Re: [GIT PULL] LSM patches for v6.1

From: Eric W. Biederman
Date: Wed Oct 05 2022 - 08:59:38 EST

Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes:

> On Tue, Oct 4, 2022 at 1:55 PM Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>> So this whole "don't do this" approach you have is not acceptable.
> Side note: if we have a security hook for "create random file", then
> the notion that creating a whole new namespace somehow must not have
> any security hooks because it's *so* special is just ridiculous.
> I also note that right now USER_NS is both "default n" and "if not
> sure, say 'n'" in the Kconfig files, even though obviously that ship
> has sailed long ago.

Definitely. I did try and slow the up take as long as I could when
the code was maturing.

> So originally it might have been a reasonable expectation to say "only
> enable this if you're doing containers in servers", but that clearly
> isn't the case any more. So we basically take USER_NS for granted, but
> the fact that people might want chrome to use it for sandboxing does
> *not* mean that randomly we want any CLONE_NEWNS to just be ok,
> regardless of how trusted (or not) the case is.

Most importantly chrome shows how the mechanism this patch is using to
deny user space applications is one that ``breaks'' userspace. AKA
causing to silently fall back on less tested code paths that existed
before user namespaces were common. Any application that does this
uses less trusted code paths.

I am pretty certain that the code should be sending a fatal signal
instead of returning an error code on user namespace creation. I
unfortunately hadn't realized the implications until this conversation.

That said Chrome and sandboxing I think is a reasonable case to look at
to demonstrate the trade-offs. This is not all about increased kernel
attack surface, user namespaces also enable reduced attack surface in
sandboxes, which can make applications safer.