Date: Thu, 9 Nov 2017 22:30:10 -0600 From: "Serge E. Hallyn" <serge@...lyn.com> To: Mahesh Bandewar (महेश बंडेवार) <maheshb@...gle.com> Cc: "Serge E. Hallyn" <serge@...lyn.com>, Mahesh Bandewar <mahesh@...dewar.net>, LKML <linux-kernel@...r.kernel.org>, Netdev <netdev@...r.kernel.org>, Kernel-hardening <kernel-hardening@...ts.openwall.com>, Linux API <linux-api@...r.kernel.org>, Kees Cook <keescook@...omium.org>, "Eric W . Biederman" <ebiederm@...ssion.com>, Eric Dumazet <edumazet@...gle.com>, David Miller <davem@...emloft.net> Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist Quoting Mahesh Bandewar (महेश बंडेवार) (maheshb@...gle.com): ... > >> > >> ============================================================== > >> > >> +controlled_userns_caps_whitelist > >> + > >> +Capability mask that is whitelisted for "controlled" user namespaces. > >> +Any capability that is missing from this mask will not be allowed to > >> +any process that is attached to a controlled-userns. e.g. if CAP_NET_RAW > >> +is not part of this mask, then processes running inside any controlled > >> +userns's will not be allowed to perform action that needs CAP_NET_RAW > >> +capability. However, processes that are attached to a parent user-ns > >> +hierarchy that is *not* controlled and has CAP_NET_RAW can continue > >> +performing those actions. User-namespaces are marked "controlled" at > >> +the time of their creation based on the capabilities of the creator. > >> +A process that does not have CAP_SYS_ADMIN will create user-namespaces > >> +that are controlled. > > > > Hm. I think that's fine (the way 'controlled' user namespaces are > > defined), but that is design decision in itself, and should perhaps be > > discussed. > > > > Did you consider other ways? What about using CAP_SETPCAP? > > > I did try other ways e.g. using another bounding-set etc. but > eventually settled with this approach because of main two properties - No, I meant did you try other ways of defining a controlled user namespace, other than one which is created by a task lacking CAP_SYS_ADMIN? ... > >> +The value is expressed as two comma separated hex words (u32). This > > > > Why comma separated? whitespace ok? Leading 0x ok? What is the > > default at boot? (Obviously the patch tells me, I'm asking for it > > to be spelled out in the doc) > > > I tried multiple ways including representing capabilities in > string/name form for better readability but didn't want to add > additional complexities of dealing with strings and possible > string-related-issues for this. Also didn't want to reinvent the new > form so settled with something that is widely used (cpu > bounding/affinity/irq mapping etc.) and is capable of handling growing > bit set (currently 37 but possibly more later). Ok, thanks.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.