From: Jonathan Calmels <jcalmels@3xx0.net>
To: John Johansen <john.johansen@canonical.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
brauner@kernel.org, ebiederm@xmission.com,
Luis Chamberlain <mcgrof@kernel.org>,
Kees Cook <keescook@chromium.org>,
Joel Granados <j.granados@samsung.com>,
Serge Hallyn <serge@hallyn.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
David Howells <dhowells@redhat.com>,
containers@lists.linux.dev, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH 0/3] Introduce user namespace capabilities
Date: Tue, 21 May 2024 17:45:07 -0700 [thread overview]
Message-ID: <7psuqchpr5njlcqb3koeyqz3y2jhuc44vfeockygdarqyc3eyu@qpmujctxfmak> (raw)
In-Reply-To: <872c8eb0-894b-413a-8e35-130984a87bba@canonical.com>
On Tue, May 21, 2024 at 07:45:20AM GMT, John Johansen wrote:
> On 5/21/24 07:12, Jarkko Sakkinen wrote:
> > On Tue May 21, 2024 at 4:57 PM EEST, John Johansen wrote:
> > > > One tip: I think this is wrong forum to present namespace ideas in the
> > > > first place. It would be probably better to talk about this with e.g.
> > > > systemd or podman developers, and similar groups. There's zero evidence
> > > > of the usefulness. Then when you go that route and come back with actual
> > > > users, things click much more easily. Now this is all in the void.
> > > >
> > > > BR, Jarkko
> > >
> > > Jarkko,
> > >
> > > this is very much the right forum. User namespaces exist today. This
> > > is a discussion around trying to reduce the exposed kernel surface
> > > that is being used to attack the kernel.
> >
> > Agreed, that was harsh way to put it. What I mean is that if this
> > feature was included, would it be enabled by distributions?
> >
> Enabled, maybe? It requires the debian distros to make sure their
> packaging supports xattrs correctly. It should be good but it isn't
> well exercised. It also requires the work to set these on multiple
> applications. From experience we are talking 100s.
>
> It will break out of repo applications, and require an extra step for
> users to enable. Ubuntu is already breaking these but for many, of the
> more popular ones they are shipping profiles so the users don't have
> to take an extra step. Things like appimages remain broken and wil
> require an approach similar to the Mac with unverified software
> downloaded from the internet.
>
> Nor does this fix the bwrap, unshare, ... use case. Which means the
> distro is going to have to continue shipping an alternate solution
> that covers those. For Ubuntu atm this is just an extra point of
> friction but I expect we would still end up enabling it to tick the
> checkbox at some point if it goes into the upstream kernel.
I'm not sure I understand your point here and how this relates to xattrs.
This patchset has nothing to do with file capabilities. The userns
capability set is purely a process based capability set and in no way
influenced by file attributes.
> > This user base part or potential user space part is not very well
> > described in the cover letter. I.e. "motivation" to put it short.
> >
> yes the cover letter needs work
Yes, it's been mentioned several times already.
While not in the cover letter, the motivation is stated in the first
patch and provides several references to past discussions on the topic.
This is nothing new, this subject has been contentious for years now and
discussed over and over on these lists (Eric would know :)). As
mentioned in the patch also, this recently warranted the inclusion of
new LSM hooks.
But again, I wrongfully assumed that this problem was well understood
and still relatively fresh, that's my bad.
> > I mean the technical details are really in detail in this patch set but
> > it would help to digest them if there was some even rough description
> > how this would be deployed.
> >
> yes
Yes, this was purposefully left out so as not to influence any specific
implementation. There is a mention of where this could be done (i.e.
init, pam), but at the end of the day, this is going to depend on each
use case.
Having said that, since it appears to be confusing, maybe we could add
some of the examples I sent out in this thread or the other ones.
I want to reiterate that this is a generic capability set, this is not
magic switch you turn on to secure the whole system.
Its implementation is going to vary across environments and it is going
to be dictated by your threat model.
For example, John's threat model of securing a multi-user Ubuntu Desktop
is going to be very different than say securing a server where all the
userspace is fixed and known.
The former might require additional integration with the LSM subsystem.
