11-10 4:30 ` Serge E. Hallyn
2017-11-10 5:05 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-10 5:05 ` [kernel-hardening] " Mahesh Bandewar (महेश बंडेवार)
2017-11-10 5:05 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-09 17:30 ` Serge E. Hallyn
2017-11-09 17:30 ` [kernel-hardening] " Serge E. Hallyn
2017-11-10 3:43 ` Mahesh Bandewar (महेश बंडेवार) [this message]
2017-11-10 3:43 ` Mahesh Bandewar (महेश बंडेवार)
2017-11-10 3:43 ` Mahesh Bandewar (महेश बंडेवार)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAF2d9jg__SpwvqwYuiXC2d-WxC2C3wq-o-66=K5+ze+BMFPkdQ@mail.gmail.com' \
--to=maheshb@google.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mahesh@bandewar.net \
--cc=netdev@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.