From: Jann Horn <jann@thejh.net>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [TOPIC] kernel hardening / self-protection / whatever
Date: Mon, 11 Jul 2016 19:33:29 +0200 [thread overview]
Message-ID: <20160711173329.GA8240@pc.thejh.net> (raw)
In-Reply-To: <CALCETrXtfzi=G4H+Zttv3kWcCo32V6cO9OBfdyuYT4DHvJTJLg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2130 bytes --]
On Sun, Jul 10, 2016 at 09:28:53PM -0700, Andy Lutomirski wrote:
> Are there useful things to discuss in person about hardening? [...]
I think that an interesting question to discuss might be whether, and
if so, how, it makes sense to add restrictions to namespaces.
Namespaces, as a concept, aren't very scary when you keep in mind that
they only grant privileges to otherwise unprivileged users when they
interact with things inside their namespaces. However, in their
implementation, they are somewhat scary because they expose code to
unprivileged users that was written as code only root could reach. As
an example, have a look at NCC Group's netfilter bugs (and netfilter
in general; iirc, the filter parsing code has exponential complexity
without process death checks, which afaik shouldn't happen in any
code normal users can reach).
User namespaces alone are pretty simple. I don't know everything
about mount namespaces, but I think they also don't expose big masses
of kernel code, and IPC, PID and UTS namespaces are pretty simple.
I think that network namespaces, compared to other namespace types,
expose a lot of code. Grepping for CAP_SYS_ADMIN with
`egrep -R '(ns_capable|netlink_net_capable).*CAP_NET_ADMIN'`
returns a bunch of things, including netlink stuff, netfilter,
sysctls, AF_KEY stuff, bridges, routing, socket repair, ARP and
tunnel devices. At the same time, they are one of the lesser-used
namespace types: Containers need them, but sandboxes don't really
need them for much apart from making abstract unix sockets and
networking in general inaccessible.
For this reason, I'm wondering whether it might make sense to create
a new global capability set that specifies which capabilities should
be inherited on namespace entry / namespace access from outside
instead of being set unconditionally, and then let distros and/or
system administrators use that to e.g. restrict CAP_NET_ADMIN.
But I'm not sure whether I'd want to fly over to the US to attend
the summit, and I'm not sure whether a discussion on this would
benefit from happening in person.
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2016-07-11 17:41 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-11 4:28 Andy Lutomirski
2016-07-11 13:05 ` Rafael J. Wysocki
2016-07-11 16:30 ` Eric W. Biederman
2016-07-11 17:57 ` Kees Cook
2016-07-12 16:40 ` Eric W. Biederman
2016-07-21 15:54 ` Mark Rutland
2016-07-11 17:33 ` Jann Horn [this message]
2016-07-19 15:40 ` Eric W. Biederman
2016-07-20 2:14 ` Andy Lutomirski
2016-07-20 2:14 ` Eric W. Biederman
2016-07-20 6:42 ` Herbert Xu
2016-07-21 17:03 ` Eric W. Biederman
2016-07-11 17:53 ` Kees Cook
2016-07-11 18:07 ` Josh Triplett
2016-07-11 18:59 ` Kees Cook
2016-07-31 9:55 ` Paul Burton
2016-07-31 22:04 ` Kees Cook
2016-08-01 10:47 ` Mark Rutland
2016-08-01 19:42 ` Kees Cook
2016-08-03 22:53 ` Catalin Marinas
2016-08-04 5:32 ` Kees Cook
2016-08-04 5:45 ` Andy Lutomirski
2016-08-04 5:54 ` Kees Cook
2016-08-05 0:12 ` Andy Lutomirski
2016-09-08 23:54 ` Kees Cook
2016-09-09 0:42 ` Andy Lutomirski
2016-08-04 14:17 ` Dave Hansen
2016-08-04 22:29 ` Catalin Marinas
2016-08-01 9:34 ` [Ksummit-discuss] [nominations] " Mark Rutland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160711173329.GA8240@pc.thejh.net \
--to=jann@thejh.net \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=luto@amacapital.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox