From: Paul Moore <paul@paul-moore.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "~akihirosuda" <suda.kyoto@gmail.com>,
linux-kernel@vger.kernel.org, containers@lists.linux.dev,
serge@hallyn.com, brauner@kernel.org,
akihiro.suda.cz@hco.ntt.co.jp
Subject: Re: [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range"
Date: Thu, 1 Jun 2023 21:01:55 -0400 [thread overview]
Message-ID: <CAHC9VhRk3WhXh-GTDSKFW3PujXiQCDy3xk4Xb9_Lo4szgQ5G6Q@mail.gmail.com> (raw)
In-Reply-To: <87fs7abu0f.fsf@email.froward.int.ebiederm.org>
On Thu, Jun 1, 2023 at 8:14 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
> Paul Moore <paul@paul-moore.com> writes:
> > On Tue, May 30, 2023 at 2:50 PM ~akihirosuda <akihirosuda@git.sr.ht> wrote:
> >>
> >> This sysctl limits groups who can create a new userns without
> >> CAP_SYS_ADMIN in the current userns, so as to mitigate potential kernel
> >> vulnerabilities around userns.
> >>
> >> The sysctl value format is same as "net.ipv4.ping_group_range".
> >>
> >> To disable creating new unprivileged userns, set the sysctl value to "1
> >> 0" in the initial userns.
> >>
> >> To allow everyone to create new userns, set the sysctl value to "0
> >> 4294967294". This is the default value.
> >>
> >> This sysctl replaces "kernel.unprivileged_userns_clone" that is found in
> >> Ubuntu [1] and Debian GNU/Linux.
> >>
> >> Link: https://git.launchpad.net/~ubuntu-
> >> kernel/ubuntu/+source/linux/+git/jammy/commit?id=3422764 [1]
> >
> > Given the challenges around adding access controls to userns
> > operations, have you considered using the LSM support that was added
> > upstream last year? The relevant LSM hook can be found in commit
> > 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),
>
> Paul how have you handled the real world regression I reported against
> chromium?
I don't track chromium development.
> Paul are you aware that the LSM hook can not be used to achieve the
> objective of this patchset?
/me shrugs
I thought one could look into a cred struct using a BPF LSM, which
would allow one to make access control decisions based on group ID,
but I will be the first to admit I'm not a BPF LSM expert.
Regardless, one could introduce a group ID check into a LSM if they
were so inclined.
I also find it slightly amusing that you are arguing against my reply
that was discussing *not* adding another userns control point; of all
people I thought you would be supportive of this ... /me shrugs again.
> > and although only SELinux currently provides an access control
> > implementation, there is no reason you couldn't add support for your
> > favorite LSM, or even just a simple BPF LSM to enforce the group
> > controls as you've described them here.
>
> Is there a publicly available SELinux policy that uses that LSM hook?
I have no idea, I don't track all of the publicly available SELinux
policies because frankly it doesn't matter; the SELinux feature
exists, and it is my role to support and maintain it. There are
LSM/SELinux features which are not widely exercised in general purpose
SELinux policies for various reasons, but *are* used in specialized
environments that are not often discussed on public mailing lists.
--
paul-moore.com
next prev parent reply other threads:[~2023-06-02 1:02 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-30 18:50 [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range" ~akihirosuda
2023-05-30 11:34 ` [PATCH linux 3/3] " ~akihirosuda
2023-05-31 4:20 ` kernel test robot
2023-05-30 14:42 ` [PATCH linux 1/3] net/ipv4: split group_range logic to kernel/group_range.c ~akihirosuda
2023-05-30 17:31 ` [PATCH linux 2/3] group_range: allow GID from 2147483648 to 4294967294 ~akihirosuda
2023-05-30 21:58 ` [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range" Paul Moore
2023-05-31 7:50 ` Christian Brauner
2023-06-02 0:14 ` Eric W. Biederman
2023-06-02 1:01 ` Paul Moore [this message]
2023-06-02 1:41 ` Eric W. Biederman
2023-06-02 14:50 ` Paul Moore
2023-06-02 21:02 ` Akihiro Suda
2023-06-02 0:06 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhRk3WhXh-GTDSKFW3PujXiQCDy3xk4Xb9_Lo4szgQ5G6Q@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=akihiro.suda.cz@hco.ntt.co.jp \
--cc=brauner@kernel.org \
--cc=containers@lists.linux.dev \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=suda.kyoto@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).