lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Sun, 24 May 2020 15:32:14 +0300
From:   Idan Yadgar <idanyadgar@...il.com>
To:     dhowells@...hat.com
Cc:     gregkh@...uxfoundation.org, tglx@...utronix.de,
        allison@...utok.net, armijn@...ldur.nl,
        linux-kernel@...r.kernel.org
Subject: Capabilities are list when creating a user namespace

Hello,

A process which changes its user namespace (unshare or setns), or a
process that is created by clone with the CLONE_NEWUSER flag has all
capabilities inside the new namespace, and loses all its capabilities
in the parent/previous user namespace.
This poses an issue because some operations require a capability in a
user namespace other then the current one for the process. The man
states multiple times that a system call requires a capability in the
initial user namespace (for example, open_by_handle_at requires
CAP_DAC_READ_SEARCH in the initial user namespace), but this cannot
happen unless the process is owned by root, thus preventing
open_by_handle_at to be run inside a user namespace.

Solving this problem can be done by allowing (via prctl or any other
mechanism) a task to save its
capabilities for a given user namespace, even when it isn't a member
in that namespace.

We would like to hear some thoughts about this issue and our proposed solution.

Powered by blists - more mailing lists