Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0EA09C4332F
	for <linux-kernel@archiver.kernel.org>; Thu, 16 Dec 2021 16:28:55 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236540AbhLPQ2x (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Thu, 16 Dec 2021 11:28:53 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45032 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229539AbhLPQ2w (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 16 Dec 2021 11:28:52 -0500
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 16EAAC061574;
        Thu, 16 Dec 2021 08:28:52 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id C04C0B82499;
        Thu, 16 Dec 2021 16:28:50 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0945EC36AE4;
        Thu, 16 Dec 2021 16:28:42 +0000 (UTC)
Date:   Thu, 16 Dec 2021 17:28:38 +0100
From:   Christian Brauner <christian.brauner@ubuntu.com>
To:     Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc:     linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
        serge@hallyn.com, containers@lists.linux.dev,
        dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
        krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
        mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
        puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
        linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com,
        linux-security-module@vger.kernel.org, jmorris@namei.org,
        Stefan Berger <stefanb@linux.ibm.com>,
        James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: Re: [PATCH v7 10/14] securityfs: Extend securityfs with namespacing
 support
Message-ID: <20211216162838.pst35cnqlu36i7t6@wittgenstein>
References: <20211216054323.1707384-1-stefanb@linux.vnet.ibm.com>
 <20211216054323.1707384-11-stefanb@linux.vnet.ibm.com>
 <20211216134027.33sprdmhol2tbctf@wittgenstein>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20211216134027.33sprdmhol2tbctf@wittgenstein>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 16, 2021 at 02:40:27PM +0100, Christian Brauner wrote:
> On Thu, Dec 16, 2021 at 12:43:19AM -0500, Stefan Berger wrote:
> > From: Stefan Berger <stefanb@linux.ibm.com>
> > 
> > Extend 'securityfs' for support of IMA namespacing so that each
> > IMA (user) namespace can have its own front-end for showing the currently
> > active policy, the measurement list, number of violations and so on.
> > 
> > Drop the addition dentry reference to enable simple cleanup of dentries
> > upon umount.
> > 
> > Prevent mounting of an instance of securityfs in another user namespace
> > than it belongs to. Also, prevent accesses to directories when another
> > user namespace is active than the one that the instance of securityfs
> > belongs to.
> > 
> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
> > ---
> >  security/inode.c | 37 ++++++++++++++++++++++++++++++++++---
> >  1 file changed, 34 insertions(+), 3 deletions(-)
> > 
> > diff --git a/security/inode.c b/security/inode.c
> > index fee01ff4d831..a0d9f086e3d5 100644
> > --- a/security/inode.c
> > +++ b/security/inode.c
> > @@ -26,6 +26,29 @@
> >  static struct vfsmount *init_securityfs_mount;
> >  static int init_securityfs_mount_count;
> >  
> > +static int securityfs_permission(struct user_namespace *mnt_userns,
> > +				 struct inode *inode, int mask)
> > +{
> > +	int err;
> > +
> > +	err = generic_permission(&init_user_ns, inode, mask);
> > +	if (!err) {
> > +		if (inode->i_sb->s_user_ns != current_user_ns())
> > +			err = -EACCES;
> 
> I really think the correct semantics is to grant all callers access
> whose user namespace is the same as or an ancestor of the securityfs
> userns. It's weird to deny access to callers who are located in an
> ancestor userns.
> 
> For example, a privileged process on the host should be allowed to setns
> to the userns of an unprivileged container and inspect its securityfs

s/userns/mntns/

> instance.
> 
> We're mostly interested to block such as scenarios where two sibling
> unprivileged containers are created in the initial userns and an fd
> proxy or something funnels a file descriptor from one sibling container
> to the another one and the receiving sibling container can use readdir()
> or openat() on this fd. (I'm not even convinced that this is actually a
> problem but stricter semantics at the beginning can't hurt. We can
> always relax this later.)
>