From: James Bottomley <James.Bottomley@Hansenpartnership.com>
To: Andrew Vagin <avagin@virtuozzo.com>,
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linux API <linux-api@vger.kernel.org>,
Containers <containers@lists.linux-foundation.org>,
lkml <linux-kernel@vger.kernel.org>,
criu@openvz.org,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Subject: Re: [CRIU] Introspecting userns relationships to other namespaces?
Date: Sat, 09 Jul 2016 19:32:04 +0900 [thread overview]
Message-ID: <e3fe9c3c-ecae-4795-8dbc-72362f4606a5@email.android.com> (raw)
In-Reply-To: <20160709072627.GA7480@outlook.office365.com>
On July 9, 2016 4:26:28 PM GMT+09:00, Andrew Vagin <avagin@virtuozzo.com> wrote:
>On Fri, Jul 08, 2016 at 10:05:18PM -0500, Eric W. Biederman wrote:
>> James Bottomley <James.Bottomley@HansenPartnership.com> writes:
>>
>> > On Fri, 2016-07-08 at 18:52 -0500, Eric W. Biederman wrote:
>> >> James Bottomley <James.Bottomley@Hansenpartnership.com> writes:
>> >>
>> >> > On July 8, 2016 1:38:19 PM PDT, Andrew Vagin
><avagin@virtuozzo.com>
>> >> > wrote:
>> >>
>> >> > > What do you think about the idea to mount nsfs and be able to
>> >> > > look up any alive namespace by inum:
>> >> >
>> >> > I think I like it. It will give us a way to enter any extant
>> >> > namespace. It will work for Eric's fs namespaces as well.
>Perhaps
>> >> > a /process/ns/<inum> Directory?
>> >
>> > As you understood, I meant /proc/ns/<inum> (damn mobile phone
>> > completions).
>> >
>> >> *Shivers*
>> >>
>> >> That makes it very easy to bypass any existing controls that exist
>
>> >> for getting at namespaces. It is true that everything of that
>kind
>> >> is directory based but still.
>> >>
>> >> Plus I think it would serve as information leak to information
>> >> outside of the container.
>> >>
>> >> An operation to get a user namespace file descriptor from some
>kernel
>> >> object sounds reasonably sane.
>> >>
>> >> A great big list of things sounds about as scary as it can get.
>This
>> >> is not the time to be making it easier to escape from containers.
>> >
>> > To be honest, I think this argument is rubbish. If we're afraid of
>> > giving out a list of all the namespaces, it means we're afraid
>there's
>> > some security bug and we're trying to obscure it by making the list
>> > hard to get. All we've done is allayed fears about the bug but the
>> > hackers still know the portals to get through.
>> >
>> > If such a bug exists, it will be possible to exploit it by simply
>> > reconstructing the information from the individual process
>directories,
>> > so obscurity doesn't protect us and all it does is give us a false
>> > sense of security. If such a bug doesn't exist, then all the
>security
>> > mechanisms currently in place (like no re-entry to prior namespace)
>> > should protect us and we can give out the list.
>> >
>> > Let's deal with the world as we'd like it to be (no obscure
>namespace
>> > bugs) and accept the consequences and the responsibility for fixing
>> > them if we turn out to be slightly incorrect. We'll end up in a
>far
>> > better place than security by obscurity would land us.
>>
>> No. That is not the fear. The permission checks on
>/proc/self/ns/xxx
>> are different than if the namespace is bind mounted somewhere.
>>
>> That was done deliberately and with a reasonable amount of
>forethought.
>> You are asking to throw those permission checks out. The answer is
>no.
>>
>> Furthermore there is a much clearer reason not to go with a list of
>all
>> namespaces. A list of all namespaces breaks CRIU. As you have
>described
>> it the list will change depending upon which machine you restore a
>> checkpoint on. I honestly don't know what kind of havoc that will
>cause
>> but it is certainly something we won't be able to checkpoint no
>matter
>> how hard we try.
>
>It's right. I hadn't thought about this.
Me neither. Sorry for the prior outburst.
I think this means we're back to exposing owning userns in the /proc /<pid >/ns directory.
>>
>> A global list of namespaces especially of the kind that you can open
>> and get a handle to the namespace is just not appropriate.
