Unprivileged Linux user namespaces are a rather controversial topic in the security community, the Linux kernel community and software engineering in general. On one side, they allow building unprivileged, sandboxed services and applications which would otherwise need elevated privileges to run and provide their features to users. Not granting privileges to such applications follows the principle of least privilege and makes our systems more secure.
On the other side, this mechanism has repeatedly been used in vulnerabilities and exploits as the initial attack vector, multiplying the damage and impact of those exploits. Because it became so popular within the offensive industry, many Linux distributions and security guidance documents now recommend disabling the feature altogether.
There is an ongoing debate about whether unprivileged user namespaces provide more security or make the system more vulnerable. In this presentation we review how user namespaces can help build sandboxed, secure applications. We also show how a recently discovered Linux kernel bug turned into a security vulnerability only because user namespaces were available on the system. Finally, we give recommendations on how to get the best of both worlds: allow well-behaved applications to use user namespaces for better security, while blocking the feature for potentially malicious users and code.
2. @ignatkn
$ whoami
● Linux team at Cloudflare
● Systems security and performance
● Low-level programming
3.
● How containers contain: Linux namespaces
● Unprivileged user namespaces
● Linux application sandboxing (Google Chrome example)
● Linux bugs under Linux namespaces
● Policing user namespaces
● Fine grained user namespace creation with BPF
28-33.
Mount namespaces example (slides 28-33, shown as the complete session)
ignat@dev:~$ mount | grep ^tmpfs
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=13162688k,nr_inodes=819200,mode=755,inode64)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=6581340k,nr_inodes=1645335,mode=700,uid=1000,gid=1000,inode64)
ignat@dev:~$ sudo unshare --mount
root@dev:/home/ignat# umount /run/user/1000
root@dev:/home/ignat# mountpoint /run/user/1000
/run/user/1000 is not a mountpoint
root@dev:/home/ignat# exit
logout
ignat@dev:~$ mountpoint /run/user/1000
/run/user/1000 is a mountpoint
53. Network namespaces example
ignat@dev:~$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:e6:15:a5 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:ec:9d:a8:8f brd ff:ff:ff:ff:ff:ff
ignat@dev:~$ sudo unshare --net
root@dev:/home/ignat# ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@dev:/home/ignat# ip link set lo up
root@dev:/home/ignat# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
65. Network namespaces example
(Two terminals side by side on the slide: the root@dev prompt is the shell inside the network namespace created with unshare --net above, the ignat@dev prompt is a shell in the host network namespace; the commands are listed in the order they were run.)
root@dev:/home/ignat# ip link add right type veth peer left netns 1
root@dev:/home/ignat# ip link show right
2: right@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 06:45:05:83:b7:e8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
ignat@dev:~$ sudo ip link show left
5: left@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
root@dev:/home/ignat# ip address add dev right 192.168.1.7/24
root@dev:/home/ignat# ip link set right up
ignat@dev:~$ sudo ip address add dev left 192.168.1.3/24
ignat@dev:~$ sudo ip link set left up
ignat@dev:~$ ping -c 1 192.168.1.7
PING 192.168.1.7 (192.168.1.7) 56(84) bytes of data.
64 bytes from 192.168.1.7: icmp_seq=1 ttl=64 time=0.118 ms
--- 192.168.1.7 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.118/0.118/0.118/0.000 ms
root@dev:/home/ignat# exit
logout
ignat@dev:~$ sudo ip link show left
Device "left" does not exist.
104. User namespaces example
ignat@dev:~$ id
uid=1000(ignat) gid=1000(ignat) groups=1000(ignat),990(docker)
ignat@dev:~$ unshare --user
nobody@dev:~$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
nobody@dev:~$ exit
logout
ignat@dev:~$ unshare --user --map-user=1 --map-group=1
daemon@dev:~$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon),65534(nogroup)
daemon@dev:~$ exit
logout
ignat@dev:~$ unshare --user --map-user=1337
I have no name!@dev:~$ id
uid=1337 gid=65534(nogroup) groups=65534(nogroup)
I have no name!@dev:~$ exit
logout
ignat@dev:~$ unshare --user --map-root-user
root@dev:~# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
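As an added example (not code from the talk), the C program below does by hand what `unshare --user --map-root-user` does in the session above: it creates a user namespace with unshare(2), writes the one-line uid_map/gid_map entries that make the caller's real uid appear as uid 0 inside it, and then counts the capabilities the process holds in the new namespace. It relies only on documented Linux interfaces; an unprivileged run may return -EPERM where user namespaces are disabled, filtered by seccomp or denied by an LSM hook.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* One uid_map/gid_map line: "<id inside ns> <id outside ns> <count>\n".
 * Returns the length written, or -1 if the buffer is too small. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside,
                  unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write one line to a /proc/self file; returns 0 or -errno. */
static int write_proc(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    int err = write(fd, line, strlen(line)) < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* Put the calling process into a new user namespace in which its current
 * uid/gid appear as `inside` (0 reproduces --map-root-user).  Returns 0 or
 * -errno; an unprivileged caller may legitimately get -EPERM when user
 * namespaces are disabled, filtered by seccomp, or denied by an LSM hook. */
int enter_mapped_userns(unsigned inside)
{
    uid_t outer_uid = geteuid();
    gid_t outer_gid = getegid();
    char line[64];
    int err;

    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;
    /* Since Linux 3.19 an unprivileged process must renounce setgroups()
     * before it is allowed to write gid_map. */
    err = write_proc("/proc/self/setgroups", "deny");
    if (err && err != -ENOENT)          /* file absent on older kernels */
        return err;
    format_id_map(line, sizeof line, inside, outer_uid, 1);
    if ((err = write_proc("/proc/self/uid_map", line)))
        return err;
    format_id_map(line, sizeof line, inside, outer_gid, 1);
    return write_proc("/proc/self/gid_map", line);
}

/* Number of capabilities in the effective set of the calling thread, or
 * -errno.  Inside a fresh user namespace this is the full set, but it is
 * only valid over objects owned by that namespace. */
int count_effective_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    int n = 0;

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    for (int i = 0; i < 2; i++)
        n += __builtin_popcount(data[i].effective);
    return n;
}

int main(void)
{
    printf("outside: euid=%u effective caps=%d\n", geteuid(), count_effective_caps());
    int err = enter_mapped_userns(0);
    if (err) {
        fprintf(stderr, "enter_mapped_userns: %s\n", strerror(-err));
        return 1;
    }
    /* The host still accounts this process as the original uid; only the
     * namespace-local view changed, which is what `id` showed above. */
    printf("inside:  euid=%u effective caps=%d\n", geteuid(), count_effective_caps());
    return 0;
}
```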
148. Chrome multi process sandboxing model
[diagram: several sandboxed processes, each in its own container (mount, pid, network namespaces) restricted by seccomp, each with a separate process address space]
https://chromium.googlesource.com/chromium/src/+/lkgr/docs/linux/sandboxing.md#The-setuid-sandbox
151. Some other users
● https://rootlesscontaine.rs/
  ● allows unprivileged users to fully manage a container runtime
● systemd-coredump
  ● forks itself into an unprivileged container to process coredumps
● various testing frameworks, fake root applications etc.
180. Promoting the bug to a security vulnerability
ignat@buggy:~$ uname -r
6.1.5-cloudflare-2023.1.4
ignat@buggy:~$ id
uid=1000(ignat) gid=1000(ignat) groups=1000(ignat),990(docker),994(kvm)
ignat@buggy:~$ unshare --user --map-root-user --net
root@buggy:~# ip link set lo up
root@buggy:~# tc qdisc replace dev lo root handle 1: htb default 1
root@buggy:~# tc class add dev lo parent 1: classid 1:1 htb rate 10mbit
root@buggy:~# tc qdisc add dev lo parent 1:1 handle 10: noqueue
root@buggy:~# ping -I lo -w 1 -c 1 1.1.1.1
ping: Warning: source address might be selected on device other than: lo
PING 1.1.1.1 (1.1.1.1) from 0.0.0.0 lo: 56(84) bytes of data.
[ 342.000820][ T412] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 342.005797][ T412] #PF: supervisor instruction fetch in kernel mode
[ 342.011184][ T412] #PF: error_code(0x0010) - not-present page
[ 342.017450][ T412] PGD 0 P4D 0
[ 342.021725][ T412] Oops: 0010 [#1] PREEMPT SMP NOPTI
[ 342.026103][ T412] CPU: 0 PID: 412 Comm: ping Not tainted 6.1.5-cloudflare-2023.1.4 #1
[ 342.030754][ T412] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
...
186. Why does it happen?
int some_kernel_func(void)
{
    if (!capable(CAP_SYS_ADMIN))
        return -EPERM;
    /* do some privileged stuff (callout on the slide: "may contain bugs") */
    return 0;
}
199. Making unprivileged user namespaces privileged again
"We need to disable unprivileged user namespaces, because they create more vulnerabilities."
"We need to keep unprivileged user namespaces, because they allow for more secure designs."
221. We need a new hook
https://lwn.net/Articles/903580/
"We need to keep unprivileged user namespaces, because they allow for more secure designs."
235. Using the new userns_create hook from Linux 6.1
ignat@dev:~$ cat load.c
#include <stdio.h>
#include "userns.skel.h"

int main(void)
{
    struct userns *skel = userns__open_and_load();
    if (!skel)
        return 1;
    if (userns__attach(skel)) {
        userns__destroy(skel);
        return 1;
    }
    /* The LSM program stays attached only while this process, and with it
     * the link fd, is alive (unless the link is pinned): wait for Enter. */
    getchar();
    userns__destroy(skel);
    return 0;
}
245. Using the new userns_create hook from Linux 6.1
ignat@dev:~$ clang -O2 -target bpf -I/usr/include -I/usr/include/x86_64-linux-gnu -c userns.c -o userns.o
ignat@dev:~$ /sbin/bpftool gen skeleton userns.o > userns.skel.h
ignat@dev:~$ gcc -o load load.c -lbpf
ignat@dev:~$ sudo ./load
ignat@dev:~$ unshare --user --map-root-user
unshare: unshare failed: Operation not permitted
ignat@dev:~$ cp /usr/bin/unshare ./trusted
ignat@dev:~$ ./trusted --user --map-root-user
root@dev:~# exit
logout
ignat@dev:~$
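The userns.c that the build above compiles is not in the extracted slides, so here is an added example of what such a BPF LSM program can look like (my code, not the speaker's): user namespace creation is allowed for uid 0 and for a process whose command name is "trusted", which matches the ./trusted run above, and denied with -EPERM for everyone else, which is the "Operation not permitted" that unshare reported. The helper ids and the hook name are from the kernel UAPI; matching on the 15-character comm is a demo-only identity check (the slide's own cp of unshare shows how easily a name is satisfied), and a deployment would key on something harder to forge, such as the executable's device and inode numbers.

```c
#include <errno.h>

/* Minimal stand-ins for <bpf/bpf_helpers.h>: a section macro and the two
 * helpers this program needs, called by their ids from
 * include/uapi/linux/bpf.h (15 = bpf_get_current_uid_gid,
 * 16 = bpf_get_current_comm).  Declaring them this way lets the same file
 * compile with the slide's clang -target bpf command and with a host gcc
 * (for unit-testing the policy function). */
#define SEC(name) __attribute__((section(name), used))
static unsigned long long (*bpf_get_current_uid_gid)(void) = (void *)15;
static long (*bpf_get_current_comm)(void *buf, unsigned int size) = (void *)16;

#define TASK_COMM_LEN 16

/* Exact match against the allow-listed command name.  The loop bound is a
 * compile-time constant so the BPF verifier can prove termination. */
static int comm_is_trusted(const char *comm)
{
    const char trusted[] = "trusted";          /* 8 bytes including NUL */
    for (unsigned i = 0; i < sizeof(trusted); i++)
        if (comm[i] != trusted[i])
            return 0;
    return 1;
}

/* Pure policy decision, kept apart from the hook so it can be unit-tested
 * on the host: 0 = allow, -EPERM = deny (what unshare reported above). */
static int userns_policy(unsigned int uid, const char *comm)
{
    if (uid == 0)                 /* privileged user namespaces stay allowed */
        return 0;
    if (comm_is_trusted(comm))    /* the allow-listed application */
        return 0;
    return -EPERM;
}

char LICENSE[] SEC("license") = "GPL";

/* Attached to security_create_user_ns() via the userns_create LSM hook
 * (Linux 6.1+).  ctx[0] holds the struct cred * argument; it is unused
 * here because identity is taken from the helpers instead. */
SEC("lsm/userns_create")
int restrict_userns(unsigned long long *ctx)
{
    char comm[TASK_COMM_LEN] = { 0 };
    /* low 32 bits are the uid as seen from the initial user namespace */
    unsigned int uid = (unsigned int)bpf_get_current_uid_gid();

    (void)ctx;
    if (bpf_get_current_comm(comm, sizeof(comm)) < 0)
        return -EPERM;
    return userns_policy(uid, comm);
}
```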
249. Conclusions
● Unprivileged user namespaces are a nice building block in Linux, allowing for better application sandboxing, rootless containers and a reduced need for setuid programs
● However, uncontrolled namespaces may widen the system attack surface by escalating simple kernel bugs to security vulnerabilities
● We can still get the best of both worlds by utilizing Linux Security Modules to provide fine-grained application access to unprivileged user namespace functionality
● BPF-LSM is a newer, more developer-friendly LSM, which allows programmable security policies to enhance Linux system security