Date: Fri, 10 Nov 2017 14:05:51 +0900 From: Mahesh Bandewar (महेश बंडेवार) <maheshb@...gle.com> To: "Serge E. Hallyn" <serge@...lyn.com> Cc: Mahesh Bandewar <mahesh@...dewar.net>, LKML <linux-kernel@...r.kernel.org>, Netdev <netdev@...r.kernel.org>, Kernel-hardening <kernel-hardening@...ts.openwall.com>, Linux API <linux-api@...r.kernel.org>, Kees Cook <keescook@...omium.org>, "Eric W . Biederman" <ebiederm@...ssion.com>, Eric Dumazet <edumazet@...gle.com>, David Miller <davem@...emloft.net> Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist On Fri, Nov 10, 2017 at 1:30 PM, Serge E. Hallyn <serge@...lyn.com> wrote: > Quoting Mahesh Bandewar (महेश बंडेवार) (maheshb@...gle.com): > ... >> >> >> >> ============================================================== >> >> >> >> +controlled_userns_caps_whitelist >> >> + >> >> +Capability mask that is whitelisted for "controlled" user namespaces. >> >> +Any capability that is missing from this mask will not be allowed to >> >> +any process that is attached to a controlled-userns. e.g. if CAP_NET_RAW >> >> +is not part of this mask, then processes running inside any controlled >> >> +userns's will not be allowed to perform action that needs CAP_NET_RAW >> >> +capability. However, processes that are attached to a parent user-ns >> >> +hierarchy that is *not* controlled and has CAP_NET_RAW can continue >> >> +performing those actions. User-namespaces are marked "controlled" at >> >> +the time of their creation based on the capabilities of the creator. >> >> +A process that does not have CAP_SYS_ADMIN will create user-namespaces >> >> +that are controlled. >> > >> > Hm. I think that's fine (the way 'controlled' user namespaces are >> > defined), but that is design decision in itself, and should perhaps be >> > discussed. >> > >> > Did you consider other ways? What about using CAP_SETPCAP? >> > >> I did try other ways e.g. using another bounding-set etc. but >> eventually settled with this approach because of main two properties - > > No, I meant did you try other ways of defining a controlled user > namespace, other than one which is created by a task lacking > CAP_SYS_ADMIN? > SYS_ADMIN is the capability that has been used for deciding who can or cannot create namespaces, so didn't want to create another model that may not be compatible with current model which is well understood hence no. > ... > >> >> +The value is expressed as two comma separated hex words (u32). This >> > >> > Why comma separated? whitespace ok? Leading 0x ok? What is the >> > default at boot? (Obviously the patch tells me, I'm asking for it >> > to be spelled out in the doc) >> > >> I tried multiple ways including representing capabilities in >> string/name form for better readability but didn't want to add >> additional complexities of dealing with strings and possible >> string-related-issues for this. Also didn't want to reinvent the new >> form so settled with something that is widely used (cpu >> bounding/affinity/irq mapping etc.) and is capable of handling growing >> bit set (currently 37 but possibly more later). > > Ok, thanks.
Powered by blists - more mailing lists