From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Paul Moore <paul@paul-moore.com>
Cc: "~akihirosuda" <suda.kyoto@gmail.com>,
linux-kernel@vger.kernel.org, containers@lists.linux.dev,
serge@hallyn.com, brauner@kernel.org,
akihiro.suda.cz@hco.ntt.co.jp
Subject: Re: [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range"
Date: Thu, 01 Jun 2023 20:41:42 -0500 [thread overview]
Message-ID: <87ilc67i95.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <CAHC9VhRk3WhXh-GTDSKFW3PujXiQCDy3xk4Xb9_Lo4szgQ5G6Q@mail.gmail.com> (Paul Moore's message of "Thu, 1 Jun 2023 21:01:55 -0400")
Paul Moore <paul@paul-moore.com> writes:
> On Thu, Jun 1, 2023 at 8:14 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
>> Paul Moore <paul@paul-moore.com> writes:
>> >
>> > Given the challenges around adding access controls to userns
>> > operations, have you considered using the LSM support that was added
>> > upstream last year? The relevant LSM hook can be found in commit
>> > 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),
>>
>> Paul how have you handled the real world regression I reported against
>> chromium?
>
> I don't track chromium development.
You have chosen to be the maintainer and I reported it to you.
>> Paul are you aware that the LSM hook can not be used to achieve the
>> objective of this patchset?
>
> /me shrugs
>
[snip parts about performing a group id check]
The LSM hook you added does not have the technical capability to reduce
the attack surface to mitigate bugs in the kernel. It is the
ineffectiveness of the hook not the permission check that I was
referring to.
Eric
next prev parent reply other threads:[~2023-06-02 2:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-30 18:50 [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range" ~akihirosuda
2023-05-30 11:34 ` [PATCH linux 3/3] " ~akihirosuda
2023-05-31 4:20 ` kernel test robot
2023-05-30 14:42 ` [PATCH linux 1/3] net/ipv4: split group_range logic to kernel/group_range.c ~akihirosuda
2023-05-30 17:31 ` [PATCH linux 2/3] group_range: allow GID from 2147483648 to 4294967294 ~akihirosuda
2023-05-30 21:58 ` [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range" Paul Moore
2023-05-31 7:50 ` Christian Brauner
2023-06-02 0:14 ` Eric W. Biederman
2023-06-02 1:01 ` Paul Moore
2023-06-02 1:41 ` Eric W. Biederman [this message]
2023-06-02 14:50 ` Paul Moore
2023-06-02 21:02 ` Akihiro Suda
2023-06-02 0:06 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ilc67i95.fsf@email.froward.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akihiro.suda.cz@hco.ntt.co.jp \
--cc=brauner@kernel.org \
--cc=containers@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=suda.kyoto@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).