From: Andy Lutomirski <luto@amacapital.net> To: "Eric W. Biederman" <ebiederm@xmission.com> Cc: "Kees Cook" <keescook@chromium.org>, "Andrew Morton" <akpm@linux-foundation.org>, "Al Viro" <viro@zeniv.linux.org.uk>, "Richard Weinberger" <richard@nod.at>, "Robert Święcki" <robert@swiecki.net>, "Dmitry Vyukov" <dvyukov@google.com>, "David Howells" <dhowells@redhat.com>, "Miklos Szeredi" <mszeredi@suse.cz>, "Kostya Serebryany" <kcc@google.com>, "Alexander Potapenko" <glider@google.com>, "Eric Dumazet" <edumazet@google.com>, "Sasha Levin" <sasha.levin@oracle.com>, "linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, "kernel-hardening@lists.openwall.com" <kernel-hardening@lists.openwall.com> Subject: Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled Date: Sun, 24 Jan 2016 14:22:19 -0800 [thread overview] Message-ID: <CALCETrWYRvqhyCwx5RX6L3TEYCfW0j6ThFUc+ASL7BpxgO5dEQ@mail.gmail.com> (raw) In-Reply-To: <8737tp0zhr.fsf@x220.int.ebiederm.org> On Fri, Jan 22, 2016 at 7:02 PM, Eric W. Biederman <ebiederm@xmission.com> wrote: > Kees Cook <keescook@chromium.org> writes: > >> There continues to be unexpected side-effects and security exposures >> via CLONE_NEWUSER. For many end-users running distro kernels with >> CONFIG_USER_NS enabled, there is no way to disable this feature when >> desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so >> admins not running containers or Chrome can avoid the risks of this >> feature. > > I don't actually think there do continue to be unexpected side-effects > and security exposures with CLONE_NEWUSER. It takes a while for all of > the fixes to trickle out to distros. At most what I have seen recently > are problems with other kernel interfaces being amplified with user > namespaces. AKA the current mess with devpts, and the unexpected > issues with bind mounts in mount namespaces. > > > So to keep this productive. Please tell me about the threat model > you envision, and how you envision knobs in the kernel being used to > counter those threats. I consider the ability to use CLONE_NEWUSER to acquire CAP_NET_ADMIN over /any/ network namespace and to thus access the network configuration API to be a huge risk. For example, unprivileged users can program iptables. I'll eat my hat if there are no privilege escalations in there. (They can't request module loading, but still.) --Andy
WARNING: multiple messages have this Message-ID (diff)
From: Andy Lutomirski <luto@amacapital.net> To: "Eric W. Biederman" <ebiederm@xmission.com> Cc: "Kees Cook" <keescook@chromium.org>, "Andrew Morton" <akpm@linux-foundation.org>, "Al Viro" <viro@zeniv.linux.org.uk>, "Richard Weinberger" <richard@nod.at>, "Robert Święcki" <robert@swiecki.net>, "Dmitry Vyukov" <dvyukov@google.com>, "David Howells" <dhowells@redhat.com>, "Miklos Szeredi" <mszeredi@suse.cz>, "Kostya Serebryany" <kcc@google.com>, "Alexander Potapenko" <glider@google.com>, "Eric Dumazet" <edumazet@google.com>, "Sasha Levin" <sasha.levin@oracle.com>, "linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, "kernel-hardening@lists.openwall.com" <kernel-hardening@lists.openwall.com> Subject: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled Date: Sun, 24 Jan 2016 14:22:19 -0800 [thread overview] Message-ID: <CALCETrWYRvqhyCwx5RX6L3TEYCfW0j6ThFUc+ASL7BpxgO5dEQ@mail.gmail.com> (raw) In-Reply-To: <8737tp0zhr.fsf@x220.int.ebiederm.org> On Fri, Jan 22, 2016 at 7:02 PM, Eric W. Biederman <ebiederm@xmission.com> wrote: > Kees Cook <keescook@chromium.org> writes: > >> There continues to be unexpected side-effects and security exposures >> via CLONE_NEWUSER. For many end-users running distro kernels with >> CONFIG_USER_NS enabled, there is no way to disable this feature when >> desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so >> admins not running containers or Chrome can avoid the risks of this >> feature. > > I don't actually think there do continue to be unexpected side-effects > and security exposures with CLONE_NEWUSER. It takes a while for all of > the fixes to trickle out to distros. At most what I have seen recently > are problems with other kernel interfaces being amplified with user > namespaces. AKA the current mess with devpts, and the unexpected > issues with bind mounts in mount namespaces. > > > So to keep this productive. Please tell me about the threat model > you envision, and how you envision knobs in the kernel being used to > counter those threats. I consider the ability to use CLONE_NEWUSER to acquire CAP_NET_ADMIN over /any/ network namespace and to thus access the network configuration API to be a huge risk. For example, unprivileged users can program iptables. I'll eat my hat if there are no privilege escalations in there. (They can't request module loading, but still.) --Andy
