Subject: Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel
To: James Morris, Casey Schaufler
Cc: kristen@linux.intel.com, kernel-hardening@lists.openwall.com, deneen.t.dock@intel.com, linux-kernel@vger.kernel.org, dave.hansen@intel.com, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, arjan@linux.intel.com
References: <20180926203446.2004-1-casey.schaufler@intel.com> <20180926203446.2004-6-casey.schaufler@intel.com>
From: Casey Schaufler
Message-ID: <025d4742-5947-545e-f603-502a0c5ee03f@schaufler-ca.com>
Date: Thu, 27 Sep 2018 15:39:54 -0700
X-Mailing-List: linux-kernel@vger.kernel.org

On 9/27/2018 2:45 PM, James Morris wrote:
> On Wed, 26 Sep 2018, Casey Schaufler wrote:
>
>> + /* >> + * Namespace checks. Considered safe if: >> + * cgroup namespace is the same >> + * User namespace is the same >> + * PID namespace is the same >> + */ >> + if (current->nsproxy) >> + ccgn = current->nsproxy->cgroup_ns; >> + if (p->nsproxy) >> + pcgn = p->nsproxy->cgroup_ns; >> + if (ccgn != pcgn) >> + return -EACCES; >> + if (current->cred->user_ns != p->cred->user_ns) >> + return -EACCES; >> + if (task_active_pid_ns(current) != task_active_pid_ns(p)) >> + return -EACCES; >> + return 0;
> I really don't like the idea of hard-coding namespace security semantics
> in an LSM. Also, I'm not sure if these semantics make any sense.

Checks on namespaces were explicitly requested. I think these are the most
sensible, but I'm willing to be educated. I was also requested to check on
potential issues between containers, but as there is no kernel concept of
containers this is the best I see we can do.

> At least make it user configurable.

Would you have a suggested granularity? I could have a configuration
option for each of cgroups, user and pid namespaces but that's getting
to be a lot of knobs to twist.
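
Review bot: In the quoted namespace hunk, p->nsproxy is tested and then dereferenced a second time (`if (p->nsproxy)` followed by `pcgn = p->nsproxy->cgroup_ns;`) with no task_lock(p) or other protection visible in these lines, so the pointer can become NULL between the check and the use if p is exiting. Reading the other task's nsproxy once into a local while holding task_lock(p) would close that window, and p->cred->user_ns deserves the same care, for example via __task_cred(p) under rcu_read_lock(). The declarations of ccgn and pcgn are not in the quoted lines: since each is assigned only when the corresponding nsproxy is non-NULL, both need to start as NULL for the `ccgn != pcgn` comparison to be defined, and it is worth stating in the comment that two tasks without an nsproxy compare equal and are therefore treated as safe as far as the cgroup namespace is concerned.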