On Thu, Jun 1, 2023 at 8:14 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > Paul Moore <paul@xxxxxxxxxxxxxx> writes: > > On Tue, May 30, 2023 at 2:50 PM ~akihirosuda <akihirosuda@xxxxxxxxx> wrote: > >> > >> This sysctl limits groups who can create a new userns without > >> CAP_SYS_ADMIN in the current userns, so as to mitigate potential kernel > >> vulnerabilities around userns. > >> > >> The sysctl value format is same as "net.ipv4.ping_group_range". > >> > >> To disable creating new unprivileged userns, set the sysctl value to "1 > >> 0" in the initial userns. > >> > >> To allow everyone to create new userns, set the sysctl value to "0 > >> 4294967294". This is the default value. > >> > >> This sysctl replaces "kernel.unprivileged_userns_clone" that is found in > >> Ubuntu [1] and Debian GNU/Linux. > >> > >> Link: https://git.launchpad.net/~ubuntu- > >> kernel/ubuntu/+source/linux/+git/jammy/commit?id=3422764 [1] > > > > Given the challenges around adding access controls to userns > > operations, have you considered using the LSM support that was added > > upstream last year? The relevant LSM hook can be found in commit > > 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"), > > Paul how have you handled the real world regression I reported against > chromium? I don't track chromium development. > Paul are you aware that the LSM hook can not be used to achieve the > objective of this patchset? /me shrugs I thought one could look into a cred struct using a BPF LSM, which would allow one to make access control decisions based on group ID, but I will be the first to admit I'm not a BPF LSM expert. Regardless, one could introduce a group ID check into a LSM if they were so inclined. I also find it slightly amusing that you are arguing against my reply that was discussing *not* adding another userns control point; of all people I thought you would be supportive of this ... /me shrugs again. > > and although only SELinux currently provides an access control > > implementation, there is no reason you couldn't add support for your > > favorite LSM, or even just a simple BPF LSM to enforce the group > > controls as you've described them here. > > Is there a publicly available SELinux policy that uses that LSM hook? I have no idea, I don't track all of the publicly available SELinux policies because frankly it doesn't matter; the SELinux feature exists, and it is my role to support and maintain it. There are LSM/SELinux features which are not widely exercised in general purpose SELinux policies for various reasons, but *are* used in specialized environments that are not often discussed on public mailing lists. -- paul-moore.com
