Re: Thoughts on tightening up user namespace creation

[Kees Cook]

On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> Hi all-
>
> There are several users and distros that are nervous about user
> namespaces from an attack surface point of view.
>
>  - RHEL and Arch have userns disabled.
>
>  - Ubuntu requires CAP_SYS_ADMIN
>
>  - Kees periodically proposes to upstream some sysctl to control
> userns creation.

And here's another ring0 escalation flaw, made available to
unprivileged users because of userns:

https://code.google.com/p/google-security-research/issues/detail?id=758

> I think there are three main types of concerns.  First, there might be
> some as-yet-unknown semantic issues that would allow privilege
> escalation by users who create user namespaces and then confuse
> something else in the system.  Second, enabling user namespaces
> exposes a lot of attack surface to unprivileged users.  Third,
> allowing tasks to create user namespaces exposes the kernel to various
> resource exhaustion attacks that wouldn't be possible otherwise.
>
> Since I doubt we'll ever fully address the attack surface issue at
> least, would it make sense to try to come up with an upstreamable way
> to limit who can create new user namespaces and/or do various
> dangerous things with them?

The change in attack surface is _substantial_. We must have a way to
globally disable userns.

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security