lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhQhBBPyZE24LM6KvYrET2huW-W_YYsyPndpNkn70Mu3Ug@mail.gmail.com>
Date:   Tue, 30 May 2023 17:58:48 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     "~akihirosuda" <suda.kyoto@...il.com>
Cc:     linux-kernel@...r.kernel.org, containers@...ts.linux.dev,
        serge@...lyn.com, brauner@...nel.org, ebiederm@...ssion.com,
        akihiro.suda.cz@....ntt.co.jp
Subject: Re: [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range"

On Tue, May 30, 2023 at 2:50 PM ~akihirosuda <akihirosuda@....sr.ht> wrote:
>
> This sysctl limits groups who can create a new userns without
> CAP_SYS_ADMIN in the current userns, so as to mitigate potential kernel
> vulnerabilities around userns.
>
> The sysctl value format is same as "net.ipv4.ping_group_range".
>
> To disable creating new unprivileged userns, set the sysctl value to "1
> 0" in the initial userns.
>
> To allow everyone to create new userns, set the sysctl value to "0
> 4294967294". This is the default value.
>
> This sysctl replaces "kernel.unprivileged_userns_clone" that is found in
> Ubuntu [1] and Debian GNU/Linux.
>
> Link: https://git.launchpad.net/~ubuntu-
> kernel/ubuntu/+source/linux/+git/jammy/commit?id=3422764 [1]

Given the challenges around adding access controls to userns
operations, have you considered using the LSM support that was added
upstream last year?  The relevant LSM hook can be found in commit
7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),
and although only SELinux currently provides an access control
implementation, there is no reason you couldn't add support for your
favorite LSM, or even just a simple BPF LSM to enforce the group
controls as you've described them here.

> Akihiro Suda (3):
>   net/ipv4: split group_range logic to kernel/group_range.c
>   group_range: allow GID from 2147483648 to 4294967294
>   userns: add sysctl "kernel.userns_group_range"
>
>  include/linux/group_range.h    |  18 +++++
>  include/linux/user_namespace.h |   5 ++
>  include/net/netns/ipv4.h       |   9 +--
>  include/net/ping.h             |   6 --
>  kernel/Makefile                |   2 +-
>  kernel/fork.c                  |  24 +++++++
>  kernel/group_range.c           | 123 +++++++++++++++++++++++++++++++++
>  kernel/sysctl.c                |  30 ++++++++
>  kernel/user.c                  |   9 +++
>  net/ipv4/ping.c                |  39 +----------
>  net/ipv4/sysctl_net_ipv4.c     |  56 ++-------------
>  11 files changed, 219 insertions(+), 102 deletions(-)
>  create mode 100644 include/linux/group_range.h
>  create mode 100644 kernel/group_range.c

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