Re: RFC: on adding new CLONE_* flags [WAS Re: [PATCH 0/4] clone: add CLONE_PIDFD]

From: Andy Lutomirski
Date: Wed Apr 17 2019 - 12:48:00 EST

> On Apr 17, 2019, at 5:19 AM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> * Andy Lutomirski:
>> I would personally *love* it if distros started setting no_new_privs
>> for basically all processes.
> Wouldn't no_new_privs inhibit all security transitions, including those
> that reduce privileges? And therefore effectively reduce security?

In principle, you still can reduce privileges with no_new_privs. SELinux has a whole mechanism for privilege-reducing transitions on exec that works in no_new_privs mode. Also, all the traditional privilege dropping techniques work â setresuid(), unshare(), etc are all unaffected.

>> There seems to be some demand to be able to do large
> parts of container setup using posix_spawn, so we'll probably add
> support for things like writing to arbitrary files eventually. And of
> course, proper error reporting, so that you can figure out which file
> creation action failed.

ISTM the way to handle this is to have a way to make a container, set it up, and then clone/spawn into it. The current unshare() API is severely awkward.

Maybe the new better kernel spawn API shouldnât support unshare-like semantics at all and should instead work like setns().