| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240610130540.GC2193924@mail.hallyn.com> Date: Mon, 10 Jun 2024 08:05:40 -0500 From: "Serge E. Hallyn" <serge@...lyn.com> To: Jonathan Calmels <jcalmels@...0.net> Cc: "Serge E. Hallyn" <serge@...lyn.com>, brauner@...nel.org, ebiederm@...ssion.com, Jonathan Corbet <corbet@....net>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, KP Singh <kpsingh@...nel.org>, Matt Bobrowski <mattbobrowski@...gle.com>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, John Fastabend <john.fastabend@...il.com>, Stanislav Fomichev <sdf@...gle.com>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, Luis Chamberlain <mcgrof@...nel.org>, Kees Cook <kees@...nel.org>, Joel Granados <j.granados@...sung.com>, John Johansen <john.johansen@...onical.com>, David Howells <dhowells@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>, Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>, Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>, containers@...ts.linux.dev, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org, linux-security-module@...r.kernel.org, bpf@...r.kernel.org, apparmor@...ts.ubuntu.com, keyrings@...r.kernel.org, selinux@...r.kernel.org, linux-kselftest@...r.kernel.org Subject: Re: [PATCH v2 2/4] capabilities: Add securebit to restrict userns caps On Mon, Jun 10, 2024 at 02:46:06AM -0700, Jonathan Calmels wrote: > On Sun, Jun 09, 2024 at 09:33:01PM GMT, Serge E. Hallyn wrote: > > On Sun, Jun 09, 2024 at 03:43:35AM -0700, Jonathan Calmels wrote: > > > This patch adds a new capability security bit designed to constrain a > > > task’s userns capability set to its bounding set. The reason for this is > > > twofold: > > > > > > - This serves as a quick and easy way to lock down a set of capabilities > > > for a task, thus ensuring that any namespace it creates will never be > > > more privileged than itself is. > > > - This helps userspace transition to more secure defaults by not requiring > > > specific logic for the userns capability set, or libcap support. > > > > > > Example: > > > > > > # capsh --secbits=$((1 << 8)) --drop=cap_sys_rawio -- \ > > > -c 'unshare -r grep Cap /proc/self/status' > > > CapInh: 0000000000000000 > > > CapPrm: 000001fffffdffff > > > CapEff: 000001fffffdffff > > > CapBnd: 000001fffffdffff > > > CapAmb: 0000000000000000 > > > CapUNs: 000001fffffdffff > > > > But you are not (that I can see, in this or the previous patch) > > keeping SECURE_USERNS_STRICT_CAPS in securebits on the next > > level unshare. Though I think it's ok, because by then both > > cap_userns and cap_bset are reduced and cap_userns can't be > > expanded. (Sorry, just thinking aloud here) > > Right this is safe to reset, but maybe we do keep it if the secbit is > locked? This is kind of a special case compared to the other bits. I don't think it would be worth the extra complication in the secbits code, and it's semantically very different from the cap_userns. > > > + /* Limit userns capabilities to our parent's bounding set. */ > > > > In the case of userns_install(), it will be the target user namespace > > creator's bounding set, right? Not "our parent's"? > > Good point, I should reword this comment.
Powered by blists - more mailing lists