>>
>> I know inode numbers comes darn close to names but they aren't really
>> names and if it comes to it we can figure out how to preserve an
>> applications view of it all across a checkpoint/restart. So far it
>> hasn't proven necessary to preserve any inode numbers across
>> checkpoint/restart but again it is theoretically possible if it
>becomes
>> necessary.
>>
>> Throwing away checkpoint/restart support for the sake of
>> checkpoint/restart is a no-go.
>>
>> Containers fundamentally imply you don't have global visibility,
>> and that is a good thing.
>
>All these thoughts about security make me thinking that kcmp is what we
>should use here. It's maybe something like this:
>
>kcmp(pid1, pid2, KCMP_NS_USERNS, fd1, fd2)
>
>- to check if userns of the fd1 namepsace is equal to the fd2 userns
>
>kcmp(pid1, pid2, KCMP_NS_PARENT, fd1, fd2)
>
>- to check if a parent namespace of the fd1 pidns is equal to fd pidns.
>
>fd1 and fd2 is file descriptors to namespace files.
>
>So if we want to build a hierarchy, we need to collect all namespaces
>and then enumerate them to check dependencies with help of kcmp.
Sure, but we need a method for opening the filehandles first .. .
James
>>
>> Eric
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
next prev parent reply other threads:[~2016-07-09 10:33 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <c2a26220-69f2-f2f5-491a-e43abd9a6f92@gmail.com>
[not found] ` <87r3b7pxja.fsf@x220.int.ebiederm.org>
2016-07-06 8:41 ` Introspecting userns relationships to other namespaces? Michael Kerrisk (man-pages)
2016-07-06 14:13 ` Serge E. Hallyn
2016-07-06 15:46 ` Eric W. Biederman
2016-07-08 1:57 ` [CRIU] " Andrew Vagin
2016-07-08 7:44 ` Eric W. Biederman
2016-07-08 14:35 ` James Bottomley
2016-07-08 20:38 ` Andrew Vagin
2016-07-08 20:50 ` W. Trevor King
2016-07-08 22:19 ` James Bottomley
2016-07-08 22:19 ` James Bottomley
2016-07-08 23:52 ` Eric W. Biederman
2016-07-09 0:15 ` James Bottomley
2016-07-09 3:05 ` Eric W. Biederman
2016-07-09 7:26 ` Andrew Vagin
2016-07-09 10:31 ` James Bottomley
2016-07-09 10:32 ` James Bottomley [this message]
2016-07-09 18:15 ` Eric W. Biederman
2016-07-09 18:29 ` Eric W. Biederman
2016-07-13 0:08 ` Andrew Vagin
2016-07-13 3:59 ` W. Trevor King
2016-07-07 8:15 ` Michael Kerrisk (man-pages)
2016-07-07 13:36 ` Serge E. Hallyn
2016-07-07 15:01 ` James Bottomley
2016-07-07 18:21 ` Michael Kerrisk (man-pages)
2016-07-07 18:24 ` Serge E. Hallyn
2016-07-07 19:17 ` James Bottomley
2016-07-08 2:16 ` [CRIU] " Andrew Vagin
2016-07-08 3:00 ` Andrew Vagin
2016-07-08 3:26 ` James Bottomley
2016-07-08 5:26 ` W. Trevor King
2016-07-08 6:16 ` W. Trevor King
2016-07-08 6:54 ` Andrew Vagin
2016-07-08 7:18 ` W. Trevor King
2016-07-08 5:41 ` [CRIU] " Andrei Vagin
2016-07-08 5:47 ` Andrei Vagin
2016-07-08 6:07 ` James Bottomley
2016-07-08 11:17 ` Michael Kerrisk (man-pages)
2016-07-08 3:20 ` James Bottomley
2016-07-08 6:09 ` Andrew Vagin
2016-07-08 11:11 ` Michael Kerrisk (man-pages)
2016-07-09 3:15 ` W. Trevor King
2016-07-09 3:13 ` Eric W. Biederman
2016-07-10 5:36 ` [CRIU] " Andrew Vagin
2016-07-10 20:29 ` Eric W. Biederman
2016-07-10 21:06 ` James Bottomley
2016-07-11 20:55 ` Andrew Vagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e3fe9c3c-ecae-4795-8dbc-72362f4606a5@email.android.com \
--to=james.bottomley@hansenpartnership.com \
--cc=avagin@virtuozzo.com \
--cc=containers@lists.linux-foundation.org \
--cc=criu@openvz.org \
--cc=ebiederm@xmission.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).