Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp4123791iog; Tue, 28 Jun 2022 09:26:41 -0700 (PDT) X-Google-Smtp-Source: AGRyM1tY1GW7Ixv0/FdeIT/w7tZY+AACfWP/Ms0Z3p/jfzjzQrLF+3wBndV+ftBZCf+Lgpq8uMru X-Received: by 2002:a63:6c86:0:b0:3fd:ae53:3881 with SMTP id h128-20020a636c86000000b003fdae533881mr17762953pgc.507.1656433601113; Tue, 28 Jun 2022 09:26:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656433601; cv=none; d=google.com; s=arc-20160816; b=E8huh8TGJNY+on4GX7CnztnP8RCTqbqLMX5hQpupcJfTeuRiSxIfBaUTwVbHwW3ZwI ltc2oH3qfFgq43YDB/AyLKJ7HFgTcRbImdZbVtUo7Q+EA9bN279ybckF12nrt7WKsJA2 yD4csW4qxWZFlX04EmGPcp3d2MlEb6SdJaufkVPaNppAyYQLs+aC8oGwUGRNayrhgdeF 6uV0WKShx2e8FnS9q9wEkZVLNauxOofqYle9JdcLzHw/MYDviLxbFi+pAgu2ySq3ZK3l I0KxNYBADLA73V7UBo3w9TkdvZKAjUvVxXS7WjZq01z5b5Mrcnja0m7EHf8qLcecOkzq tm2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=6uA1Cpz6+8Eo99r51xLoJOk2QJU9n4QHuutej5Wtl3U=; b=cSCa3SUj33fk/3hbkJT5KrmusSfnQpagGnfmjYTWtzt9QDxFiOiKaL7k5yZp2aQjaj nQlO8aL9oCjWrbD2GzrSTrmY9EwgrdmAI4IpgMIowQEq5XIr1svNgYpzwGt+AkE0HE5Z HuNY9lw2+QqFl0PN9pJD6k6fagXusGjB+6khPwdD5TXx0PctJ3+YcHaGqL8dnruyG4Bp KbBeRvxM+c1l16xuNs7Ugi4L1ZDBTLR/j6zSogj2pMDHqMXxKGFqpgyFF5Sfx+7xYa7t YwyJ+YittZJ0zspCRhOzWCijPr/6D+YW705VR0WO+D212nADSwIxwLZhRmKEcg4mW1r2 4EVQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RthYxAUp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l184-20020a6388c1000000b0040cfc09baa7si18670089pgd.749.2022.06.28.09.26.25; Tue, 28 Jun 2022 09:26:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RthYxAUp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236230AbiF1QUq (ORCPT + 99 others); Tue, 28 Jun 2022 12:20:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41498 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232951AbiF1QUG (ORCPT ); Tue, 28 Jun 2022 12:20:06 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 24C773AA73 for ; Tue, 28 Jun 2022 09:12:40 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C8BDFB81F14 for ; Tue, 28 Jun 2022 16:12:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7252AC341CC for ; Tue, 28 Jun 2022 16:12:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1656432757; bh=EIP5j5pZ7wbFNo8siwNKuft7SrlYIU0lHe3T+ppJNCY=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=RthYxAUpkMhtCPVpjqK/2tyQbKXMLwVyHDoez99UtKDcFb4i7v/gA+J0j79uGS05+ JmBwd5N8KOjpUWYgdyPSEcR9LDD4l4m5LDMxFXzIVFYP81P/+k9gYmetUTpowsrObO swu7ITNGRhlx3cW8/JVzyWwoJZ7qipXr7+YPZkMHKjFB32WNM8n+wc78dcfwsohPhp zFf06R5P+++x/7X7p6mwEvht4NCmX4EIurJINw0Z7A6Xqh5jebH0IjlwuQWR0Fy/MS CukYIpGb9G+tBIEa0P7mqUUfmNf/8s4bK/GhrfEfxiju9wLSpPMS+KaqLFT7QtJkf8 yDYVUCsB4z/mA== Received: by mail-yw1-f175.google.com with SMTP id 00721157ae682-3137316bb69so122011937b3.10 for ; Tue, 28 Jun 2022 09:12:37 -0700 (PDT) X-Gm-Message-State: AJIora8LJ508j9d6NjpihHMRpdBq9Vlb0fUU1C8SpM7tfJJlEHJklrcu Tx+sTsUQBCWdLodqSo57nLkxKh+pZYcNdIKnZvS6PQ== X-Received: by 2002:a81:1b4b:0:b0:317:a2dd:31fa with SMTP id b72-20020a811b4b000000b00317a2dd31famr22481892ywb.476.1656432756482; Tue, 28 Jun 2022 09:12:36 -0700 (PDT) MIME-Version: 1.0 References: <20220621233939.993579-1-fred@cloudflare.com> <20220627121137.cnmctlxxtcgzwrws@wittgenstein> <6a8fba0a-c9c9-61ba-793a-c2e0c2924f88@iogearbox.net> <685096bb-af0a-08c0-491a-e176ac009e85@schaufler-ca.com> <9ae473c4-cd42-bb45-bce2-8aa2e4784a43@cloudflare.com> In-Reply-To: From: KP Singh Date: Tue, 28 Jun 2022 18:12:25 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 0/2] Introduce security_create_user_ns() To: Casey Schaufler Cc: Frederick Lawler , Paul Moore , Daniel Borkmann , Christian Brauner , revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 28, 2022 at 6:02 PM Casey Schaufler wrote: > > On 6/28/2022 8:14 AM, Frederick Lawler wrote: > > On 6/27/22 6:18 PM, Casey Schaufler wrote: > >> On 6/27/2022 3:27 PM, Paul Moore wrote: > >>> On Mon, Jun 27, 2022 at 6:15 PM Daniel Borkmann wrote: > >>>> On 6/27/22 11:56 PM, Paul Moore wrote: > >>>>> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner wrote: > >>>>>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote: > >>>>> ... > >>>>> > >>>>>>> This is one of the reasons why I usually like to see at least one LSM > >>>>>>> implementation to go along with every new/modified hook. The > >>>>>>> implementation forces you to think about what information is necessary > >>>>>>> to perform a basic access control decision; sometimes it isn't always > >>>>>>> obvious until you have to write the access control :) > >>>>>> I spoke to Frederick at length during LSS and as I've been given to > >>>>>> understand there's a eBPF program that would immediately use this new > >>>>>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook > >>>>>> infrastructure an LSM" but I think we can let this count as a legitimate > >>>>>> first user of this hook/code. > >>>>> Yes, for the most part I don't really worry about the "is a BPF LSM a > >>>>> LSM?" question, it's generally not important for most discussions. > >>>>> However, there is an issue unique to the BPF LSMs which I think is > >>>>> relevant here: there is no hook implementation code living under > >>>>> security/. While I talked about a hook implementation being helpful > >>>>> to verify the hook prototype, it is also helpful in providing an > >>>>> in-tree example for other LSMs; unfortunately we don't get that same > >>>>> example value when the initial hook implementation is a BPF LSM. > >>>> I would argue that such a patch series must come together with a BPF > >>>> selftest which then i) contains an in-tree usage example, ii) adds BPF > >>>> CI test coverage. Shipping with a BPF selftest at least would be the > >>>> usual expectation. > >>> I'm not going to disagree with that, I generally require matching > >>> tests for new SELinux kernel code, but I was careful to mention code > >>> under 'security/' and not necessarily just a test implementation :) I > >>> don't want to get into a big discussion about it, but I think having a > >>> working implementation somewhere under 'security/' is more > >>> discoverable for most LSM folks. > >> > >> I agree. It would be unfortunate if we added a hook explicitly for eBPF > >> only to discover that the proposed user needs something different. The > >> LSM community should have a chance to review the code before committing > >> to all the maintenance required in supporting it. > >> > >> Is there a reference on how to write an eBPF security module? > > > > There's a documentation page that briefly touches on a BPF LSM implementation [1]. > > That's a brief touch, alright. I'll grant that the LSM interface isn't > especially well documented for C developers, but we have done tutorials > and have multiple examples. I worry that without an in-tree example for > eBPF we might well be setting developers up for spectacular failure. > Casey, Daniel and I are recommending an in-tree example, it will be in BPF selftests and we will CC you on the reviews. Frederick, is that okay with you? > > > >> There should be something out there warning the eBPF programmer of the > >> implications of providing a secid_to_secctx hook for starters. > >> > > > > Links: > > 1. https://docs.kernel.org/bpf/prog_lsm.html?highlight=bpf+lsm# > >