Alexander Larsson | 29 May 14:18 2015

netlink and user namespaces

Now that I'm using a non-privileged user namespace for my desktop
sandboxing system all kind of network status things are breaking. The
reason for this is that they use netlink to enumerate interfaces, and
to verify that the replies are from the kernel (apparently anyone can
send anyone netlink messages) this code is verifying that the
SCM_CREDENTIAL sender of the netlink messages is uid 0.

For instance:

This obviously breaks when uid is not mapped (as it can't be in an
unprivileged user namespace), as uid will be overflowuid.

Is there any other way to check that a netlink message is from the


 Alexander Larsson                                            Red Hat, Inc 
He's an uncontrollable skateboarding farmboy trapped in a world he never 
made. She's a strong-willed renegade schoolgirl married to the Mob. They 
fight crime! 
DHL Logistik-Team | 29 May 12:04 2015

Delivery notification regarding your shipment 66767426187


   DHL shipment tracking
   Shipment number 66767426187
   Product / Service DHL PAKET
   Status as of Friday, 29.05.2015 09:56:43 The order data for this
   shipment was transmitted electronically to DHL by the sender.
   Delivered to authorized recipient

   [1]Show detailed recipient information
   Deutsche Post DHL - The Mail & Logistics Group

(Continue reading)

Mr.Tep Savanna | 24 May 02:34 2015



I am Mr. Tep Savanna, the managing Director of a financial firm here in South East Asia. I am contacting you with a
good proposal that will benefit both of us. If you are interested and trustworthy, please reply back and
let's benefit from this golden opportunity. You are my first contact, and
I am contacting you because I need to do the deal with someone outside my country for security reasons; it's
not the type of deal you let someone around you be aware of. My banks do not even know that I am contacting
you. I will explain the process better, as a banker, when I see your
response. I shall wait for days and if I do not hear from you, I shall look for another person.

Mr. Tep Savanna
COFINE MACHINERY | 23 May 06:25 2015

plastic recycling machine supplier

Dear friends! Hope this letter finds you well! My name is Snow from ZHANGJIAGANG COFINE MACHINERY CO. LTD, CHINA. We are a waste plastic recycling machine manufacturer. We can offer you the following machines:
1. PE/PP film/bag and solid washing line (200-1000KG/H)
2. PET bottle washing line (300-2000KG/H)
3. HDPE/PP bottle washing line (300-2000KG/H)
4. PE/PP film/bag granulating line (100-600KG/H)
5. PET bottle flake granulating line (100-500KG/H)
6. PVC/PS/ABS granulating line (100-600KG/H)
7. Plastic shredder and crusher
Our company has produced these machines for more than 15 years and has advanced technical and rich experience with them. For all the detail information please visit our . or check the video on youtube, check here. If you are interested in our machines, please let me know, I will send you a quotation as soon as possible. Best regards, Snow
Containers mailing list
Lukasz Pawelczyk | 21 May 13:53 2015

[PATCH 0/8] Smack namespace


Some time ago I sent a Smack namespace documentation and a preliminary
LSM namespace for RFC. It was suggested to me that there shouldn't be a
separate LSM namespace and that it should live within the user namespace.
And this version does. This is a complete set of patches required for
Smack namespace.

This was designed with a collaboration of Smack maintainer Casey

Smack namespace has been implemented using user namespace hooks added
by one of the patches. To put some context to it I paste here a
documentation on what Smack namespace wants to achieve.

LSM hooks themselves are documented in the security.h file inside the

The patches are based on:


--- What is a Smack namespace ---

Smack namespace was developed to make it possible for Smack to work
nicely with Linux containers where there is a full operating system
with its own init inside the namespace. Such a system working with
Smack expects to have at least partially working SMACK_MAC_ADMIN to be
able to change labels of processes and files. This is required to be
(Continue reading)

