Re: [PATCH 1/3] capabilities: user namespace capabilities

[John Johansen]

On 5/17/24 20:50, Jonathan Calmels wrote:
> On Fri, May 17, 2024 at 04:59:41AM GMT, John Johansen wrote:
> > On 5/17/24 03:51, Jonathan Calmels wrote:
> > > This new capability set would be a universal thing that could be
> > > leveraged today without modification to userspace. Moreover, it’s a
> > > simple framework that can be extended.
> >
> > I would argue that is a problem. Userspace has to change for this to be
> > secure. Is it an improvement over the current state yes.
>
> Well, yes and no. With those patches, I can lock down things today on my
> system and I don't need to change anything.
sure, same as with the big no user ns toggle. This is finer and allows
selectively enabling on a per application basis.

> For example I can decide that none of my rootless containers started
> under SSH will get CAP_NET_ADMIN:
>
> # echo "auth optional pam_cap.so" >> /etc/pam.d/sshd
> # echo "!cap_net_admin $USER"     >> /etc/security/capability.conf
> # capsh --secbits=$((1 << 8)) -- -c /usr/sbin/sshd
>
> $ ssh localhost 'unshare -r capsh --current'
> Current: =ep cap_net_admin-ep
> Current IAB: !cap_net_admin
>
> Or I can decide than I don't ever want CAP_SYS_RAWIO in my namespaces:
>
> # sysctl -w cap_bound_userns_mask=0x1fffffdffff
>
> This doesn't require changes to userspace.
> Now, granted if you want to have finer-grained controls, it will require
> *some* changes in *some* places (e.g. adding new systemd property like
> UserNSSet=).

yep

> > > Well that’s the thing, from past conversations, there is a lot of
> > > disagreement about restricting namespaces. By restricting the
> > > capabilities granted by namespaces instead, we’re actually treating the
> > > root cause of most concerns.
> > no disagreement there. This is actually Ubuntu's posture with user namespaces
> > atm. Where the user namespace is allowed but the capabilities within it
> > are denied.
> >
> > It does however when not handled correctly result in some very odd failures
> > and would be easier to debug if the use of user namespaces were just
> > cleanly denied.
>
> Yes but as we established it depends on the use case, both are not
> mutually exclusive.
yep

> > its not so much the capabilities set as the inheritable part that is
> > problematic. Yes I am well aware of where that is required but I question
> > that capabilities provides the needed controls here.
>
> Again, I'm not opposed to doing this with LSMs. I just think both could
> work well together. We already do that with standard capabilities vs
> LSMs, both have their strength and weaknesses.
yes, don't get me wrong I am not necessarily advocating an LSM solution
as being necessary. I just want to make sure the trade-offs of the
capabilities solution get discussed to help evaluate whether extending
the current capability model is worth it.

> It's always a tradeoff, do you want a setting that's universal and
> coarse, or do you want one that's tailored to specific things but less
> ubiquitous.
yep

> It's also a tradeoff on usability. If this doesn't get used in practice,
> then there is no point.
agreed

> I would argue that even though capabilities are complicated, they are
> more widely understood than LSMs. Are capabilities insufficient in
> certain scenarios, absolutely, and that's usually where LSMs come in.
hrmmm, I am not sure I would agree with capabilities are better understood
than LSMs, At the base level of capability(X) to get permission yes, but
the whole permitting, bounding, ... Really I think most people are just
confused by both

> > > This is possible with the security bit introduced in the second patch.
> > > The idea of having those separate is that a service which has dropped
> > > its capabilities can still create a fully privileged user namespace.
> >
> > yes, which is the problem. Not that we don't do that with say setuid
> > applications, but the difference is that they were known to be doing
> > something dangerous and took measures around that.
> >
> > We are starting from a different posture here. Where applications have
> > assumed that user namespaces where safe and no measures were needed.
> > Tools like unshare and bwrap if set to allow user namespaces in their
> > fcaps will allow exploits a trivial by-pass.
>
> Agreed, but we can't really walk back this decision unfortunately.

And that is partly the crux of the issue, if we can't walk back the
decision then the solution becomes more complex

> At least with this patch series system administrators have the ability
> to limit such tools.
agreed

> > What I was trying to get at is two points.
> > 1. The written description wasn't clear enough, leaving room for
> >     ambiguity.
> > 2. That I quest that the behavior should be allowed given the
> >     current set of tools that use user namespaces. It reduces exploit
> >     codes ability to directly use unprivileged user namespaces but
> >     makes it all to easy to by-pass the restriction because of the
> >     behavior of the current tool set. ie. user space has to change.
>
> > But again, I believe the fcaps behavior is wrong, because of the state of
> > current software. If this had been a proposal where there was no existing
> > software infrastructure I would be starting from a different stance.
>
> As mentioned above, userspace doesn't necessarily have to change. I'm
> also not sure what you mean by easy to by-pass? If I mask off some
> capabilities system wide or in a given process tree, I know for a fact
> that no namespace will ever get those capabilities.

so by-pass will very much depend on the system but from a distro pov
we pretty much have to have bwrap enabled if users want to use flatpaks
(and they do), same story for several other tools. Since this basically
means said tools need to be available by default, most systems the
distro is installed on are vulnerable by default. The trivial by-pass
then becomes the exploit running its payload through one of these tools,
and yes I have tested it.

Could a distro disable these tools by default, and require the user/admin
to enable them, yes though there would be a lot of friction, push back,
and in the end most systems would still end up with them enabled.

With the capibilities approach can a user/admin make their system
more secure than the current situation, absolutely.

Note, that regardless of what happens with patch 1, and 2. I think we
either need the big sysctl toggle, or a version of your patch 3