[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240516092213.6799-1-jcalmels@3xx0.net>
Date: Thu, 16 May 2024 02:22:02 -0700
From: Jonathan Calmels <jcalmels@...0.net>
To: brauner@...nel.org,
ebiederm@...ssion.com,
Luis Chamberlain <mcgrof@...nel.org>,
Kees Cook <keescook@...omium.org>,
Joel Granados <j.granados@...sung.com>,
Serge Hallyn <serge@...lyn.com>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
David Howells <dhowells@...hat.com>,
Jarkko Sakkinen <jarkko@...nel.org>
Cc: containers@...ts.linux.dev,
Jonathan Calmels <jcalmels@...0.net>,
linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org,
keyrings@...r.kernel.org
Subject: [PATCH 0/3] Introduce user namespace capabilities
It's that time of the year again where we debate security settings for user
namespaces ;)
I’ve been experimenting with different approaches to address the gripe
around user namespaces being used as attack vectors.
After invaluable feedback from Serge and Christian offline, this is what I
came up with.
There are obviously a lot of things we could do differently but I feel this
is the right balance between functionality, simplicity and security. This
also serves as a good foundation and could always be extended if the need
arises in the future.
Notes:
- Adding a new capability set is far from ideal, but trying to reuse the
existing capability framework was deemed both impractical and
questionable security-wise, so here we are.
- We might want to add new capabilities for some of the checks instead of
reusing CAP_SETPCAP every time. Serge mentioned something like
CAP_SYS_LIMIT?
- In the last patch, we could decide to have stronger requirements and
perform checks inside cap_capable() in case we want to retroactively
prevent capabilities in old namespaces, this might be an overreach though
so I left it out.
I'm also not fond of the ulong logic for setting the sysctl parameter, on
the other hand, the usermodhelper code always uses two u32s which makes it
very confusing to set in userspace.
Jonathan Calmels (3):
capabilities: user namespace capabilities
capabilities: add securebit for strict userns caps
capabilities: add cap userns sysctl mask
fs/proc/array.c | 9 ++++
include/linux/cred.h | 3 ++
include/linux/securebits.h | 1 +
include/linux/user_namespace.h | 7 +++
include/uapi/linux/prctl.h | 7 +++
include/uapi/linux/securebits.h | 11 ++++-
kernel/cred.c | 3 ++
kernel/sysctl.c | 10 ++++
kernel/umh.c | 16 +++++++
kernel/user_namespace.c | 83 ++++++++++++++++++++++++++++++---
security/commoncap.c | 59 +++++++++++++++++++++++
security/keys/process_keys.c | 3 ++
12 files changed, 204 insertions(+), 8 deletions(-)
--
2.45.0
Powered by blists - more mailing lists