Date:   Thu, 01 Jun 2023 20:41:42 -0500
From:   "Eric W. Biederman" <ebiederm@...ssion.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     "~akihirosuda" <suda.kyoto@...il.com>,
        linux-kernel@...r.kernel.org, containers@...ts.linux.dev,
        serge@...lyn.com, brauner@...nel.org, akihiro.suda.cz@....ntt.co.jp
Subject: Re: [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range"

Paul Moore <paul@...l-moore.com> writes:

> On Thu, Jun 1, 2023 at 8:14 PM Eric W. Biederman <ebiederm@...ssion.com> wrote:
>> Paul Moore <paul@...l-moore.com> writes:
>> >
>> > Given the challenges around adding access controls to userns
>> > operations, have you considered using the LSM support that was added
>> > upstream last year?  The relevant LSM hook can be found in commit
>> > 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),
>>
>> Paul, how have you handled the real-world regression I reported against
>> chromium?
>
> I don't track chromium development.

You have chosen to be the maintainer and I reported it to you.

>> Paul, are you aware that the LSM hook cannot be used to achieve the
>> objective of this patchset?
>
> /me shrugs
>

[snip parts about performing a group id check]

The LSM hook you added does not have the technical capability to reduce
the attack surface to mitigate bugs in the kernel.  It is the
ineffectiveness of the hook, not the permission check, that I was
referring to.

Eric
