On Mon, Apr 24, 2017 at 7:25 AM, Djalal Harouni <tixxdz@xxxxxxxxx> wrote: > On Sat, Apr 22, 2017 at 9:29 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: >> On Fri, Apr 21, 2017 at 11:51 PM, Andy Lutomirski <luto@xxxxxxxxxx> wrote: >>> On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni <tixxdz@xxxxxxxxx> wrote: >>>> On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski <luto@xxxxxxxxxx> wrote: >>>> > [...] >>>> * DCCP use after free CVE-2017-6074 >>>> * n_hldc CVE-2017-2636 >>>> * XFRM framework CVE-2017-7184 >>>> * L2TPv3 CVE-2016-10200 >>>> >>>> Most of these need CAP_NET_ADMIN to be autoloaded, however we also >>>> need CAP_NET_ADMIN for other things... therefore it is better to have >>>> an extra facility that could coexist with CAP_NET_ADMIN and other >>>> sandbox features. >>>> >>> >>> I agree that the feature is important, but I think your implementation >>> is needlessly dangerous. I imagine that the main uses that you care >>> about involve containers. How about doing it in a safer way that >>> works for containers? I can think of a few. For example: >>> >>> 1. A sysctl that, if set, prevents autoloading outside the root >>> userns. This isn't very flexible at all, but it might work. >>> >>> 2. Your patch, but require privilege within the calling namespace to >>> set the prctl. >> >> How about CAP_SYS_ADMIN || no_new_privs? >> >> -Kees >> > > Yes I can update as per Andy suggestion to require privileges inside > the calling namespace to set prctl. Other options that are not prctl > based have more variants, that make them hard to use. > > So I would got with CAP_SYS_ADMIN in the calling userns || > no_new_privs , I would have said CAP_SYS_MODULE in the userns but it > seems better to standardize on CAP_SYS_ADMIN to set the prctl. Andy's concern is that it would provide an escalation from SYS_MODULE to SYS_ADMIN through some privileged process being tricked through a missing API provided by modules, so we have to use either SYS_ADMIN || nnp. -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
