From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Richard Weinberger" <richard@nod.at>,
"Andy Lutomirski" <luto@amacapital.net>,
"Robert Święcki" <robert@swiecki.net>,
"Dmitry Vyukov" <dvyukov@google.com>,
"David Howells" <dhowells@redhat.com>,
"Miklos Szeredi" <mszeredi@suse.cz>,
"Kostya Serebryany" <kcc@google.com>,
"Alexander Potapenko" <glider@google.com>,
"Eric Dumazet" <edumazet@google.com>,
"Sasha Levin" <sasha.levin@oracle.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
Date: Fri, 22 Jan 2016 21:02:40 -0600 [thread overview]
Message-ID: <8737tp0zhr.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <1453502345-30416-1-git-send-email-keescook@chromium.org> (Kees Cook's message of "Fri, 22 Jan 2016 14:39:03 -0800")
Kees Cook <keescook@chromium.org> writes:
> There continues to be unexpected side-effects and security exposures
> via CLONE_NEWUSER. For many end-users running distro kernels with
> CONFIG_USER_NS enabled, there is no way to disable this feature when
> desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so
> admins not running containers or Chrome can avoid the risks of this
> feature.
I don't actually think there do continue to be unexpected side-effects
and security exposures with CLONE_NEWUSER. It takes a while for all of
the fixes to trickle out to distros. At most what I have seen recently
are problems with other kernel interfaces being amplified with user
namespaces. AKA the current mess with devpts, and the unexpected
issues with bind mounts in mount namespaces.
I have a couple of concerns with a sysctl.
1) As user namespaces settle out this sysctl has the potential to
decrease the security of the system overall as sandboxing
features of the kernel will not be available to unprivileged
applications.
Web browsing with chrome will be less safe for example.
2) I strongly suspect the granularity of a sysctl is wrong for access to
user namespaces on a production system.
In general I suspect what we want is something like seccomp. I
believe all of the relevant bits are in registers. I actually
thought that was enough for seccomp. Does seccomp not work for
some reason?
3) A sysctl breeds a false sense of security in thinking that if a
security issue is discovered you can just flip a switch, disable
all new user namespaces and you won't be vulnerable.
In fact most of the issues in the past have only required being in
a user namespace to trigger. Which means any containers or user
namespaces that already exist could be used to exploit any new
found issue. Which means that a I don't think a sysctl will give
the desired level of protection.
In my analysis of the issues to date I don't know of anything
short of a reboot that would meaninfully remove the threat.
4) With applications like docker coming on-line I don't think a
restriction to processes with capabilities is actually meaninful
for restricting access to user namespaces.
So I have concerns about both efficacy and usability with the proposed
sysctl.
So to keep this productive. Please tell me about the threat model
you envision, and how you envision knobs in the kernel being used to
counter those threats.
Eric
next prev parent reply other threads:[~2016-01-23 3:12 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-22 22:39 Kees Cook
2016-01-22 22:39 ` [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin Kees Cook
2016-01-23 3:10 ` Eric W. Biederman
2016-01-23 22:25 ` [kernel-hardening] " Jann Horn
2016-01-24 1:20 ` Eric W. Biederman
2016-01-24 1:43 ` Al Viro
2016-01-24 1:56 ` Jann Horn
2016-01-24 6:02 ` Eric W. Biederman
2016-01-24 6:32 ` Jann Horn
2016-01-24 6:44 ` Eric W. Biederman
2016-01-22 22:39 ` [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook
2016-01-22 22:47 ` Robert Święcki
2016-01-22 22:50 ` Kees Cook
2016-01-22 22:55 ` Robert Święcki
2016-01-22 23:00 ` Kees Cook
2016-01-23 0:44 ` Serge Hallyn
2016-01-23 0:44 ` Serge Hallyn
2016-01-23 0:59 ` [kernel-hardening] " Ben Hutchings
2016-01-24 20:59 ` Kees Cook
2016-01-24 22:20 ` Andy Lutomirski
2016-01-25 18:51 ` Kees Cook
2016-01-22 22:49 ` [PATCH 0/2] " Richard Weinberger
2016-01-23 3:02 ` Eric W. Biederman [this message]
2016-01-24 20:57 ` Kees Cook
2016-01-26 7:38 ` [kernel-hardening] " Serge Hallyn
2016-01-24 22:22 ` Andy Lutomirski
2016-01-25 18:51 ` Kees Cook
2016-01-25 18:53 ` Andy Lutomirski
2016-01-25 18:56 ` Kees Cook
2016-01-25 19:33 ` Eric W. Biederman
2016-01-25 22:34 ` Kees Cook
2016-01-25 23:33 ` Andy Lutomirski
2016-01-26 2:27 ` [kernel-hardening] " Daniel Micay
2016-01-26 4:57 ` Eric W. Biederman
2016-01-26 14:38 ` Josh Boyer
2016-01-26 14:46 ` Austin S. Hemmelgarn
2016-01-26 14:56 ` Josh Boyer
2016-01-26 17:20 ` [kernel-hardening] " Serge Hallyn
2016-01-26 19:56 ` Josh Boyer
2016-01-26 20:11 ` Austin S. Hemmelgarn
2016-01-26 17:15 ` Serge Hallyn
2016-01-26 18:09 ` Austin S. Hemmelgarn
2016-01-26 18:27 ` Andy Lutomirski
2016-01-26 18:45 ` Austin S. Hemmelgarn
2016-01-26 23:15 ` Kees Cook
2016-01-26 23:13 ` Kees Cook
2016-01-27 10:27 ` Eric W. Biederman
2016-01-27 12:32 ` Austin S. Hemmelgarn
2016-01-28 14:41 ` Robert Święcki
2016-01-26 16:37 ` Kees Cook
2016-01-28 8:56 ` [kernel-hardening] " Serge E. Hallyn
2016-01-28 12:53 ` Austin S. Hemmelgarn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8737tp0zhr.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=kcc@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mszeredi@suse.cz \
--cc=richard@nod.at \
--cc=robert@swiecki.net \
--cc=sasha.levin@oracle.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome