| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFUG7CcEy9a=RxBQZJR-C_2VuhZXrzJ_QxJnrSxdM=ox36DsXQ@mail.gmail.com>
Date: Mon, 6 Nov 2017 18:17:21 -0500
From: Boris Lukashev <blukashev@...pervictus.com>
To: "Serge E. Hallyn" <serge@...lyn.com>
Cc: Daniel Micay <danielmicay@...il.com>,
Mahesh Bandewar (महेश बंडेवार)
<maheshb@...gle.com>, Mahesh Bandewar <mahesh@...dewar.net>,
LKML <linux-kernel@...r.kernel.org>,
Netdev <netdev@...r.kernel.org>,
Kernel-hardening <kernel-hardening@...ts.openwall.com>,
Linux API <linux-api@...r.kernel.org>,
Kees Cook <keescook@...omium.org>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Eric Dumazet <edumazet@...gle.com>,
David Miller <davem@...emloft.net>
Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control
capabilities of some user namespaces
On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn <serge@...lyn.com> wrote:
> Quoting Daniel Micay (danielmicay@...il.com):
>> Substantial added attack surface will never go away as a problem. There
>> aren't a finite number of vulnerabilities to be found.
>
> There's varying levels of usefulness and quality. There is code which I
> want to be able to use in a container, and code which I can't ever see a
> reason for using there. The latter, especially if it's also in a
> staging driver, would be nice to have a toggle to disable.
>
> You're not advocating dropping the added attack surface, only adding a
> way of dealing with an 0day after the fact. Privilege raising 0days can
> exist anywhere, not just in code which only root in a user namespace can
> exercise. So from that point of view, ksplice seems a more complete
> solution. Why not just actually fix the bad code block when we know
> about it?
>
> Finally, it has been well argued that you can gain many new caps from
> having only a few others. Given that, how could you ever be sure that,
> if an 0day is found which allows root in a user ns to abuse
> CAP_NET_ADMIN against the host, just keeping CAP_NET_ADMIN from them
> would suffice? It seems to me that the existing control in
> /proc/sys/kernel/unprivileged_userns_clone might be the better duct tape
> in that case.
>
> -serge
This seems to be heading toward "we need full zones in Linux" with
their own procfs and sysfs namespace and a stricter isolation model
for resources and capabilities. So long as things can happen in a
namespace which have a privileged relationship with host resources,
this is going to be cat-and-mouse to one degree or another.
Containers and namespaces dont have a one-to-one relationship, so i'm
not sure that's the best term to use in the kernel security context
since there's a bunch of userspace and implementation delta across the
different systems (with their own security models and so forth).
Without accounting for what a specific implementation may or may not
do, and only looking at "how do we reduce privileged impact on parent
context from unprivileged namespaces," this patch does seem to provide
a logical way of reducing the privileges available in such a namespace
and often needed to mount escapes/impact parent context.
-Boris
--
Boris Lukashev
Systems Architect
Semper Victus
Powered by blists - more mailing lists