Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp96390imm; Thu, 27 Sep 2018 16:48:27 -0700 (PDT) X-Google-Smtp-Source: ACcGV60FZ7t/Oy2d+ZxGfawSl3ZTXu8nl+N6Ko02YgUvH22BPMU15xFlBIGyMFuP2wCfjzkTDyC/ X-Received: by 2002:a62:c502:: with SMTP id j2-v6mr14026666pfg.194.1538092107332; Thu, 27 Sep 2018 16:48:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538092107; cv=none; d=google.com; s=arc-20160816; b=FBEWWOX940K9PRkP8LuLP1quj1AoPP+rToX4GFH+4OZkqy7PXifTCSRnTU5PAkK52/ tB1MC445X4ovXl9L0BpJfZGnzAZD0s7TXYCxNIAXwX6hoyRHuxWuecxkls6E5KHsENpT NdiPpgfch0m7tzZRvb/J5V8hAh5xXfnvEDFHM11Le36TvZnhAHul2gwHkDucuqEDtHAL 3IZ3wHQp9pGd0imdfDrJvm3rTbx/wgqTh6hc2J/CiYsJPKrCdNMOKbzoyfL3NEjVwxeW M1C4kIXKC2aNNCNy+Y/Ri1UX6qohXXVZDLTwxPNMM7jG6FE3yV/YQR3p6KmOmMtU0iwd QAOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=WZthzNMGJzXPWrh3q4JbA1otK2sBWap9CYwk3FTi2D8=; b=ErTI11N497/tQYIfG8kMpWf3ZIfvhmBs6IFESaYvl3WwfuVPVQiF2MZOREStTnAHXL aYOV92McrWrt5e3VkEucpyxT78F8TAPIfOJlI+UeSgDkaMvKAAGV6r4XwqD4pGNdH0Vc effg8Tx2WFgJUg77PA/5RqMSd9G4u0/vkMdyNZoP7q6/xb4Kwrzto6xSXmjlPNeFhNfz USvuVSNCh5R+FZNOh/oYwoziYft9OgXPIvixgScb8NRAfuy3fa2pcv4gDZQffIk/bo41 X06Evg3x+xLobGf5+Wj4rbnOkPFbeGDOCj9s4vUctzH168oPBe3g1oDxYqDCEUsFPc81 hbJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=BCjAUAE7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o67-v6si3230127pga.597.2018.09.27.16.48.11; Thu, 27 Sep 2018 16:48:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=BCjAUAE7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726100AbeI1GIz (ORCPT + 99 others); Fri, 28 Sep 2018 02:08:55 -0400 Received: from mail-ot1-f65.google.com ([209.85.210.65]:33689 "EHLO mail-ot1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725957AbeI1GIz (ORCPT ); Fri, 28 Sep 2018 02:08:55 -0400 Received: by mail-ot1-f65.google.com with SMTP id m23-v6so4358243otf.0 for ; Thu, 27 Sep 2018 16:48:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WZthzNMGJzXPWrh3q4JbA1otK2sBWap9CYwk3FTi2D8=; b=BCjAUAE7buk+SgyamvxrNRtFEldwbG+SnkeAD1llNn/CKTGtxDfJFwbLFEbyvuIkxd 4QT3Ew8JJ7hi6Hp++TbSGPtRNC9sr7D8GCDaE7OmVZNFmSQZfS0TC3Pk0qIUBE2uxkvQ z8liqCJIeLaBfiEWmBmEK+FvfnGPDMI3u6n6Zuq+FtjvnF2p4BIC+o71QQVAJ4L2T+2S IL/0fr3ray6sJ9x+CtBHv9jSsM2DjMdsucSaX0fGPDtdoch25sqdOcMXV7c69NIw6fiM rU/yKW1rToDvyEKRnVwmE2X54bshYT9Cy9VpusmXYKn57Jh7E6SMqnMFhUw4Qka6HejW RQyw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WZthzNMGJzXPWrh3q4JbA1otK2sBWap9CYwk3FTi2D8=; b=VAMVs8wc/T1uFrgIElAs8MizMsU+ZVkOE4+yIzsZfwcyIw+jx5FxsDPfdwlBaZ9R6Q 58RanbgUWX0EiWcJaqB4oY4o8c/G+TO7RNtnVKiE7vvV/iyGkazSB+QqV5ON9Mt5AYXF 2QfI/gG9MEZoCtnp3t/DZmLY+9yI6rLmbHm11pGtCYQeJaDQmQ1GMozgYi6JUpSnk4rE zD4HP+ED1qH7IHfRqCcQSF5aqgLKIY0vkuGZNkFiEJqnwDbbxv97cwJM614pepNswVf3 W1gxldfWbYLRLaaFij9r1ySpsinvr3fSMwkBGpf5VETNx5xqsybHZHsK+rypCDWwqsZo 9CfA== X-Gm-Message-State: ABuFfohRWDrdGBPELLkgB+YaSU3Yt1f3+Ath+h5+MNVEd/vpyLRtulNq