Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Fri, Nov 10, 2017 at 1:46 PM, Serge E. Hallyn wrote: > Quoting Eric W. Biederman (ebied...@xmission.com): >> single sandbox. I am not at all certain that the capabilities is the >> proper place to limit code reachability. > > Right, I keep having this gut feeling that there

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Fri, Nov 10, 2017 at 1:46 PM, Serge E. Hallyn wrote: > Quoting Eric W. Biederman (ebied...@xmission.com): >> single sandbox. I am not at all certain that the capabilities is the >> proper place to limit code reachability. > > Right, I keep having this gut feeling that there is another way we

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting Eric W. Biederman (ebied...@xmission.com): > single sandbox. I am not at all certain that the capabilities is the > proper place to limit code reachability. Right, I keep having this gut feeling that there is another way we should be doing that. Maybe based on ksplice or perf, or maybe

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting Eric W. Biederman (ebied...@xmission.com): > single sandbox. I am not at all certain that the capabilities is the > proper place to limit code reachability. Right, I keep having this gut feeling that there is another way we should be doing that. Maybe based on ksplice or perf, or maybe

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Fri, Nov 10, 2017 at 6:58 AM, Eric W. Biederman wrote: > "Mahesh Bandewar (महेश बंडेवार)" writes: > >> [resend response as earlier one failed because of formatting issues] >> >> On Thu, Nov 9, 2017 at 12:21 PM, Serge E. Hallyn

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Fri, Nov 10, 2017 at 6:58 AM, Eric W. Biederman wrote: > "Mahesh Bandewar (महेश बंडेवार)" writes: > >> [resend response as earlier one failed because of formatting issues] >> >> On Thu, Nov 9, 2017 at 12:21 PM, Serge E. Hallyn wrote: >>> >>> On Thu, Nov 09, 2017 at 09:55:41AM +0900, Mahesh

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

"Mahesh Bandewar (महेश बंडेवार)" writes: > [resend response as earlier one failed because of formatting issues] > > On Thu, Nov 9, 2017 at 12:21 PM, Serge E. Hallyn wrote: >> >> On Thu, Nov 09, 2017 at 09:55:41AM +0900, Mahesh Bandewar (महेश बंडेवार) >>

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

"Mahesh Bandewar (महेश बंडेवार)" writes: > [resend response as earlier one failed because of formatting issues] > > On Thu, Nov 9, 2017 at 12:21 PM, Serge E. Hallyn wrote: >> >> On Thu, Nov 09, 2017 at 09:55:41AM +0900, Mahesh Bandewar (महेश बंडेवार) >> wrote: >> > On Thu, Nov 9, 2017 at 4:02

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On 11/09/2017 01:05 PM, Serge E. Hallyn wrote: Would the existing capability bounding set not suffice for that? The 'permanent' bounding set turns out to not be a good fit for the problem being discussed in this thread, but please feel free to start a new thread if you want to discuss your use

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On 11/09/2017 01:05 PM, Serge E. Hallyn wrote: Would the existing capability bounding set not suffice for that? The 'permanent' bounding set turns out to not be a good fit for the problem being discussed in this thread, but please feel free to start a new thread if you want to discuss your use

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting chris hyser (chris.hy...@oracle.com): > On 11/06/2017 10:23 PM, Serge E. Hallyn wrote: > >I think I definately prefer what I mentioned in the email to Boris. > >Basically a "permanent capability bounding set". The normal bounding > >set gets reset to a full set on every new user_ns

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting chris hyser (chris.hy...@oracle.com): > On 11/06/2017 10:23 PM, Serge E. Hallyn wrote: > >I think I definately prefer what I mentioned in the email to Boris. > >Basically a "permanent capability bounding set". The normal bounding > >set gets reset to a full set on every new user_ns

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On 11/06/2017 10:23 PM, Serge E. Hallyn wrote: I think I definately prefer what I mentioned in the email to Boris. Basically a "permanent capability bounding set". The normal bounding set gets reset to a full set on every new user_ns creation. In this proposal, it would instead be set to the