Thankfully, this patch should synergize well with it.
Fundamentally, and at its core, it's very simple. Serge put it nicely:
> If you want root in a child user namespace to not have CAP_MAC_ADMIN,
> you drop it from your pU. Simple as that.
From there, you can imagine any integration you want in userspace and
ways to enforce your own policies.
TLDR, this is a first step towards empowering userspace with control
over capabilities granted by a userns. At present, the kernel does not
offer ways to do this. By itself, it is not a comprehensive solution
designed to thwart threat actors. However, it gives userspace the option
to do so.
next prev parent reply other threads:[~2024-05-22 0:40 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-16 9:22 [PATCH 0/3] Introduce user namespace capabilities Jonathan Calmels
2024-05-16 9:22 ` [PATCH 1/3] capabilities: " Jonathan Calmels
2024-05-16 12:27 ` Jarkko Sakkinen
2024-05-16 22:07 ` John Johansen
2024-05-17 10:51 ` Jonathan Calmels
2024-05-17 11:59 ` John Johansen
2024-05-18 3:50 ` Jonathan Calmels
2024-05-18 12:27 ` John Johansen
2024-05-19 1:33 ` Jonathan Calmels
2024-05-17 11:32 ` Eric W. Biederman
2024-05-17 11:55 ` Jonathan Calmels
2024-05-17 12:48 ` John Johansen
2024-05-17 14:22 ` Eric W. Biederman
2024-05-17 18:02 ` Jonathan Calmels
2024-05-21 15:52 ` John Johansen
2024-05-20 3:30 ` Serge E. Hallyn
2024-05-20 3:36 ` Serge E. Hallyn
2024-05-16 9:22 ` [PATCH 2/3] capabilities: add securebit for strict userns caps Jonathan Calmels
2024-05-16 12:42 ` Jarkko Sakkinen
2024-05-20 3:38 ` Serge E. Hallyn
2024-05-16 9:22 ` [PATCH 3/3] capabilities: add cap userns sysctl mask Jonathan Calmels
2024-05-16 12:44 ` Jarkko Sakkinen
2024-05-20 3:38 ` Serge E. Hallyn
2024-05-20 13:30 ` Tycho Andersen
2024-05-20 19:25 ` Jonathan Calmels
2024-05-20 21:13 ` Tycho Andersen
2024-05-20 22:12 ` Jarkko Sakkinen
2024-05-21 14:29 ` Tycho Andersen
2024-05-21 14:45 ` Jarkko Sakkinen
2024-05-16 13:30 ` [PATCH 0/3] Introduce user namespace capabilities Ben Boeckel
2024-05-16 13:36 ` Jarkko Sakkinen
2024-05-17 10:00 ` Jonathan Calmels
2024-05-16 16:23 ` Paul Moore
2024-05-16 17:18 ` Jarkko Sakkinen
2024-05-16 19:07 ` Casey Schaufler
2024-05-16 19:29 ` Jarkko Sakkinen
2024-05-16 19:31 ` Jarkko Sakkinen
2024-05-16 20:00 ` Jarkko Sakkinen
2024-05-17 11:42 ` Jonathan Calmels
2024-05-17 17:53 ` Casey Schaufler
2024-05-17 19:11 ` Jonathan Calmels
2024-05-18 11:08 ` Jarkko Sakkinen
2024-05-18 11:17 ` Jarkko Sakkinen
2024-05-18 11:21 ` Jarkko Sakkinen
2024-05-21 13:57 ` John Johansen
2024-05-21 14:12 ` Jarkko Sakkinen
2024-05-21 14:45 ` John Johansen
2024-05-22 0:45 ` Jonathan Calmels [this message]
2024-05-31 7:43 ` John Johansen
2024-05-18 12:20 ` Serge Hallyn
2024-05-19 17:03 ` Casey Schaufler
2024-05-20 0:54 ` Jonathan Calmels
2024-05-21 14:29 ` John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7psuqchpr5njlcqb3koeyqz3y2jhuc44vfeockygdarqyc3eyu@qpmujctxfmak \
--to=jcalmels@3xx0.net \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=containers@lists.linux.dev \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=j.granados@samsung.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).