qswzxFpgXkL9Uem5TwMGlo7k4hHCbPMMNfYkqvT+bw== X-Received: by 2002:a9d:2843:: with SMTP id h3-v6mr8861996otd.230.1538092085510; Thu, 27 Sep 2018 16:48:05 -0700 (PDT) MIME-Version: 1.0 References: <20180926203446.2004-1-casey.schaufler@intel.com> <20180926203446.2004-6-casey.schaufler@intel.com> <025d4742-5947-545e-f603-502a0c5ee03f@schaufler-ca.com> <99FC4B6EFCEFD44486C35F4C281DC67321463CE3@ORSMSX107.amr.corp.intel.com> In-Reply-To: From: Jann Horn Date: Fri, 28 Sep 2018 01:47:39 +0200 Message-ID: Subject: Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel To: James Morris Cc: Casey Schaufler , Casey Schaufler , kristen@linux.intel.com, Kernel Hardening , deneen.t.dock@intel.com, kernel list , Dave Hansen , linux-security-module , selinux@tycho.nsa.gov, Arjan van de Ven Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 28, 2018 at 1:43 AM James Morris wrote: > On Thu, 27 Sep 2018, Schaufler, Casey wrote: > > > > On 9/27/2018 2:45 PM, James Morris wrote: > > > > > On Wed, 26 Sep 2018, Casey Schaufler wrote: > > > > > > > > > >> + /* > > > > >> + * Namespace checks. Considered safe if: > > > > >> + * cgroup namespace is the same > > > > >> + * User namespace is the same > > > > >> + * PID namespace is the same > > > > >> + */ > > > > >> + if (current->nsproxy) > > > > >> + ccgn = current->nsproxy->cgroup_ns; > > > > >> + if (p->nsproxy) > > > > >> + pcgn = p->nsproxy->cgroup_ns; > > > > >> + if (ccgn != pcgn) > > > > >> + return -EACCES; > > > > >> + if (current->cred->user_ns != p->cred->user_ns) > > > > >> + return -EACCES; > > > > >> + if (task_active_pid_ns(current) != task_active_pid_ns(p)) > > > > >> + return -EACCES; > > > > >> + return 0; > > > > > I really don't like the idea of hard-coding namespace security semantics > > > > > in an LSM. Also, I'm not sure if these semantics make any sense. > > > > > > > > Checks on namespaces where explicitly requested. > > > > > > By whom and what is the rationale? > > > > The rationale is to protect containers. Since those closest thing > > there is to a definition of containers is "uses namespaces" that > > becomes the focus. Separating them out does not make too much > > sense as I would expect someone concerned with one to be concerned > > with all. > > A lot of people will not be using user namespaces due to security > concerns, Ugh. > so with this hard-coded logic, you are saying this case is > 'safe' in a sidechannel context. > > Which hints at the deeper issue that containers are a userland > abstraction. Protection of containers needs to be defined by userland > policy. Or just compare mount namespaces additionally/instead. I think that containers will always use those, because AFAIK nobody uses chroot() for containers, given that the kernel makes absolutely no security guarantees about chroot().