| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240610124855.GA2193924@mail.hallyn.com> Date: Mon, 10 Jun 2024 07:48:55 -0500 From: "Serge E. Hallyn" <serge@...lyn.com> To: Jonathan Calmels <jcalmels@...0.net> Cc: "Serge E. Hallyn" <serge@...lyn.com>, Andrew Morgan <morgan@...nel.org>, brauner@...nel.org, ebiederm@...ssion.com, Jonathan Corbet <corbet@....net>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, KP Singh <kpsingh@...nel.org>, Matt Bobrowski <mattbobrowski@...gle.com>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, John Fastabend <john.fastabend@...il.com>, Stanislav Fomichev <sdf@...gle.com>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, Luis Chamberlain <mcgrof@...nel.org>, Kees Cook <kees@...nel.org>, Joel Granados <j.granados@...sung.com>, John Johansen <john.johansen@...onical.com>, David Howells <dhowells@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>, Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>, Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>, containers@...ts.linux.dev, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org, linux-security-module@...r.kernel.org, bpf@...r.kernel.org, apparmor@...ts.ubuntu.com, keyrings@...r.kernel.org, selinux@...r.kernel.org, linux-kselftest@...r.kernel.org Subject: Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities On Mon, Jun 10, 2024 at 01:47:13AM -0700, Jonathan Calmels wrote: > On Sun, Jun 09, 2024 at 08:50:24PM GMT, Serge E. Hallyn wrote: > > On Sun, Jun 09, 2024 at 03:43:34AM -0700, Jonathan Calmels wrote: > > > Attackers often rely on user namespaces to get elevated (yet confined) > > > privileges in order to target specific subsystems (e.g. [1]). Distributions > > > > I'd modify this to say "in order to target *bugs* in specific subsystems" :) > > Ack > > > > This effectively mimics the inheritable set rules and means that, by > > > default, only root in the user namespace can regain userns capabilities > > > previously dropped: > > > > Something about this last sentence feels wrong, but I'm not sure what > > the best alternative would be. As is, though, it makes it sound as though > > root in the userns can always regain previously dropped capabilities, but > > that's not true if dropped in ancestor ns, or if root also dropped the > > bits from its bounding set (right?). > > Right, the wording is a little bit confusing here I admit. > What I meant to say is that if a cap is dropped in a *given* namespace, > then it can only be regained by root there. But yes, caps can never be > regained from ancestors ns. I'll try to rephrase it. > > BTW, this is rather strict, but I think that's what we want right, Yes, > something simple? Alternative would be to have a new cap masked off by > default, but if granted to a userns, allows you to regain ancestors > caps. we absolutely do not want to allow regaining caps dropped in an ancestor namespace. thanks, -serge
Powered by blists - more mailing lists