Re: Thoughts on tightening up user namespace creation

From: Kees Cook
Date: Wed Mar 09 2016 - 14:12:28 EST


On Wed, Mar 9, 2016 at 11:07 AM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> Quoting Kees Cook (keescook@xxxxxxxxxxxx):
>> On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> > Hi all-
>> >
>> > There are several users and distros that are nervous about user
>> > namespaces from an attack surface point of view.
>> >
>> > - RHEL and Arch have userns disabled.
>> >
>> > - Ubuntu requires CAP_SYS_ADMIN
>> >
>> > - Kees periodically proposes to upstream some sysctl to control
>> > userns creation.
>>
>> And here's another ring0 escalation flaw, made available to
>> unprivileged users because of userns:
>>
>> https://code.google.com/p/google-security-research/issues/detail?id=758
>
> Kees, I think you think this makes your point, but all it does is make
> me want to argue with you and start flinging back cves against kvm,
> af_unix, sctp, etc.

I can run a distro kernel without kvm and sctp, because I can leave
their modules unloaded. There is no such option for userns.

The last af_unix CVEs I see were 2 from 2013, and before that, 2010.
There's no comparison here on frequency.

>> > I think there are three main types of concerns. First, there might be
>> > some as-yet-unknown semantic issues that would allow privilege
>> > escalation by users who create user namespaces and then confuse
>> > something else in the system. Second, enabling user namespaces
>> > exposes a lot of attack surface to unprivileged users. Third,
>> > allowing tasks to create user namespaces exposes the kernel to various
>> > resource exhaustion attacks that wouldn't be possible otherwise.
>> >
>> > Since I doubt we'll ever fully address the attack surface issue at
>> > least, would it make sense to try to come up with an upstreamable way
>> > to limit who can create new user namespaces and/or do various
>> > dangerous things with them?
>>
>> The change in attack surface is _substantial_. We must have a way to
>> globally disable userns.
>
> I'm confused. Didn't we agree a few months ago, somewhat reluctantly,
> on a sysctl?

No, Eric refused it and wanted finer-grained controls.

-Kees

--
Kees Cook
Chrome OS & Brillo Security