Re: [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range"

From: Eric W. Biederman
Date: Thu Jun 01 2023 - 21:41:58 EST


Paul Moore <paul@xxxxxxxxxxxxxx> writes:

> On Thu, Jun 1, 2023 at 8:14 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
>> Paul Moore <paul@xxxxxxxxxxxxxx> writes:
>> >
>> > Given the challenges around adding access controls to userns
>> > operations, have you considered using the LSM support that was added
>> > upstream last year? The relevant LSM hook can be found in commit
>> > 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),
>>
>> Paul how have you handled the real world regression I reported against
>> chromium?
>
> I don't track chromium development.

You have chosen to be the maintainer and I reported it to you.

>> Paul are you aware that the LSM hook can not be used to achieve the
>> objective of this patchset?
>
> /me shrugs
>

[snip parts about performing a group id check]

The LSM hook you added does not have the technical capability to reduce
the attack surface to mitigate bugs in the kernel. It is the
ineffectiveness of the hook, not the permission check, that I was
referring to.

Eric