Alexander Larsson | 18 May 16:39 2015

Kernel panic with user namespaces

If I build and run the attached break-kernel.c as a user I get this
kernel panic on the fedora 4.0.3 kernel:

maj 18 16:33:36 nano kernel: BUG: unable to handle kernel NULL pointer dereference at           (null)
maj 18 16:33:36 nano kernel: IP: [<ffffffff81250288>] pin_remove+0x58/0xc0
maj 18 16:33:36 nano kernel: PGD 1cc973067 PUD 1d727b067 PMD 0 
maj 18 16:33:36 nano kernel: Oops: 0002 [#1] SMP 
maj 18 16:33:36 nano kernel: Modules linked in: rfcomm fuse ccm xt_CHECKSUM ipt_MASQUERADE
nf_nat_masquerade_ipv4 nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter
ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter
ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4
nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw bnep
arc4 intel_rapl iosf_mbi x86_pkg_temp_thermal coretemp kvm iwlmvm snd_hda_codec_realtek mac80211
snd_hda_codec_hdmi snd_hda_codec_generic vfat fat iTCO_wdt iTCO_vendor_support snd_hda_intel
snd_hda_controller snd_hda_codec crct10dif_pclmul snd_hwdep crc32_pclmul snd_seq iwlwifi crc32c_intel
maj 18 16:33:36 nano kernel:  snd_seq_device uvcvideo ghash_clmulni_intel videobuf2_vmalloc snd_pcm
videobuf2_core cfg80211 videobuf2_memops v4l2_common videodev thinkpad_acpi snd_timer serio_raw
btusb media hid_multitouch bluetooth snd lpc_ich mfd_core i2c_i801 mei_me cdc_acm tpm_tis shpchp mei
tpm soundcore wmi rfkill i2c_designware_platform i2c_designware_core nfsd auth_rpcgss nfs_acl
lockd grace sunrpc cdc_mbim cdc_wdm cdc_ncm usbnet mii i915 i2c_algo_bit drm_kms_helper e1000e drm ptp
pps_core video
maj 18 16:33:36 nano kernel: CPU: 2 PID: 2662 Comm: break-kernel Not tainted 4.0.3-201.fc21.x86_64 #1
maj 18 16:33:36 nano kernel: Hardware name: LENOVO 20A7005RUK/20A7005RUK, BIOS GRET42WW (1.19 ) 11/20/2014
maj 18 16:33:36 nano kernel: task: ffff8800a1a893e0 ti: ffff8801cafb4000 task.ti: ffff8801cafb4000
maj 18 16:33:36 nano kernel: RIP: 0010:[<ffffffff81250288>]  [<ffffffff81250288>] pin_remove+0x58/0xc0
maj 18 16:33:36 nano kernel: RSP: 0018:ffff8801cafb7e08  EFLAGS: 00010246
maj 18 16:33:36 nano kernel: RAX: 0000000000000000 RBX: ffff880212b09f20 RCX: 000000000000011a
maj 18 16:33:36 nano kernel: RDX: 0000000000000000 RSI: 0000000000000005 RDI: ffffffff82004a70
(Continue reading)

Eric W. Biederman | 14 May 19:30 2015

[CFT][PATCH 0/10] Making new mounts of proc and sysfs as safe as bind mounts

The code is currently available at:

   git:// for-testing

   HEAD: a524faf520600968e58bbc732063fccf2fdf9199 mnt: Update fs_fully_visible to test for
permanently empty directories

The problem:  Mounting a new instance of proc or sysfs can allow things
that a bind mount of those filesystems would not.

That is, the cases I am dealing with are:
     unshare --user --net --mount ; mount -t sysfs ...
     unshare --user --pid --mount ; mount -t proc ...

The big change is that this set of changes enforces the preservation of
locked mount flags, from the existing mount to the current mount.  Which
means that if proc was mounted read-only the current code will allow
a new instance of proc to be mounted read-write, and this set of changes
enforces that proc remain read-only.

The other gotcha is that the current code does not properly detect empty
directories so to prevent things slipping through the cracks this set of
changes annotates all mount points where nothing will be revealed if
the filesystem mounted on top is removed.

Enforcing the administrator's policy can actually matter in the real
world as has been shown by the recent docker issue.

With this patchset I have two concerns:
(Continue reading)

Richard Guy Briggs | 12 May 22:02 2015

[PATCH V7 00/10] namespaces: log namespaces per task

The purpose is to track namespace instances in use by logged processes from the
perspective of init_*_ns by logging the namespace IDs (namespace device ID and
namespace inode).

1/10 exposes proc's ns entries structure which lists a number of useful
operations per namespace type for other subsystems to use.

