Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20171126064037.GB30279@mail.hallyn.com>
Date: Sun, 26 Nov 2017 00:40:37 -0600
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Mahesh Bandewar <mahesh@...dewar.net>
Cc: LKML <linux-kernel@...r.kernel.org>, Netdev <netdev@...r.kernel.org>,
	Kernel-hardening <kernel-hardening@...ts.openwall.com>,
	Linux API <linux-api@...r.kernel.org>,
	Kees Cook <keescook@...omium.org>, Serge Hallyn <serge@...lyn.com>,
	"Eric W . Biederman" <ebiederm@...ssion.com>,
	Eric Dumazet <edumazet@...gle.com>,
	David Miller <davem@...emloft.net>,
	Mahesh Bandewar <maheshb@...gle.com>
Subject: Re: [PATCHv2 2/2] userns: control capabilities of some user
 namespaces

Quoting Mahesh Bandewar (mahesh@...dewar.net):
> From: Mahesh Bandewar <maheshb@...gle.com>
> 
> With this new notion of "controlled" user-namespaces, the controlled
> user-namespaces are marked at the time of their creation while the
> capabilities of processes that belong to them are controlled using the
> global mask.
> 
> Init-user-ns is always uncontrolled and a process that has SYS_ADMIN
> that belongs to uncontrolled user-ns can create another (child) user-
> namespace that is uncontrolled. Any other process (that either does
> not have SYS_ADMIN or belongs to a controlled user-ns) can only
> create a user-ns that is controlled.
> 
> global-capability-whitelist (controlled_userns_caps_whitelist) is used
> at the capability check-time and keeps the semantics for the processes
> that belong to uncontrolled user-ns as it is. Processes that belong to
> controlled user-ns however are subjected to different checks-
> 
>    (a) if the capability in question is controlled and process belongs
>        to controlled user-ns, then it's always denied.
>    (b) if the capability in question is NOT controlled then fall back
>        to the traditional check.
> 
> Signed-off-by: Mahesh Bandewar <maheshb@...gle.com>

Acked-by: Serge Hallyn <serge@...lyn.com>

Although a few comment addition requests below:

> ---
> v2:
>   Don't recalculate user-ns flags for every setns() call.
> v1:
>   Initial submission.
> 
>  include/linux/capability.h     |  1 +
>  include/linux/user_namespace.h | 20 ++++++++++++++++++++
>  kernel/capability.c            |  5 +++++
>  kernel/user_namespace.c        |  4 ++++
>  security/commoncap.c           |  8 ++++++++
>  5 files changed, 38 insertions(+)
> 
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index 7d79a4689625..a1fd9e460379 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -251,6 +251,7 @@ extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
>  extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
>  int proc_douserns_caps_whitelist(struct ctl_table *table, int write,
>  				 void __user *buff, size_t *lenp, loff_t *ppos);

Here and at the definition below, please add a comment explaining
that a controlled cap is defined as not being in the sysctl.

> +bool is_capability_controlled(int cap);
>  
>  extern int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size);
>  
> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> index 3fe714da7f5a..647f825c7b5f 100644
> --- a/include/linux/user_namespace.h
> +++ b/include/linux/user_namespace.h
> @@ -23,6 +23,7 @@ struct uid_gid_map {	/* 64 bytes -- 1 cache line */
>  };
>  
>  #define USERNS_SETGROUPS_ALLOWED 1UL
> +#define USERNS_CONTROLLED	 2UL
>  
>  #define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
>  
> @@ -103,6 +104,16 @@ static inline void put_user_ns(struct user_namespace *ns)
>  		__put_user_ns(ns);
>  }
>  

Please add a comment explaining that a controlled ns
is one created by a user which did not have CAP_SYS_ADMIN
(or descended from such an ns).

> +static inline bool is_user_ns_controlled(const struct user_namespace *ns)
> +{
> +	return ns->flags & USERNS_CONTROLLED;
> +}
> +
> +static inline void mark_user_ns_controlled(struct user_namespace *ns)
> +{
> +	ns->flags |= USERNS_CONTROLLED;
> +}
> +
>  struct seq_operations;
>  extern const struct seq_operations proc_uid_seq_operations;
>  extern const struct seq_operations proc_gid_seq_operations;
> @@ -161,6 +172,15 @@ static inline struct ns_common *ns_get_owner(struct ns_common *ns)
>  {
>  	return ERR_PTR(-EPERM);
>  }
> +
> +static inline bool is_user_ns_controlled(const struct user_namespace *ns)
> +{
> +	return false;
> +}
> +
> +static inline void mark_user_ns_controlled(struct user_namespace *ns)
> +{
> +}
>  #endif
>  
>  #endif /* _LINUX_USER_H */
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 4a859b7d4902..bffe249922de 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -511,6 +511,11 @@ bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
>  }
>  
>  /* Controlled-userns capabilities routines */
> +bool is_capability_controlled(int cap)
> +{
> +	return !cap_raised(controlled_userns_caps_whitelist, cap);
> +}
> +
>  #ifdef CONFIG_SYSCTL
>  int proc_douserns_caps_whitelist(struct ctl_table *table, int write,
>  				 void __user *buff, size_t *lenp, loff_t *ppos)
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index c490f1e4313b..600c7dcb9ff7 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -139,6 +139,10 @@ int create_user_ns(struct cred *new)
>  		goto fail_keyring;
>  
>  	set_cred_user_ns(new, ns);
> +	if (!ns_capable(parent_ns, CAP_SYS_ADMIN) ||
> +	    is_user_ns_controlled(parent_ns))
> +		mark_user_ns_controlled(ns);
> +
>  	return 0;
>  fail_keyring:
>  #ifdef CONFIG_PERSISTENT_KEYRINGS
> diff --git a/security/commoncap.c b/security/commoncap.c
> index fc46f5b85251..89103f16ac37 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -73,6 +73,14 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>  {
>  	struct user_namespace *ns = targ_ns;
>  
> +	/* If the capability is controlled and user-ns that process
> +	 * belongs-to is 'controlled' then return EPERM and no need
> +	 * to check the user-ns hierarchy.
> +	 */
> +	if (is_user_ns_controlled(cred->user_ns) &&
> +	    is_capability_controlled(cap))
> +		return -EPERM;

I'd be curious to see the performance impact on this on a regular
workload (kernel build?) in a controlled ns.

> +
>  	/* See if cred has the capability in the target user namespace
>  	 * by examining the target user namespace and all of the target
>  	 * user namespace's parents.
> -- 
> 2.15.0.448.gf294e3d99a-goog

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.