Re: [PATCH] userns/capability: Add user namespace capability

2015-10-22 Thread Eric W. Biederman
Andy Lutomirski writes: > At the risk of pointing out a can of worms, the attack surface also > includes things like the iptables configuration APIs, parsers, and > filter/conntrack/action modules. It is worth noting that module auto-load does not happen if the triggering code does not have the

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-22 Thread Andy Lutomirski
On Thu, Oct 22, 2015 at 1:45 PM, Eric W. Biederman wrote: > > Thank you for a creative solution to a problem that you perceive. I > appreciate it when people aim to solve problems they see. > > Tobias Markus writes: > >> On 17.10.2015 23:55, Serge E. Hallyn wrote: >>> On Sat, Oct 17, 2015 at

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-22 Thread Eric W. Biederman
Thank you for a creative solution to a problem that you perceive. I appreciate it when people aim to solve problems they see. Tobias Markus writes: > On 17.10.2015 23:55, Serge E. Hallyn wrote: >> On Sat, Oct 17, 2015 at 05:58:04PM +0200, Tobias Markus wrote: >>> Add capability

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-22 Thread Andy Lutomirski
On Wed, Oct 21, 2015 at 12:13 PM, Austin S Hemmelgarn wrote: > On 2015-10-21 14:53, Andy Lutomirski wrote: >> >> On Oct 19, 2015 7:25 AM, "Austin S Hemmelgarn" >> wrote: >>> >>> >>> On 2015-10-17 11:58, Tobias Markus wrote: Add capability CAP_SYS_USER_NS. Tasks having

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-21 Thread Austin S Hemmelgarn
On 2015-10-21 14:53, Andy Lutomirski wrote: On Oct 19, 2015 7:25 AM, "Austin S Hemmelgarn" wrote: On 2015-10-17 11:58, Tobias Markus wrote: Add capability CAP_SYS_USER_NS. Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace when calling clone or unshare with

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-21 Thread Andy Lutomirski
On Oct 19, 2015 7:25 AM, "Austin S Hemmelgarn" wrote: > > On 2015-10-17 11:58, Tobias Markus wrote: >> >> Add capability CAP_SYS_USER_NS. >> Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace >> when calling clone or unshare with CLONE_NEWUSER. >> >> Rationale: >> >> Linux

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-19 Thread Austin S Hemmelgarn
On 2015-10-17 11:58, Tobias Markus wrote: Add capability CAP_SYS_USER_NS. Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace when calling clone or unshare with CLONE_NEWUSER. Rationale: Linux 3.8 saw the introduction of unprivileged user namespaces, allowing unprivileged

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-19 Thread Richard Weinberger
On 19.10.2015 at 14:36, Yves-Alexis Perez wrote: > On Sun, 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote: >> We shouldn't need a long-term solution. Your concern is bugs. After >> some time surely we'll feel that we have achieved a stable solution? > > But this is actually the whole point:

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-19 Thread Yves-Alexis Perez
On Sun, 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote: > We shouldn't need a long-term solution.  Your concern is bugs.  After > some time surely we'll feel that we have achieved a stable solution? But this is actually the whole point: we need a long term solution, because they will always be

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Serge E. Hallyn
On Sun, Oct 18, 2015 at 10:13:54PM +0200, Tobias Markus wrote: > On 17.10.2015 23:55, Serge E. Hallyn wrote: > > On Sat, Oct 17, 2015 at 05:58:04PM +0200, Tobias Markus wrote: > >> Add capability CAP_SYS_USER_NS. > >> Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace > >>

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Mike Frysinger
On 18 Oct 2015 22:13, Tobias Markus wrote: > On 17.10.2015 22:17, Richard Weinberger wrote: > > On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: > >> One question remains though: Does this break userspace executables that > >> expect being able to create user namespaces without privilege?

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Richard Weinberger
On 18.10.2015 at 23:49, Tobias Markus wrote: > But before we continue arguing endlessly, I just got an idea: What about > adding a sysctl to enable/disable enforcement of the hypothetical > CAP_SYS_USER_NS, just like with /proc/sys/kernel/kptr_restrict and > CAP_SYSLOG? Would also prevent any

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Tobias Markus
On 18.10.2015 22:48, Richard Weinberger wrote: > On 18.10.2015 at 22:41, Tobias Markus wrote: >> On 18.10.2015 22:21, Richard Weinberger wrote: >>> On 18.10.2015 at 22:13, Tobias Markus wrote: On 17.10.2015 22:17, Richard Weinberger wrote: > On Sat, Oct 17, 2015 at 5:58 PM, Tobias

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Richard Weinberger
On 18.10.2015 at 22:41, Tobias Markus wrote: > On 18.10.2015 22:21, Richard Weinberger wrote: >> On 18.10.2015 at 22:13, Tobias Markus wrote: >>> On 17.10.2015 22:17, Richard Weinberger wrote: On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: > One question remains though: Does

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Tobias Markus
On 18.10.2015 22:21, Richard Weinberger wrote: > On 18.10.2015 at 22:13, Tobias Markus wrote: >> On 17.10.2015 22:17, Richard Weinberger wrote: >>> On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: One question remains though: Does this break userspace executables that expect being

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Richard Weinberger
On 18.10.2015 at 22:13, Tobias Markus wrote: > On 17.10.2015 22:17, Richard Weinberger wrote: >> On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: >>> One question remains though: Does this break userspace executables that >>> expect being able to create user namespaces without privilege?

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Tobias Markus
On 17.10.2015 22:17, Richard Weinberger wrote: > On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: >> One question remains though: Does this break userspace executables that >> expect being able to create user namespaces without privilege? Since >> creating user namespaces without

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Tobias Markus
On 17.10.2015 23:55, Serge E. Hallyn wrote: > On Sat, Oct 17, 2015 at 05:58:04PM +0200, Tobias Markus wrote: >> Add capability CAP_SYS_USER_NS. >> Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace >> when calling clone or unshare with CLONE_NEWUSER. >> >> Rationale: >> >>

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-17 Thread Serge E. Hallyn
On Sat, Oct 17, 2015 at 05:58:04PM +0200, Tobias Markus wrote: > Add capability CAP_SYS_USER_NS. > Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace > when calling clone or unshare with CLONE_NEWUSER. > > Rationale: > > Linux 3.8 saw the introduction of unprivileged user

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-17 Thread Richard Weinberger
On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: > One question remains though: Does this break userspace executables that > expect being able to create user namespaces without privilege? Since > creating user namespaces without CAP_SYS_ADMIN was not possible before > Linux 3.8, programs

[PATCH] userns/capability: Add user namespace capability

2015-10-17 Thread Tobias Markus
Add capability CAP_SYS_USER_NS. Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace when calling clone or unshare with CLONE_NEWUSER. Rationale: Linux 3.8 saw the introduction of unprivileged user namespaces, allowing unprivileged users (without CAP_SYS_ADMIN) to be a