2/10 creates and switches to a dedicated inode pool for the namespace

3/10 add the nsfs device ID to ns_common for each namespace instance for quick

4/10 provides an example of usage for audit_log_task_info() which is used by
syscall audits, among others.

Proposed output format:
This differs slightly from Aristeu's patch because of the label conflict with
"pid=" due to including it in existing records rather than it being a separate
record.  "pid=" here is the target pid for a potentially unactivated task for
which the nsproxy has been created.  It has now returned to being a separate
record.  The nsfs device major/minor are listed in hexadecimal and namespace
IDs are the ns inode.
	type=NS_INFO msg=audit(1408577535.306:82): pid=310 dev=00:03 netns=7 utsns=3 ipcns=4 pidns=1 userns=2 mntns=5

5/10 change audit startup from __initcall to subsys_initcall to get it started
earlier to be able to receive initial namespace log messages.

6/10 tracks the creation and deletion of namespaces, listing the type of
(Continue reading)

Ben Hutchings | 10 May 19:59 2015

[stable] Locked mount and loopback mount fixes

Why were these not cc'd to stable?  Was this an oversight, or are they
simply not needed for fixing any known bugs?

commit cd4a40174b71acd021877341684d8bb1dc8ea4ae
Author: Eric W. Biederman <ebiederm@...>
Date:   Wed Jan 7 14:28:26 2015 -0600

    mnt: Fail collect_mounts when applied to unmounted mounts

commit 820f9f147dcce2602eefd9b575bbbd9ea14f0953
Author: Eric W. Biederman <ebiederm@...>
Date:   Thu Apr 2 16:35:48 2015 -0500

    fs_pin: Allow for the possibility that m_list or s_list go unused.



Ben Hutchings
When in doubt, use brute force. - Ken Thompson
Eric W. Biederman | 9 May 22:54 2015

[GIT PULL] userns: proc and sysfs mount fix


Please pull the for-linus branch from the git tree:

   git:// for-linus

   HEAD: 7e96c1b0e0f495c5a7450dc4aa7c9a24ba4305bd mnt: Fix fs_fully_visible to verify the root
directory is visible

Eric Windish recently reported a real bug that allows mounting fresh
copies of proc and sysfs when it really should not be allowed.  The code
attempted to verify that proc and sysfs were fully visible but there is
a test missing to ensure that the root of the filesystem is visible.

The following patch fixes that.

This fixes a containment issue that the docker folks are seeing.

I see one or two more issues that I would like to correct in the check
for mounting proc and sysfs but those look like they have a non-trivial
chance of breaking working user space so they are going to need more
review and testing before I send them your way.

commit 7e96c1b0e0f495c5a7450dc4aa7c9a24ba4305bd
Author: Eric W. Biederman <ebiederm@...>
Date:   Fri May 8 16:36:50 2015 -0500

    mnt: Fix fs_fully_visible to verify the root directory is visible
(Continue reading)

张伟伟 | 7 May 10:23 2015

Container House // Prefab House

Dear Sir / Madam,  

How are you?  

This is Amanda from AIDA Container House factory (China). I learned from your website that you are dealing
in container houses, so I write to you in the hope of cooperation with you.

Here listed our prefab house feature below:
*Lower Usage Costs: You can use our house over again.
*Easy Installation and Dismounting: Takes very little time on installation and dismounting. Operate in only
four steps. So you don't need to spend money on installation and dismounting.
*Lower Delivery Costs: One truck load carries 18-23 sets at one time.
*Small Storage Room: In a 100m2 room, you can put 100 sets of prefab house.

1, Size: 3 M * 6 M * 2.6 M, 2.4 M * 6 M * 2.6 M (length * width * height)
2, Thickness of the plate 75 mm, 50 mm, phenolic foam of fire prevention or (rock wool), Colour-Steel
Complex Sheet
3, Tap: 100 mm channel steel, galvanized square steel, adopts carbon dioxide protection welding,
security firm.
4, Standardized assembled parts, convenient and quick assembly.
5, Framework using electrostatic spray, rust and corrosion resistance, beautiful and durable.
6, Floor: plastic (PVC) floor, consolidated compound floor and solid wood floor, anti-static
floor, etc.

Kindly check please and thanks very much for your time.

If you are interested in our container house / Prefab house, welcome to contact me. 24 Hours available for
(Continue reading)