Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp4092058iog; Tue, 28 Jun 2022 08:49:10 -0700 (PDT) X-Google-Smtp-Source: AGRyM1virA5ZlrJ+6ziUGOVZ9/KEFQduIb2lTX+hjSeSb91nOKVM7RXLNTwrg/PAxBcsHq6Woagt X-Received: by 2002:a17:902:d50b:b0:16a:2cb3:74f7 with SMTP id b11-20020a170902d50b00b0016a2cb374f7mr4403001plg.6.1656431350457; Tue, 28 Jun 2022 08:49:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656431350; cv=none; d=google.com; s=arc-20160816; b=j7uCwONh4AeGh9GXOfzEgBhdVl91QDMKUsnTR4R24O3a/HPsHM/VoeDtUND7eB6Cw2 YsE/EOVO0vzcrlqXi4c6b1We82P2U53vA8tEIcpkzp71K7RwukPHKJE+NxQP20dozAVf 6Hff9AvhCoage32vDhbJUjkyBOOgvOT+8WWc+aUPPIdVw74Cg/6uIAoCFi7aV/EylQwc 9mqo6Xs1tjscgvRUEqV4QvD1B/03TwI6AV9QTGtks2H9AteYhPvcajWq6K9TNALo+fAD iyHCWj/VPbFNUt5IRVTVb+tsfrpl6ETCdN9V+7lnpxR/2o6CFbSLlGQ14rfZyaPWXevm pfMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=nkzH7QSCl1imbm0hTXo9/+3Qp+0BlsSEHJNs0Hc1eaw=; b=D6+lktjzOHxhfX7Q4tUe8A6OZIDateB7eLWo2kRmoVqFzOr/0vduVbDU0PbyYWoXzy bgsKo4m2fosUdJE8u3/p/t19rpBNG7MsuJyYjHnutSlFDLFJKwacOwuGuPUWrFqBPHkZ EdVm++2Le/R8/9tyRSmTIjrnwunIcz2vtmHQCBA9JzmVbqIWn/qmONQJ+VH60dHb2gLW 16SBMYBbDGiOMsU/kTrFG0lxpq+Lz2eRGV+k0pQhD02zJAYws6j81OPeUuHSra+JAbeT 0dMeb7Yp/VG6IPtxtaxcUwfrsGihaWmmTOyKjy3/A0wwBFoFb0c3YdqQUQN9oeHRIx4F oQnQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=aD8bxTii; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u5-20020a170902e80500b001624d7f36acsi21049901plg.592.2022.06.28.08.48.56; Tue, 28 Jun 2022 08:49:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=aD8bxTii; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346752AbiF1PNg (ORCPT + 99 others); Tue, 28 Jun 2022 11:13:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45776 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348022AbiF1PNU (ORCPT ); Tue, 28 Jun 2022 11:13:20 -0400 Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D06C22516 for ; Tue, 28 Jun 2022 08:13:18 -0700 (PDT) Received: by mail-wr1-x431.google.com with SMTP id o16so18197368wra.4 for ; Tue, 28 Jun 2022 08:13:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nkzH7QSCl1imbm0hTXo9/+3Qp+0BlsSEHJNs0Hc1eaw=; b=aD8bxTii7KraGvmGddDVz/h1eUvPQScBefVu6lWh/XtQN+Th6l5JP38j8mh5PCWdmv ivZ+GOyT4NUp1vLuyf+936OpdtcUm93bHpPi/NuCfFfm9Ht/LcTtKHv5Q5Yhmrn9dtI1 DbqUWvbHd1kOs0y+XGs08N7elWB5WONLt3db+86TV1L3ttSyMEATkEOGkfE/9ammqFfM YlIZ37RjNf7L/JuCA45BZCscPEPc4su/4Vkz3qWt+jDTW8HagxPkpNB/jjKDzQyESgYb gkCorOJB2nwBj2fHqE0wlStR2mdVfAcAbwZML5gfsfYZSV0vXSjyiF7jzoJyJyQFSRlu 6hCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nkzH7QSCl1imbm0hTXo9/+3Qp+0BlsSEHJNs0Hc1eaw=; b=izoLb4Odrtty6BB38dytDH1t5fsqgNqzwMNS1w+WNy2hB8HevJP3BKC2plYnptXVLE EsqfyLFHeDwbY9qjBWRv2Oiwf74oBwaFgbtgAEQmrwJmOSpQVlieQtgbQmiNCNlEUhwp enScrgVu+aRZ6A+NM97AHuphGMcBWabcjHcubjDsGU1ORhxmo3m7JUuSN2BmQM2GQkKk ln2VBrUM8QYGGjtOWkW9qDaa55yAzUiNi92dFkGM5O/R8U/9gjvcLYXEYNcOSHYGbR2+ i/cY2ogSYEo/bx7juBPtVfxAkeI6cOGIVGrWeVfprfijBZflYhtboGawpmGm3FSqKxbm 0Tow== X-Gm-Message-State: AJIora/V6FA4cRcGXaQ2UbC2dKp8Z+x7IQ4YeFUhtESeTzK6nV/myP3x 1F200drPV7/QBUY7Gs+0U/B2w/G4ARF8YRRNMfVhw5XKg5Sb X-Received: by 2002:adf:f186:0:b0:21b:960b:8f9 with SMTP id h6-20020adff186000000b0021b960b08f9mr19216576wro.70.1656429197096; Tue, 28 Jun 2022 08:13:17 -0700 (PDT) MIME-Version: 1.0 References: <20220621233939.993579-1-fred@cloudflare.com> <20220627121137.cnmctlxxtcgzwrws@wittgenstein> <6a8fba0a-c9c9-61ba-793a-c2e0c2924f88@iogearbox.net> In-Reply-To: From: Paul Moore Date: Tue, 28 Jun 2022 11:13:05 -0400 Message-ID: Subject: Re: [PATCH 0/2] Introduce security_create_user_ns() To: Frederick Lawler Cc: Daniel Borkmann , Christian Brauner , Casey Schaufler , kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 28, 2022 at 11:11 AM Frederick Lawler wrote: > On 6/27/22 5:15 PM, Daniel Borkmann wrote: > > On 6/27/22 11:56 PM, Paul Moore wrote: > >> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner > >> wrote: > >>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote: > >> > >> ... > >> > >>>> This is one of the reasons why I usually like to see at least one LSM > >>>> implementation to go along with every new/modified hook. The > >>>> implementation forces you to think about what information is necessary > >>>> to perform a basic access control decision; sometimes it isn't always > >>>> obvious until you have to write the access control :) > >>> > >>> I spoke to Frederick at length during LSS and as I've been given to > >>> understand there's a eBPF program that would immediately use this new > >>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook > >>> infrastructure an LSM" but I think we can let this count as a legitimate > >>> first user of this hook/code. > >> > >> Yes, for the most part I don't really worry about the "is a BPF LSM a > >> LSM?" question, it's generally not important for most discussions. > >> However, there is an issue unique to the BPF LSMs which I think is > >> relevant here: there is no hook implementation code living under > >> security/. While I talked about a hook implementation being helpful > >> to verify the hook prototype, it is also helpful in providing an > >> in-tree example for other LSMs; unfortunately we don't get that same > >> example value when the initial hook implementation is a BPF LSM. > > > > I would argue that such a patch series must come together with a BPF > > selftest which then i) contains an in-tree usage example, ii) adds BPF > > CI test coverage. Shipping with a BPF selftest at least would be the > > usual expectation. > > Sounds good. I'll add both a eBPF selftest and SELinux implementation > for v2. Thanks Daniel! -- paul-moore.com