Re: Thoughts on tightening up user namespace creation

From: Kees Cook
Date: Wed Mar 09 2016 - 13:14:52 EST

On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> Hi all-
> There are several users and distros that are nervous about user
> namespaces from an attack surface point of view.
> - RHEL and Arch have userns disabled.
> - Ubuntu requires CAP_SYS_ADMIN
> - Kees periodically proposes to upstream some sysctl to control
> userns creation.

And here's another ring0 escalation flaw, made available to
unprivileged users because of userns:

> I think there are three main types of concerns. First, there might be
> some as-yet-unknown semantic issues that would allow privilege
> escalation by users who create user namespaces and then confuse
> something else in the system. Second, enabling user namespaces
> exposes a lot of attack surface to unprivileged users. Third,
> allowing tasks to create user namespaces exposes the kernel to various
> resource exhaustion attacks that wouldn't be possible otherwise.
> Since I doubt we'll ever fully address the attack surface issue at
> least, would it make sense to try to come up with an upstreamable way
> to limit who can create new user namespaces and/or do various
> dangerous things with them?

The change in attack surface is _substantial_. We must have a way to
globally disable userns.


Kees Cook
Chrome OS & Brillo Security