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On 11/06/2017 10:23 PM, Serge E. Hallyn wrote: I think I definately prefer what I mentioned in the email to Boris. Basically a "permanent capability bounding set". The normal bounding set gets reset to a full set on every new user_ns creation. In this proposal, it would instead be set to the

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): > Of course. Let's take an example of the CVE that I have mentioned in > my cover-letter - > CVE-2017-7308(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308). > It's well documented and even has a >

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): > Of course. Let's take an example of the CVE that I have mentioned in > my cover-letter - > CVE-2017-7308(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308). > It's well documented and even has a >

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

[resend response as earlier one failed because of formatting issues] On Thu, Nov 9, 2017 at 12:21 PM, Serge E. Hallyn wrote: > > On Thu, Nov 09, 2017 at 09:55:41AM +0900, Mahesh Bandewar (महेश बंडेवार) > wrote: > > On Thu, Nov 9, 2017 at 4:02 AM, Christian Brauner > >

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

[resend response as earlier one failed because of formatting issues] On Thu, Nov 9, 2017 at 12:21 PM, Serge E. Hallyn wrote: > > On Thu, Nov 09, 2017 at 09:55:41AM +0900, Mahesh Bandewar (महेश बंडेवार) > wrote: > > On Thu, Nov 9, 2017 at 4:02 AM, Christian Brauner > > wrote: > > > On Wed, Nov

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Thu, Nov 09, 2017 at 09:55:41AM +0900, Mahesh Bandewar (महेश बंडेवार) wrote: > On Thu, Nov 9, 2017 at 4:02 AM, Christian Brauner > wrote: > > On Wed, Nov 08, 2017 at 03:09:59AM -0800, Mahesh Bandewar (महेश बंडेवार) > > wrote: > >> Sorry folks I was traveling

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Thu, Nov 09, 2017 at 09:55:41AM +0900, Mahesh Bandewar (महेश बंडेवार) wrote: > On Thu, Nov 9, 2017 at 4:02 AM, Christian Brauner > wrote: > > On Wed, Nov 08, 2017 at 03:09:59AM -0800, Mahesh Bandewar (महेश बंडेवार) > > wrote: > >> Sorry folks I was traveling and seems like lot happened on

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Thu, Nov 9, 2017 at 4:02 AM, Christian Brauner wrote: > On Wed, Nov 08, 2017 at 03:09:59AM -0800, Mahesh Bandewar (महेश बंडेवार) > wrote: >> Sorry folks I was traveling and seems like lot happened on this thread. :p >> >> I will try to response few of these

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Thu, Nov 9, 2017 at 4:02 AM, Christian Brauner wrote: > On Wed, Nov 08, 2017 at 03:09:59AM -0800, Mahesh Bandewar (महेश बंडेवार) > wrote: >> Sorry folks I was traveling and seems like lot happened on this thread. :p >> >> I will try to response few of these comments selectively - >> >> > The

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Wed, Nov 08, 2017 at 03:09:59AM -0800, Mahesh Bandewar (महेश बंडेवार) wrote: > Sorry folks I was traveling and seems like lot happened on this thread. :p > > I will try to response few of these comments selectively - > > > The thing that makes me hesitate with this set is that it is a > >

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Wed, Nov 08, 2017 at 03:09:59AM -0800, Mahesh Bandewar (महेश बंडेवार) wrote: > Sorry folks I was traveling and seems like lot happened on this thread. :p > > I will try to response few of these comments selectively - > > > The thing that makes me hesitate with this set is that it is a > >

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Sorry folks I was traveling and seems like lot happened on this thread. :p I will try to response few of these comments selectively - > The thing that makes me hesitate with this set is that it is a > permanent new feature to address what (I hope) is a temporary > problem. I agree this is

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Sorry folks I was traveling and seems like lot happened on this thread. :p I will try to response few of these comments selectively - > The thing that makes me hesitate with this set is that it is a > permanent new feature to address what (I hope) is a temporary > problem. I agree this is

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 06, 2017 at 07:01:58PM -0500, Boris Lukashev wrote: > On Mon, Nov 6, 2017 at 6:39 PM, Serge E. Hallyn wrote: > > Quoting Boris Lukashev (blukas...@sempervictus.com): > >> On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: > >> > Quoting Daniel

