| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Jan 2011 06:43:42 +0000 From: "Serge E. Hallyn" <serge@...lyn.com> To: LSM <linux-security-module@...r.kernel.org> Cc: James Morris <jmorris@...ei.org>, Kees Cook <kees.cook@...onical.com>, containers@...ts.linux-foundation.org, kernel list <linux-kernel@...r.kernel.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, Alexey Dobriyan <adobriyan@...il.com>, Michael Kerrisk <mtk.manpages@...il.com>, serge@...lyn.com, Bastian Blank <bastian@...di.eu.org> Subject: userns: targeted capabilities v4 This version addresses feedback from and bugs pointed out by Bastian. It also adds user namespace checks in fs/namei.c. If a task reads a file owned by another user_ns, it gets the world access rights to that file. Since inodes don't yet have a user namespace, we just declare that init_user_ns owns them all. So if you are root in a child user namespace, you effectively are roaming the system as user nobody. See http://www.spinics.net/lists/linux-containers/msg09716.html and http://www.spinics.net/lists/linux-containers/msg08486.html for prior discussions. [ Intro to v3 follows ] The core of the set is patch 2, originally conceived and implemented by Eric Biederman. The concept is to target capabilities at user namespaces. A task's capabilities are now contextualized as follows (previously, capabilities had no context): 1. For a task in the initial user namespace, the calculated capabilities (pi, pe, pp) are available to act upon any user namespace. 2. For a task in a child user namespace, the calculated capabilities are available to act only on its own or any descendent user namespace. It has no capabilities to any parent or unrelated user namespaces. 3. If a user A creates a new user namespace, that user has all capabilities to that new user namespace and any of its descendents. (Contrast this with a user namespace created by another user B in the same user namespace, to which this user A has only his calculated capabilities) All existing 'capable' checks are automatically converted to checks against the initial user namespace. The rest of the patches begin to enable capabilities in child user namespaces to setuid, setgid, set hostnames, kill tasks, and do ptrace. My next step would be to re-introduce a part of a several year old patchset which assigns a userns to a superblock (and hence to inodes), and grants 'user other' permissions to any task whose uid does not map to the target userns. (By default, this will be all but the initial userns) thanks, -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists