| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Mar 2016 13:07:25 -0600 From: "Serge E. Hallyn" <serge@...lyn.com> To: Kees Cook <keescook@...omium.org> Cc: Andy Lutomirski <luto@...capital.net>, Colin Walters <walters@...bum.org>, Linux Containers <containers@...ts.linux-foundation.org>, Serge Hallyn <serge.hallyn@...ntu.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Seth Forshee <seth.forshee@...onical.com>, Stephane Graber <stgraber@...ntu.com>, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: Thoughts on tightening up user namespace creation Quoting Kees Cook (keescook@...omium.org): > On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@...capital.net> wrote: > > Hi all- > > > > There are several users and distros that are nervous about user > > namespaces from an attack surface point of view. > > > > - RHEL and Arch have userns disabled. > > > > - Ubuntu requires CAP_SYS_ADMIN > > > > - Kees periodically proposes to upstream some sysctl to control > > userns creation. > > And here's another ring0 escalation flaw, made available to > unprivileged users because of userns: > > https://code.google.com/p/google-security-research/issues/detail?id=758 Kees, I think you think this makes your point, but all it does is make me want to argue with you and start flinging back cves against kvm, af_unix, sctp, etc. > > I think there are three main types of concerns. First, there might be > > some as-yet-unknown semantic issues that would allow privilege > > escalation by users who create user namespaces and then confuse > > something else in the system. Second, enabling user namespaces > > exposes a lot of attack surface to unprivileged users. Third, > > allowing tasks to create user namespaces exposes the kernel to various > > resource exhaustion attacks that wouldn't be possible otherwise. > > > > Since I doubt we'll ever fully address the attack surface issue at > > least, would it make sense to try to come up with an upstreamable way > > to limit who can create new user namespaces and/or do various > > dangerous things with them? > > The change in attack surface is _substantial_. We must have a way to > globally disable userns. I'm confused. Didn't we agree a few months ago, somewhat reluctantly, on a sysctl?
Powered by blists - more mailing lists