lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Tue, 29 Jun 2021 15:40:07 +0200
From:   Christian Brauner <christian.brauner@...ntu.com>
To:     yang.yang29@....com.cn
Cc:     mcgrof@...nel.org, keescook@...omium.org, yzaikin@...gle.com,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        menglong8.dong@...il.com
Subject: Re: [PATCH] sysctl: fix permission check while owner isn't
 GLOBAL_ROOT_UID

On Mon, Jun 28, 2021 at 09:14:10PM +0800, yang.yang29@....com.cn wrote:
> > I'm confused about what the actual problem is tbh:
> > 
> > root@h3:~# stat -c "%A %a %n" /proc/sys/net/ipv4/ip_forward
> > -rw-r--r-- 644 /proc/sys/net/ipv4/ip_forward
> > 
> > root@h3:~# echo 0 > /proc/sys/net/ipv4/ip_forward
> > 
> > root@h3:~# cat /proc/sys/net/ipv4/ip_forward
> > 0
> > 
> > root@h3:~# cat /proc/self/uid_map  
> >          0     100000 1000000000
> 
> Sorry to describe too simple. More specific:
> 1.Run dockerd with user namespace enbled
> echo dockremap:296608:65536 >  /etc/subuid;echo dockremap:296608:65536 >  /etc/subgid
> dockerd ... --userns-remap=default
> 2.Create a container
> docker run -it ... sh
> 
> Then root account in the container is 296608 account in the host:
> / # cat /proc/self/uid_map
>          0     296608      65536
> 
> In the container, /proc/sys/net/ipv4/ip_forward's owner is root, but root can't modify it:
> / # whoami
> root
> / # ls -l /proc/sys/net/ipv4/ip_forward
> -rw-r--r--    1 root     root             0 Jun 28 12:46 /proc/sys/net/ipv4/ip_forward
> / # cat /proc/sys/net/ipv4/ip_forward
> 1
> / # echo 0 > /proc/sys/net/ipv4/ip_forward
> sh: can't create /proc/sys/net/ipv4/ip_forward: Permission denied
> 
> And /proc/sys/net/ipv4/ip_forward has considerd about net namespace, 
> see net_ctl_set_ownership() in net\sysctl_net.c.
> So root in container should be able to modify /proc/sys/net/ipv4/ip_forward.
> This doesn't impact /proc/sys/net/ipv4/ip_forward in the host or other container with other net namespace.

Sorry to resort to "It works on my machine" but I just pasted you the
exact same setup and showed you that this works as expected.

So the reason here is likely that you're lacking capabilities
specifically CAP_NET_ADMIN. If I reproduce with your setup I can't even
create a dummy network device:

/ #  ip link add bla type dummy
ip: RTNETLINK answers: Operation not permitted

whereas on any unprivileged container that reatins CAP_NET_ADMIN that
just works fine.

So I would think that if you retain CAP_NET_ADMIN things will work out
just fine. Take a look at net_ctl_permissions.

There's really no reason to drop CAP_NET_ADMIN in a network namespace
that is owned by a non-initial user namespace anyway.

Christian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