next prev parent reply other threads:[~2016-01-24 22:22 UTC|newest] Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-01-22 22:39 [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook 2016-01-22 22:39 ` [kernel-hardening] " Kees Cook 2016-01-22 22:39 ` [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin Kees Cook 2016-01-22 22:39 ` [kernel-hardening] " Kees Cook 2016-01-23 3:10 ` Eric W. Biederman 2016-01-23 3:10 ` [kernel-hardening] " Eric W. Biederman 2016-01-23 22:25 ` Jann Horn 2016-01-24 1:20 ` Eric W. Biederman 2016-01-24 1:43 ` Al Viro 2016-01-24 1:56 ` Jann Horn 2016-01-24 6:02 ` Eric W. Biederman 2016-01-24 6:32 ` Jann Horn 2016-01-24 6:44 ` Eric W. Biederman 2016-01-22 22:39 ` [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook 2016-01-22 22:39 ` [kernel-hardening] " Kees Cook 2016-01-22 22:47 ` Robert Święcki 2016-01-22 22:47 ` [kernel-hardening] " Robert Święcki 2016-01-22 22:50 ` Kees Cook 2016-01-22 22:50 ` [kernel-hardening] " Kees Cook 2016-01-22 22:55 ` Robert Święcki 2016-01-22 22:55 ` [kernel-hardening] " Robert Święcki 2016-01-22 23:00 ` Kees Cook 2016-01-22 23:00 ` [kernel-hardening] " Kees Cook 2016-01-23 0:44 ` Serge Hallyn 2016-01-23 0:44 ` [kernel-hardening] " Serge Hallyn 2016-01-23 0:44 ` Serge Hallyn 2016-01-23 0:44 ` [kernel-hardening] " Serge Hallyn 2016-01-23 0:59 ` Ben Hutchings 2016-01-24 20:59 ` Kees Cook 2016-01-24 20:59 ` Kees Cook 2016-01-24 22:20 ` Andy Lutomirski 2016-01-25 18:51 ` Kees Cook 2016-01-22 22:49 ` [PATCH 0/2] " Richard Weinberger 2016-01-22 22:49 ` [kernel-hardening] " Richard Weinberger 2016-01-23 3:02 ` Eric W. Biederman 2016-01-23 3:02 ` [kernel-hardening] " Eric W. Biederman 2016-01-24 20:57 ` Kees Cook 2016-01-24 20:57 ` [kernel-hardening] " Kees Cook 2016-01-26 7:38 ` Serge Hallyn 2016-01-24 22:22 ` Andy Lutomirski [this message] 2016-01-24 22:22 ` Andy Lutomirski 2016-01-25 18:51 ` Kees Cook 2016-01-25 18:51 ` [kernel-hardening] " Kees Cook 2016-01-25 18:53 ` Andy Lutomirski 2016-01-25 18:53 ` [kernel-hardening] " Andy Lutomirski 2016-01-25 18:56 ` Kees Cook 2016-01-25 18:56 ` [kernel-hardening] " Kees Cook 2016-01-25 19:33 ` Eric W. Biederman 2016-01-25 19:33 ` [kernel-hardening] " Eric W. Biederman 2016-01-25 22:34 ` Kees Cook 2016-01-25 22:34 ` [kernel-hardening] " Kees Cook 2016-01-25 23:33 ` Andy Lutomirski 2016-01-25 23:33 ` [kernel-hardening] " Andy Lutomirski 2016-01-26 2:27 ` Daniel Micay 2016-01-26 4:57 ` Eric W. Biederman 2016-01-26 4:57 ` [kernel-hardening] " Eric W. Biederman 2016-01-26 14:38 ` Josh Boyer 2016-01-26 14:38 ` [kernel-hardening] " Josh Boyer 2016-01-26 14:46 ` Austin S. Hemmelgarn 2016-01-26 14:46 ` [kernel-hardening] " Austin S. Hemmelgarn 2016-01-26 14:56 ` Josh Boyer 2016-01-26 14:56 ` [kernel-hardening] " Josh Boyer 2016-01-26 17:20 ` Serge Hallyn 2016-01-26 19:56 ` Josh Boyer 2016-01-26 20:11 ` Austin S. Hemmelgarn 2016-01-26 17:15 ` Serge Hallyn 2016-01-26 18:09 ` Austin S. Hemmelgarn 2016-01-26 18:27 ` Andy Lutomirski 2016-01-26 18:45 ` Austin S. Hemmelgarn 2016-01-26 23:15 ` Kees Cook 2016-01-26 23:13 ` Kees Cook 2016-01-27 10:27 ` Eric W. Biederman 2016-01-27 12:32 ` Austin S. Hemmelgarn 2016-01-28 14:41 ` Robert Święcki 2016-01-28 14:41 ` Robert Święcki 2016-01-26 23:47 ` Josh Boyer 2016-01-26 16:37 ` Kees Cook 2016-01-26 16:37 ` [kernel-hardening] " Kees Cook 2016-01-28 8:56 ` Serge E. Hallyn 2016-01-28 12:53 ` Austin S. Hemmelgarn
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CALCETrWYRvqhyCwx5RX6L3TEYCfW0j6ThFUc+ASL7BpxgO5dEQ@mail.gmail.com \ --to=luto@amacapital.net \ --cc=akpm@linux-foundation.org \ --cc=dhowells@redhat.com \ --cc=dvyukov@google.com \ --cc=ebiederm@xmission.com \ --cc=edumazet@google.com \ --cc=glider@google.com \ --cc=kcc@google.com \ --cc=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-doc@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=mszeredi@suse.cz \ --cc=richard@nod.at \ --cc=robert@swiecki.net \ --cc=sasha.levin@oracle.com \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.