From: "Mahesh Bandewar (महेश बंडेवार)" <maheshb@google.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Mahesh Bandewar <mahesh@bandewar.net>,
LKML <linux-kernel@vger.kernel.org>,
James Morris <james.l.morris@oracle.com>,
Netdev <netdev@vger.kernel.org>,
Kernel-hardening <kernel-hardening@lists.openwall.com>,
Linux API <linux-api@vger.kernel.org>,
Linux Security <linux-security-module@vger.kernel.org>,
Serge Hallyn <serge@hallyn.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Kees Cook <keescook@chromium.org>,
Eric Dumazet <edumazet@google.com>,
David Miller <davem@davemloft.net>
Subject: Re: [PATCHv4 0/2] capability controlled user-namespaces
Date: Wed, 3 Jan 2018 21:53:45 -0800 [thread overview]
Message-ID: <CAF2d9jhB56O6dGVokRtU46sbvJk4891Oa6A86okWbWptcG=pMg@mail.gmail.com> (raw)
In-Reply-To: <87po6qzycp.fsf@xmission.com>
On Wed, Jan 3, 2018 at 8:44 AM, Eric W. Biederman <ebiederm@xmission.com> wrote:
> Mahesh Bandewar <mahesh@bandewar.net> writes:
>
>> From: Mahesh Bandewar <maheshb@google.com>
>>
>> TL;DR version
>> -------------
>> Creating a sandbox environment with namespaces is challenging
>> considering what these sandboxed processes can engage into. e.g.
>> CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name few.
>> Current form of user-namespaces, however, if changed a bit can allow
>> us to create a sandbox environment without locking down user-
>> namespaces.
>
> In other conversations it appears it has been pointed out that user
> namespaces are not necessarily safe under no_new_privs. In theory
> user namespaces should be safe but in practice not so much.
>
> So let me ask. Would your concerns be addressed if we simply made
> creation and joining of user namespaces impossible in a no_new_privs
> sandbox?
>
Isn't this another form of locking down user-ns similar to setting per
user-ns sysctl max_userns = 0?
Having said that, not allowing processes to create and/or attach
user-namespaces is going to be problematic and possibly a regression.
This (current) patchset doesn't do that. It allows users to create
user-ns's of any depth and number permitted by per-ns max_userns
sysctl. However one can decide what to take-off and what to leave in
terms of capabilities for the sandbox environment.
--mahesh..
> Eric
>
[...]
WARNING: multiple messages have this Message-ID (diff)
From: "Mahesh Bandewar (महेश बंडेवार)" <maheshb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Mahesh Bandewar <mahesh-bmGAjcP2qsnk1uMJSBkQmQ@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
James Morris
<james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Netdev <netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Kernel-hardening
<kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Security
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Serge Hallyn <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
Michael Kerrisk
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Eric Dumazet <edumazet-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Subject: Re: [PATCHv4 0/2] capability controlled user-namespaces
Date: Wed, 3 Jan 2018 21:53:45 -0800 [thread overview]
Message-ID: <CAF2d9jhB56O6dGVokRtU46sbvJk4891Oa6A86okWbWptcG=pMg@mail.gmail.com> (raw)
In-Reply-To: <87po6qzycp.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
On Wed, Jan 3, 2018 at 8:44 AM, Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
> Mahesh Bandewar <mahesh-bmGAjcP2qsnk1uMJSBkQmQ@public.gmane.org> writes:
>
>> From: Mahesh Bandewar <maheshb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
>>
>> TL;DR version
>> -------------
>> Creating a sandbox environment with namespaces is challenging
>> considering what these sandboxed processes can engage into. e.g.
>> CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name few.
>> Current form of user-namespaces, however, if changed a bit can allow
>> us to create a sandbox environment without locking down user-
>> namespaces.
>
> In other conversations it appears it has been pointed out that user
> namespaces are not necessarily safe under no_new_privs. In theory
> user namespaces should be safe but in practice not so much.
>
> So let me ask. Would your concerns be addressed if we simply made
> creation and joining of user namespaces impossible in a no_new_privs
> sandbox?
>
Isn't this another form of locking down user-ns similar to setting per
user-ns sysctl max_userns = 0?
Having said that, not allowing processes to create and/or attach
user-namespaces is going to be problematic and possibly a regression.
This (current) patchset doesn't do that. It allows users to create
user-ns's of any depth and number permitted by per-ns max_userns
sysctl. However one can decide what to take-off and what to leave in
terms of capabilities for the sandbox environment.
--mahesh..
> Eric
>
[...]
WARNING: multiple messages have this Message-ID (diff)
From: maheshb@google.com (Mahesh Bandewar (महेश बंडेवार))
To: linux-security-module@vger.kernel.org
Subject: [PATCHv4 0/2] capability controlled user-namespaces
Date: Wed, 3 Jan 2018 21:53:45 -0800 [thread overview]
Message-ID: <CAF2d9jhB56O6dGVokRtU46sbvJk4891Oa6A86okWbWptcG=pMg@mail.gmail.com> (raw)
In-Reply-To: <87po6qzycp.fsf@xmission.com>
On Wed, Jan 3, 2018 at 8:44 AM, Eric W. Biederman <ebiederm@xmission.com> wrote:
> Mahesh Bandewar <mahesh@bandewar.net> writes:
>
>> From: Mahesh Bandewar <maheshb@google.com>
>>
>> TL;DR version
>> -------------
>> Creating a sandbox environment with namespaces is challenging
>> considering what these sandboxed processes can engage into. e.g.
>> CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name few.
>> Current form of user-namespaces, however, if changed a bit can allow
>> us to create a sandbox environment without locking down user-
>> namespaces.
>
> In other conversations it appears it has been pointed out that user
> namespaces are not necessarily safe under no_new_privs. In theory
> user namespaces should be safe but in practice not so much.
>
> So let me ask. Would your concerns be addressed if we simply made
> creation and joining of user namespaces impossible in a no_new_privs
> sandbox?
>
Isn't this another form of locking down user-ns similar to setting per
user-ns sysctl max_userns = 0?
Having said that, not allowing processes to create and/or attach
user-namespaces is going to be problematic and possibly a regression.
This (current) patchset doesn't do that. It allows users to create
user-ns's of any depth and number permitted by per-ns max_userns
sysctl. However one can decide what to take-off and what to leave in
terms of capabilities for the sandbox environment.
--mahesh..
> Eric
>
[...]
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: "Mahesh Bandewar (महेश बंडेवार)" <maheshb@google.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Mahesh Bandewar <mahesh@bandewar.net>,
LKML <linux-kernel@vger.kernel.org>,
James Morris <james.l.morris@oracle.com>,
Netdev <netdev@vger.kernel.org>,
Kernel-hardening <kernel-hardening@lists.openwall.com>,
Linux API <linux-api@vger.kernel.org>,
Linux Security <linux-security-module@vger.kernel.org>,
Serge Hallyn <serge@hallyn.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Kees Cook <keescook@chromium.org>,
Eric Dumazet <edumazet@google.com>,
David Miller <davem@davemloft.net>
Subject: [kernel-hardening] Re: [PATCHv4 0/2] capability controlled user-namespaces
Date: Wed, 3 Jan 2018 21:53:45 -0800 [thread overview]
Message-ID: <CAF2d9jhB56O6dGVokRtU46sbvJk4891Oa6A86okWbWptcG=pMg@mail.gmail.com> (raw)
In-Reply-To: <87po6qzycp.fsf@xmission.com>
On Wed, Jan 3, 2018 at 8:44 AM, Eric W. Biederman <ebiederm@xmission.com> wrote:
> Mahesh Bandewar <mahesh@bandewar.net> writes:
>
>> From: Mahesh Bandewar <maheshb@google.com>
>>
>> TL;DR version
>> -------------
>> Creating a sandbox environment with namespaces is challenging
>> considering what these sandboxed processes can engage into. e.g.
>> CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name few.
>> Current form of user-namespaces, however, if changed a bit can allow
>> us to create a sandbox environment without locking down user-
>> namespaces.
>
> In other conversations it appears it has been pointed out that user
> namespaces are not necessarily safe under no_new_privs. In theory
> user namespaces should be safe but in practice not so much.
>
> So let me ask. Would your concerns be addressed if we simply made
> creation and joining of user namespaces impossible in a no_new_privs
> sandbox?
>
Isn't this another form of locking down user-ns similar to setting per
user-ns sysctl max_userns = 0?
Having said that, not allowing processes to create and/or attach
user-namespaces is going to be problematic and possibly a regression.
This (current) patchset doesn't do that. It allows users to create
user-ns's of any depth and number permitted by per-ns max_userns
sysctl. However one can decide what to take-off and what to leave in
terms of capabilities for the sandbox environment.
--mahesh..
> Eric
>
[...]
next prev parent reply other threads:[~2018-01-04 5:54 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-03 7:26 [PATCHv4 0/2] capability controlled user-namespaces Mahesh Bandewar
2018-01-03 7:26 ` [kernel-hardening] " Mahesh Bandewar
2018-01-03 7:26 ` Mahesh Bandewar
2018-01-03 16:44 ` Eric W. Biederman
2018-01-03 16:44 ` [kernel-hardening] " Eric W. Biederman
2018-01-03 16:44 ` Eric W. Biederman
2018-01-04 5:53 ` Mahesh Bandewar (महेश बंडेवार) [this message]
2018-01-04 5:53 ` [kernel-hardening] " Mahesh Bandewar (महेश बंडेवार)
2018-01-04 5:53 ` Mahesh Bandewar (महेश बंडेवार)
2018-01-04 5:53 ` Mahesh Bandewar (महेश बंडेवार)
[not found] ` <CAF2d9jjPiXX2Rf5QTvMKPdym5cqZBpTSP1Z21xzyjNcpaD=fGg@mail.gmail.com>
[not found] ` <20180205144015.GA12118@mail.hallyn.com>
[not found] ` <CANn89iL3y7aEqgUYP8Qq5NbJiYcPKMFCOWedhgOrO5cgy5c7vA@mail.gmail.com>
[not found] ` <alpine.LRH.2.21.1803090901100.20664@namei.org>
2018-03-08 22:52 ` Eric W. Biederman
2018-03-08 23:22 ` Mahesh Bandewar (महेश बंडेवार)
2018-03-08 23:46 ` Eric W. Biederman
2018-03-09 5:19 ` Mahesh Bandewar (महेश बंडेवार)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAF2d9jhB56O6dGVokRtU46sbvJk4891Oa6A86okWbWptcG=pMg@mail.gmail.com' \
--to=maheshb@google.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mahesh@bandewar.net \
--cc=mtk.manpages@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.