Date: Fri, 28 Sep 2018 09:43:23 +1000 (AEST)
From: James Morris
To: "Schaufler, Casey"
cc: Casey Schaufler, kristen@linux.intel.com, kernel-hardening@lists.openwall.com, "Dock, Deneen T", linux-kernel@vger.kernel.org, "Hansen, Dave", linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, arjan@linux.intel.com
Subject: RE: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel
In-Reply-To: <99FC4B6EFCEFD44486C35F4C281DC67321463CE3@ORSMSX107.amr.corp.intel.com>
References: <20180926203446.2004-1-casey.schaufler@intel.com> <20180926203446.2004-6-casey.schaufler@intel.com> <025d4742-5947-545e-f603-502a0c5ee03f@schaufler-ca.com> <99FC4B6EFCEFD44486C35F4C281DC67321463CE3@ORSMSX107.amr.corp.intel.com>

On Thu, 27 Sep 2018, Schaufler, Casey wrote:

> > > On 9/27/2018 2:45 PM, James Morris wrote:
> > > > On Wed, 26 Sep 2018, Casey Schaufler wrote:
> > > >
> > > >> + /*
> > > >> + * Namespace checks. Considered safe if:
> > > >> + * cgroup namespace is the same
> > > >> + * User namespace is the same
> > > >> + * PID namespace is the same
> > > >> + */
> > > >> + if (current->nsproxy)
> > > >> + ccgn = current->nsproxy->cgroup_ns;
> > > >> + if (p->nsproxy)
> > > >> + pcgn = p->nsproxy->cgroup_ns;
> > > >> + if (ccgn != pcgn)
> > > >> + return -EACCES;
> > > >> + if (current->cred->user_ns != p->cred->user_ns)
> > > >> + return -EACCES;
> > > >> + if (task_active_pid_ns(current) != task_active_pid_ns(p))
> > > >> + return -EACCES;
> > > >> + return 0;
> > > >
> > > > I really don't like the idea of hard-coding namespace security semantics
> > > > in an LSM. Also, I'm not sure if these semantics make any sense.
> > >
> > > Checks on namespaces were explicitly requested.
> >
> > By whom and what is the rationale?
>
> The rationale is to protect containers. Since the closest thing
> there is to a definition of containers is "uses namespaces" that
> becomes the focus. Separating them out does not make too much
> sense as I would expect someone concerned with one to be concerned
> with all.

A lot of people will not be using user namespaces due to security
concerns, so with this hard-coded logic, you are saying this case is
'safe' in a sidechannel context.

Which hints at the deeper issue that containers are a userland
abstraction. Protection of containers needs to be defined by userland
policy.

-- 
James Morris
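Review bot: the cgroup namespace comparison in the quoted hunk fails open when nsproxy is NULL. `ccgn` and `pcgn` are only assigned under `if (current->nsproxy)` and `if (p->nsproxy)`, so if both pointers are NULL (their initial values are outside the quoted lines) the two unassigned variables compare equal, `if (ccgn != pcgn)` does not fire, and the code continues as though the cgroup namespaces matched, while the user and PID namespace checks that follow have no such gap. For a "considered safe if" check the conservative result is to deny when either task has no nsproxy, e.g. `if (!current->nsproxy || !p->nsproxy) return -EACCES;` before the assignments, so an unknown namespace never counts as the same namespace.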