Date: Mon, 17 Oct 2022 14:20:51 +1100
From: David Gibson
To: Stefano Brivio
CC: passt-dev@passt.top
Subject: Re: Alas for CAP_NET_BIND_SERVICE
In-Reply-To: <20221016114646.6733393a@elisabeth>

On Sun, Oct 16, 2022 at 11:46:46AM +0200, Stefano Brivio wrote:
> On Fri, 14 Oct 2022 13:54:28 +1100
> David Gibson wrote:
>
> > On Thu, Oct 13, 2022 at 06:54:26AM +0200, Stefano Brivio wrote:
> > > On Thu, 13 Oct 2022 11:34:04 +1100
> > > David Gibson wrote:
> > >
> > > > On Wed, Oct 12, 2022 at 12:47:07PM +0200, Stefano Brivio wrote:
> > > > > On Wed, 12 Oct 2022 20:31:20 +1100
> > > > > David Gibson wrote:

[snip]

> > > > > It would be equivalent if we just inherited capabilities from the
> > > > > parent as opposed to file capabilities -- that's what I meant.
> > > > >
> > > > > I think it's a bit early to decide to drop those, though. Right now
> > > > > pasta isn't really used as a stand-alone tool (even though I
> > > > > actually do that, I find it very convenient also for totally unrelated
> > > > > purposes).
> > > > >
> > > > > Should we see some use cases, then we could make a more informed
> > > > > decision.
> > > > >
> > > > > > You can do the same thing with passt, though it's fiddlier
> > > > > > (you'd need a shim to translate qemu socket protocol before plugging
> > > > > > it into the server).
> > > > >
> > > > > Oh, you mean running pasta plus a shim plus qemu? Because with passt I
> > > > > don't understand how you'd pass that kind of stuff over AF_UNIX...
> > > >
> > > > No qemu necessary. Make your bogus server, but instead of directly
> > > > listen()ing on a low port, have it connect to a Unix socket and wait
> > > > for SYN packets to a low port in qemu protocol. Then use passt to
> > > > turn your Unix socket into a real listen()ing socket on the host.
> > >
> > > ...here. But the environment I had in mind was a rather controlled one,
> > > with KSM policies that would normally prevent you from even having your
> > > bogus server.
> > >
> > > Well, that would be the case for KubeVirt at least: three binaries and
> > > not much margin to play tricks.
> >
> > Ok, but even then using the file capability rather than the sysctl
> > only makes a difference if the attacker:
> > * CAN escape confinement enough to make socket calls in the netns
> >   where we would be setting the sysctl
> > * CAN'T escape confinement enough to exec() passt
>
> Hmm, I'm thinking about another fact. Now we don't drop the capability
> after binding ports, but that's anyway not effective in the parent
> namespace because of what you mentioned, which implies that we can just
> bind configured ports.

Sorry, I don't follow what you're saying here.

> There might be a relevant difference between binding a port 25, a less
> usable 53 or 67, or a more innocent 443. In practice, if somebody uses
> the sysctl, they might very well be setting it to 0, instead.
>
> By the way, I just realised, after these changes we should double check
> the AppArmor and SELinux profiles we ship as examples.
>
> I don't think it's urgent, because in the worst case they should be too
> restrictive rather than the opposite -- see the current AppArmor
> "capability" directive and the SELinux "allow passt_t self:capability"
> enforcement.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
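The thread compares two ways of letting passt/pasta bind a low port: a CAP_NET_BIND_SERVICE file capability, or lowering the sysctl (assumed here to be net.ipv4.ip_unprivileged_port_start, possibly all the way to 0). As an added example, not code from the thread or the passt project, the Python below reports which of the two mechanisms is what would make a given port bindable for a process, mirroring the kernel's check order (capability is consulted only for ports below the sysctl value); the /proc/<pid>/status sample is constructed, and check_live() reads the real files on a Linux host.

```python
# Added example, not from the passt thread or project: given a process's
# effective capability set and the net.ipv4.ip_unprivileged_port_start
# sysctl, report which mechanism (if any) would let it bind a port.
import re
from pathlib import Path

CAP_NET_BIND_SERVICE = 10          # bit number from <linux/capability.h>
DEFAULT_UNPRIV_PORT_START = 1024   # kernel default for the sysctl

# Constructed sample of the relevant /proc/<pid>/status lines: only bit 10 set.
SAMPLE_STATUS = "Name:\tpasta\nCapInh:\t0000000000000000\nCapEff:\t0000000000000400\n"


def parse_cap_eff(status_text: str) -> int:
    """Extract the CapEff bitmask (hex) from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap_net_bind_service(cap_eff: int) -> bool:
    """True if CAP_NET_BIND_SERVICE is in the effective set."""
    return (cap_eff >> CAP_NET_BIND_SERVICE) & 1 == 1


def bind_allowed_by(port: int, cap_eff: int, unpriv_port_start: int) -> str:
    """Kernel order: a port is privileged only if it is below
    ip_unprivileged_port_start; only then is the capability consulted.
    Returns 'unprivileged', 'sysctl', 'capability' or 'denied'."""
    if port >= DEFAULT_UNPRIV_PORT_START:
        return "unprivileged"   # never a privileged port
    if port >= unpriv_port_start:
        return "sysctl"         # bindable only because the sysctl was lowered
    if has_cap_net_bind_service(cap_eff):
        return "capability"     # the file/inherited capability does the work
    return "denied"


def check_live(port: int) -> str:
    """Same decision for the running process (Linux only)."""
    cap_eff = parse_cap_eff(Path("/proc/self/status").read_text())
    start = int(Path("/proc/sys/net/ipv4/ip_unprivileged_port_start").read_text())
    return bind_allowed_by(port, cap_eff, start)


if __name__ == "__main__":
    for p in (25, 53, 67, 443, 8080):   # the ports mentioned above, plus a high one
        print(p, bind_allowed_by(p, parse_cap_eff(SAMPLE_STATUS), 1024))
```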