Re: [PATCHv3 0/2] capability controlled user-namespaces

From: Serge E. Hallyn
Date: Mon Jan 08 2018 - 01:25:02 EST


On Mon, Jan 08, 2018 at 11:35:26AM +1100, James Morris wrote:
> On Tue, 2 Jan 2018, Mahesh Bandewar (àààà ààààààà) wrote:
>
> > On Sat, Dec 30, 2017 at 12:31 AM, James Morris
> > <james.l.morris@xxxxxxxxxx> wrote:
> > > On Wed, 27 Dec 2017, Mahesh Bandewar (àààà ààààààà) wrote:
> > >
> > >> Hello James,
> > >>
> > >> Seems like I missed your name to be added into the review of this
> > >> patch series. Would you be willing be pull this into the security
> > >> tree? Serge Hallyn has already ACKed it.
> > >
> > > Sure!
> > >
> > Thank you James.
>
> I'd like to see what Eric Biederman thinks of this.
>
> Also, why do we need the concept of a controlled user-ns at all, if the
> default whitelist maintains existing behavior?

In past discussions two uses have been brought up:

1. if an 0-day is discovered which is exacerbated by a specific
privilege in user namespaces, that privilege could be turned off until a
reboot with a fixed kernel is scheduled, without fully disabling all
containers.

2. some systems may be specifically designed to run software which
only requires a few capabilities in a userns. In that case all others
could be disabled.