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 06, 2017 at 07:01:58PM -0500, Boris Lukashev wrote: > On Mon, Nov 6, 2017 at 6:39 PM, Serge E. Hallyn wrote: > > Quoting Boris Lukashev (blukas...@sempervictus.com): > >> On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: > >> > Quoting Daniel Micay (danielmi...@gmail.com): > >>

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 06, 2017 at 09:16:03PM -0500, Daniel Micay wrote: > On Mon, 2017-11-06 at 16:14 -0600, Serge E. Hallyn wrote: > > Quoting Daniel Micay (danielmi...@gmail.com): > > > Substantial added attack surface will never go away as a problem. > > > There > > > aren't a finite number of

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 06, 2017 at 09:16:03PM -0500, Daniel Micay wrote: > On Mon, 2017-11-06 at 16:14 -0600, Serge E. Hallyn wrote: > > Quoting Daniel Micay (danielmi...@gmail.com): > > > Substantial added attack surface will never go away as a problem. > > > There > > > aren't a finite number of

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, 2017-11-06 at 16:14 -0600, Serge E. Hallyn wrote: > Quoting Daniel Micay (danielmi...@gmail.com): > > Substantial added attack surface will never go away as a problem. > > There > > aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, 2017-11-06 at 16:14 -0600, Serge E. Hallyn wrote: > Quoting Daniel Micay (danielmi...@gmail.com): > > Substantial added attack surface will never go away as a problem. > > There > > aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 6, 2017 at 6:39 PM, Serge E. Hallyn wrote: > Quoting Boris Lukashev (blukas...@sempervictus.com): >> On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: >> > Quoting Daniel Micay (danielmi...@gmail.com): >> >> Substantial added attack surface

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 6, 2017 at 6:39 PM, Serge E. Hallyn wrote: > Quoting Boris Lukashev (blukas...@sempervictus.com): >> On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: >> > Quoting Daniel Micay (danielmi...@gmail.com): >> >> Substantial added attack surface will never go away as a problem. There

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting Boris Lukashev (blukas...@sempervictus.com): > On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: > > Quoting Daniel Micay (danielmi...@gmail.com): > >> Substantial added attack surface will never go away as a problem. There > >> aren't a finite number of

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting Boris Lukashev (blukas...@sempervictus.com): > On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: > > Quoting Daniel Micay (danielmi...@gmail.com): > >> Substantial added attack surface will never go away as a problem. There > >> aren't a finite number of vulnerabilities to be found.

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: > Quoting Daniel Micay (danielmi...@gmail.com): >> Substantial added attack surface will never go away as a problem. There >> aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: > Quoting Daniel Micay (danielmi...@gmail.com): >> Substantial added attack surface will never go away as a problem. There >> aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and quality. There

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 06, 2017 at 04:14:18PM -0600, Serge Hallyn wrote: > Quoting Daniel Micay (danielmi...@gmail.com): > > Substantial added attack surface will never go away as a problem. There > > aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

On Mon, Nov 06, 2017 at 04:14:18PM -0600, Serge Hallyn wrote: > Quoting Daniel Micay (danielmi...@gmail.com): > > Substantial added attack surface will never go away as a problem. There > > aren't a finite number of vulnerabilities to be found. > > There's varying levels of usefulness and

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting Daniel Micay (danielmi...@gmail.com): > Substantial added attack surface will never go away as a problem. There > aren't a finite number of vulnerabilities to be found. There's varying levels of usefulness and quality. There is code which I want to be able to use in a container, and code

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Quoting Daniel Micay (danielmi...@gmail.com): > Substantial added attack surface will never go away as a problem. There > aren't a finite number of vulnerabilities to be found. There's varying levels of usefulness and quality. There is code which I want to be able to use in a container, and code

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Substantial added attack surface will never go away as a problem. There aren't a finite number of vulnerabilities to be found.

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

Substantial added attack surface will never go away as a problem. There aren't a finite number of vulnerabilities to be found.