Paul Moore paul@paul-moore.com writes:
On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn serge@hallyn.com wrote:
I am hoping we can come up with "something better" to address people's needs, make everyone happy, and bring forth world peace. Which would stack just fine with what's here for defense in depth.
You may well not be interested in further work, and that's fine. I need to set aside a few days to think on this.
I'm happy to continue the discussion as long as it's constructive; I think we all are. My gut feeling is that Frederick's approach falls closest to the sweet spot of "workable without being overly offensive" (*cough*), but if you've got an additional approach in mind, or an alternative approach that solves the same use case problems, I think we'd all love to hear about it.
I would love to actually hear the problems people are trying to solve so that we can have a sensible conversation about the trade offs.
As best I can tell without more information people want to use the creation of a user namespace as a signal that the code is attempting an exploit.
As such let me propose instead of returning an error code which will let the exploit continue, have the security hook return a bool. With true meaning the code can continue and on false it will trigger using SIGSYS to terminate the program like seccomp does.
I am not super fond of that idea, but it means that userspace code is not expected to deal with the situation, and the only conversation a userspace application developer needs to enter into with a system administrator or security policy developer is one to prove they are not exploit code. Plus it makes much more sense to kill an exploit immediately instead of letting it run.
In general when addressing code coverage concerns I think it makes more sense to use the security hooks to implement some variety of the principle of least privilege and only give applications access to the kernel facilities they are known to use.
As far as I can tell creating a user namespace does not increase the attack surface. It is the creation of the other namespaces from a user namespace that begins to do that. So in general I would think restrictions should be in places they matter.
Just like the bugs that have exploits that involve the user namespace are not user namespace bugs, but instead they are bugs in other subsystems that just happen to go through the user namespace as the easiest path to the buggy code, not the only path to the buggy code.
Eric