Re: Thoughts on tightening up user namespace creation

From: Serge E. Hallyn
Date: Wed Mar 09 2016 - 14:07:38 EST


Quoting Kees Cook (keescook@xxxxxxxxxxxx):
> On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> > Hi all-
> >
> > There are several users and distros that are nervous about user
> > namespaces from an attack surface point of view.
> >
> > - RHEL and Arch have userns disabled.
> >
> > - Ubuntu requires CAP_SYS_ADMIN
> >
> > - Kees periodically proposes to upstream some sysctl to control
> > userns creation.
>
> And here's another ring0 escalation flaw, made available to
> unprivileged users because of userns:
>
> https://code.google.com/p/google-security-research/issues/detail?id=758

Kees, I think you think this makes your point, but all it does is make
me want to argue with you and start flinging back cves against kvm,
af_unix, sctp, etc.

> > I think there are three main types of concerns. First, there might be
> > some as-yet-unknown semantic issues that would allow privilege
> > escalation by users who create user namespaces and then confuse
> > something else in the system. Second, enabling user namespaces
> > exposes a lot of attack surface to unprivileged users. Third,
> > allowing tasks to create user namespaces exposes the kernel to various
> > resource exhaustion attacks that wouldn't be possible otherwise.
> >
> > Since I doubt we'll ever fully address the attack surface issue at
> > least, would it make sense to try to come up with an upstreamable way
> > to limit who can create new user namespaces and/or do various
> > dangerous things with them?
>
> The change in attack surface is _substantial_. We must have a way to
> globally disable userns.

I'm confused. Didn't we agree a few months ago, somewhat reluctantly,
on a sysctl?