Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities

2024-06-15 Thread Serge E. Hallyn
On Tue, Jun 11, 2024 at 01:20:40AM -0700, Jonathan Calmels wrote:
> On Mon, Jun 10, 2024 at 08:00:57AM GMT, Serge E. Hallyn wrote:
> >
> > Now, one thing that does occur to me here is that there is a
> > very mild form of sendmail-capabilities vulnerability that
> > could happen here. Unpriv user

Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities

2024-06-11 Thread Jonathan Calmels
On Mon, Jun 10, 2024 at 08:00:57AM GMT, Serge E. Hallyn wrote:
>
> Now, one thing that does occur to me here is that there is a
> very mild form of sendmail-capabilities vulnerability that
> could happen here. Unpriv user joe can drop CAP_SYS_ADMIN
> from cap_userns, then run a setuid-root progra

Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities

2024-06-10 Thread Serge E. Hallyn
On Sun, Jun 09, 2024 at 03:43:34AM -0700, Jonathan Calmels wrote:
> Attackers often rely on user namespaces to get elevated (yet confined)
> privileges in order to target specific subsystems (e.g. [1]). Distributions
> have been pretty adamant that they need a way to configure these, most of
> them

Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities

2024-06-10 Thread Serge E. Hallyn
On Mon, Jun 10, 2024 at 01:47:13AM -0700, Jonathan Calmels wrote:
> On Sun, Jun 09, 2024 at 08:50:24PM GMT, Serge E. Hallyn wrote:
> > On Sun, Jun 09, 2024 at 03:43:34AM -0700, Jonathan Calmels wrote:
> > > Attackers often rely on user namespaces to get elevated (yet confined)
> > > privileges in o

Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities

2024-06-10 Thread Jonathan Calmels
On Sun, Jun 09, 2024 at 08:50:24PM GMT, Serge E. Hallyn wrote:
> On Sun, Jun 09, 2024 at 03:43:34AM -0700, Jonathan Calmels wrote:
> > Attackers often rely on user namespaces to get elevated (yet confined)
> > privileges in order to target specific subsystems (e.g. [1]). Distributions
>
> I'd modi

Re: [PATCH v2 1/4] capabilities: Add user namespace capabilities

2024-06-09 Thread Serge E. Hallyn
On Sun, Jun 09, 2024 at 03:43:34AM -0700, Jonathan Calmels wrote:

(Adding amorgan as he doesn't seem to be on cc list)

> Attackers often rely on user namespaces to get elevated (yet confined)
> privileges in order to target specific subsystems (e.g. [1]). Distributions

I'd modify this to say "in

[PATCH v2 1/4] capabilities: Add user namespace capabilities

2024-06-09 Thread Jonathan Calmels
Attackers often rely on user namespaces to get elevated (yet confined) privileges in order to target specific subsystems (e.g. [1]). Distributions have been pretty adamant that they need a way to configure these, most of them carry out-of-tree patches to do so, or plainly refuse to enable them. As