lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 9 Oct 2020 23:26:06 -0500
From:   "Serge E. Hallyn" <serge@...lyn.com>
To:     Christian Brauner <christian.brauner@...ntu.com>
Cc:     containers@...ts.linux-foundation.org,
        Alexander Mihalicyn <alexander@...alicyn.com>,
        Mrunal Patel <mpatel@...hat.com>, Wat Lim <watl@...gle.com>,
        Aleksa Sarai <cyphar@...har.com>,
        Pavel Tikhomirov <ptikhomirov@...tuozzo.com>,
        Geoffrey Thomas <geofft@...reload.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Joseph Christopher Sible <jcsible@...t.org>,
        Mickaël Salaün <mic@...ikod.net>,
        Vivek Goyal <vgoyal@...hat.com>,
        Giuseppe Scrivano <gscrivan@...hat.com>,
        Andy Lutomirski <luto@...capital.net>,
        Stephane Graber <stgraber@...ntu.com>,
        Kees Cook <keescook@...omium.org>,
        Sargun Dhillon <sargun@...gun.me>,
        Josh Triplett <josh@...htriplett.org>,
        linux-kernel@...r.kernel.org
Subject: Re: LPC 2020 Hackroom Session: summary and next steps for isolated
 user namespaces

> 3. Find a way to allow setgroups() in a user namespace while keeping
>    in mind the case of groups used for negative access control.
>    This was suggested by Josh Triplett and Geoffrey Thomas. Their idea was to
>    investigate adding a prctl() to allow setgroups() to be called in a user
>    namespace at the cost of restricting paths to the most restrictive
>    permission. So if something is 0707 it needs to be treated as if it's 0000
>    even though the caller is not in its owning group which is used for negative
>    access control (how these new semantics will interact with ACLs will also
>    need to be looked into).

I should probably think this through more, but for this problem, would it
not suffice to add a new prevgroups grouplist to the struct cred, maybe
struct group_info *locked_groups, and every time an unprivileged task creates
a new user namespace, add all its current groups to this list?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