Date:   Thu, 01 Jun 2023 19:14:08 -0500
From:   "Eric W. Biederman" <ebiederm@...ssion.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     "~akihirosuda" <suda.kyoto@...il.com>,
        linux-kernel@...r.kernel.org, containers@...ts.linux.dev,
        serge@...lyn.com, brauner@...nel.org, akihiro.suda.cz@....ntt.co.jp
Subject: Re: [PATCH linux 0/3] [PATCH] userns: add sysctl
 "kernel.userns_group_range"

Paul Moore <paul@...l-moore.com> writes:

> On Tue, May 30, 2023 at 2:50 PM ~akihirosuda <akihirosuda@....sr.ht> wrote:
>>
>> This sysctl limits groups who can create a new userns without
>> CAP_SYS_ADMIN in the current userns, so as to mitigate potential kernel
>> vulnerabilities around userns.
>>
>> The sysctl value format is same as "net.ipv4.ping_group_range".
>>
>> To disable creating new unprivileged userns, set the sysctl value to
>> "1 0" in the initial userns.
>>
>> To allow everyone to create new userns, set the sysctl value to
>> "0 4294967294". This is the default value.
>>
>> This sysctl replaces "kernel.unprivileged_userns_clone" that is found in
>> Ubuntu [1] and Debian GNU/Linux.
>>
>> Link: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy/commit?id=3422764 [1]
>
> Given the challenges around adding access controls to userns
> operations, have you considered using the LSM support that was added
> upstream last year?  The relevant LSM hook can be found in commit
> 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),


Paul, how have you handled the real world regression I reported against
chromium?

Paul, are you aware that the LSM hook cannot be used to achieve the
objective of this patchset?

> and although only SELinux currently provides an access control
> implementation, there is no reason you couldn't add support for your
> favorite LSM, or even just a simple BPF LSM to enforce the group
> controls as you've described them here.

Is there a publicly available SELinux policy that uses that LSM hook?

Eric
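
The value format described in the quoted cover letter, as an added userspace model that is not code from the patch or from anyone in this thread: it parses "LOW HIGH" and applies an inclusive range check. The function names, and the assumption that the range is matched against the effective GID and the supplementary groups the way net.ipv4.ping_group_range is, are mine.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define GID_RANGE_MAX 4294967294UL /* largest value the cover letter uses */

struct gid_range { unsigned long low, high; }; /* hypothetical model type */

/* Parse one unsigned decimal field; reject signs, overflow, out-of-range. */
static bool parse_field(const char **p, unsigned long *out)
{
    char *end;
    while (isspace((unsigned char)**p)) (*p)++;
    if (!isdigit((unsigned char)**p)) return false;
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno != 0 || *out > GID_RANGE_MAX) return false;
    *p = end;
    return true;
}

/* Parse "LOW HIGH" as it would be written to the sysctl. */
bool parse_gid_range(const char *s, struct gid_range *r)
{
    if (!parse_field(&s, &r->low) || !parse_field(&s, &r->high)) return false;
    while (isspace((unsigned char)*s)) s++;
    return *s == '\0'; /* no trailing garbage */
}

/* Assumed semantics: CAP_SYS_ADMIN bypasses the range; otherwise the egid
 * or any supplementary GID must lie in [low, high]. "1 0" is an empty range. */
bool may_create_userns(const struct gid_range *r, bool has_cap_sys_admin,
                       unsigned long egid, const unsigned long *groups, size_t n)
{
    if (has_cap_sys_admin) return true;
    if (egid >= r->low && egid <= r->high) return true;
    for (size_t i = 0; i < n; i++)
        if (groups[i] >= r->low && groups[i] <= r->high) return true;
    return false;
}

int main(void)
{
    struct gid_range r;
    unsigned long groups[] = { 27, 1000 }; /* constructed sample GIDs */
    if (!parse_gid_range("1 0", &r)) return 1;
    printf("\"1 0\" -> %s\n", may_create_userns(&r, false, 1000, groups, 2) ? "allow" : "deny");
    return 0;
}
```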
