| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2804dd75-50fd-481c-8867-bc6cea7ab986@schaufler-ca.com> Date: Thu, 16 May 2024 12:07:07 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: Jonathan Calmels <jcalmels@...0.net>, brauner@...nel.org, ebiederm@...ssion.com, Luis Chamberlain <mcgrof@...nel.org>, Kees Cook <keescook@...omium.org>, Joel Granados <j.granados@...sung.com>, Serge Hallyn <serge@...lyn.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, David Howells <dhowells@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>, Casey Schaufler <casey@...aufler-ca.com> Cc: containers@...ts.linux.dev, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, keyrings@...r.kernel.org Subject: Re: [PATCH 0/3] Introduce user namespace capabilities On 5/16/2024 2:22 AM, Jonathan Calmels wrote: > It's that time of the year again where we debate security settings for user > namespaces ;) > > I’ve been experimenting with different approaches to address the gripe > around user namespaces being used as attack vectors. > After invaluable feedback from Serge and Christian offline, this is what I > came up with. > > There are obviously a lot of things we could do differently but I feel this > is the right balance between functionality, simplicity and security. This > also serves as a good foundation and could always be extended if the need > arises in the future. > > Notes: > > - Adding a new capability set is far from ideal, but trying to reuse the > existing capability framework was deemed both impractical and > questionable security-wise, so here we are. I suggest that adding a capability set for user namespaces is a bad idea: - It is in no way obvious what problem it solves - It is not obvious how it solves any problem - The capability mechanism has not been popular, and relying on a community (e.g. container developers) to embrace it based on this enhancement is a recipe for failure - Capabilities are already more complicated than modern developers want to deal with. Adding another, special purpose set, is going to make them even more difficult to use. > - We might want to add new capabilities for some of the checks instead of > reusing CAP_SETPCAP every time. Serge mentioned something like > CAP_SYS_LIMIT? > > - In the last patch, we could decide to have stronger requirements and > perform checks inside cap_capable() in case we want to retroactively > prevent capabilities in old namespaces, this might be an overreach though > so I left it out. > > I'm also not fond of the ulong logic for setting the sysctl parameter, on > the other hand, the usermodhelper code always uses two u32s which makes it > very confusing to set in userspace. > > > Jonathan Calmels (3): > capabilities: user namespace capabilities > capabilities: add securebit for strict userns caps > capabilities: add cap userns sysctl mask > > fs/proc/array.c | 9 ++++ > include/linux/cred.h | 3 ++ > include/linux/securebits.h | 1 + > include/linux/user_namespace.h | 7 +++ > include/uapi/linux/prctl.h | 7 +++ > include/uapi/linux/securebits.h | 11 ++++- > kernel/cred.c | 3 ++ > kernel/sysctl.c | 10 ++++ > kernel/umh.c | 16 +++++++ > kernel/user_namespace.c | 83 ++++++++++++++++++++++++++++++--- > security/commoncap.c | 59 +++++++++++++++++++++++ > security/keys/process_keys.c | 3 ++ > 12 files changed, 204 insertions(+), 8 deletions(-) >
Powered by blists - more mailing lists