Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Thu, 21 Jul 2022 23:11:37 -0700
From:   Martin KaFai Lau <kafai@fb.com>
To:     Frederick Lawler <fred@cloudflare.com>
Cc:     kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org,
        ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
        songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com,
        jmorris@namei.org, serge@hallyn.com, paul@paul-moore.com,
        stephen.smalley.work@gmail.com, eparis@parisplace.org,
        shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com,
        ebiederm@xmission.com, bpf@vger.kernel.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
        linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, kernel-team@cloudflare.com,
        cgzones@googlemail.com, karl@bigbadwolfsecurity.com
Subject: Re: [PATCH v3 0/4] Introduce security_create_user_ns()
Message-ID: <20220722061137.jahbjeucrljn2y45@kafai-mbp.dhcp.thefacebook.com>
References: <20220721172808.585539-1-fred@cloudflare.com>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220721172808.585539-1-fred@cloudflare.com>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?ETPW4kDzs7kZljRE/+D3C/ZFCjpnlcZy5INxArRhtEzP/rbJl49+PmjkdFLU?=
 =?us-ascii?Q?SAQDmMl3DxLYT7t6ve/NRcjKnSyVDT0T8/7QvhBINXyc79z4NHs5RMxeN6i2?=
 =?us-ascii?Q?PW41XCgPxzij/9SQujJasGvGgrUGxvl4a/b7r6Jb4zJPggiXor/bijeRBjjT?=
 =?us-ascii?Q?tGJy2joKHQd6/MeqVkW0pBUuJSu2XdLP3uLTVwJ1I5Zr1f5HqQnLl+ncvq3D?=
 =?us-ascii?Q?xvyHmc7T/aPThFyR9ebkVDYRCTq21T2C2r+S1A1ZcUlNKqFK1PrU+lnj0Bvi?=
 =?us-ascii?Q?1HRFJfo/5NOqqMD3boZFrsH+BxpdxUuSVbCMw9tovaXcKASVpxLpz8okCfmf?=
 =?us-ascii?Q?ELBY/ryW/4hwYA4L1+9Q1B8z9buCzllV6iayNw62CLRrJ+FWFHXl2bmMo05f?=
 =?us-ascii?Q?F35TBspGA9C9AMYW/1e1laC8Be4IkD0Fa60lqp0WDmU0ENv9z3t1WHzv7i6w?=
 =?us-ascii?Q?o3ibUY7nbIYX1GH6evTJCYIxTY+z+kutofbekwkWSijT/y2ZFyQNVLnVcS+9?=
 =?us-ascii?Q?kPOPUbLWxiDCCAoeD/PhUTydqlH6D2AAVjsPX/iETq5Y3dPakPHBT+8tnEPO?=
 =?us-ascii?Q?dBr6oAUK+dbMyoQArJnfXBsa4w8iQmGAMlzAtJWkMMH6u7+uphom0VS/N/Yj?=
 =?us-ascii?Q?ytgykIhv309JZGA1UqQx8mpHD+QdbMq600hx4sUbe9IPOnvB6v43ysoDPcOE?=
 =?us-ascii?Q?kkuEeRvrOj4OLywXszBRQJkKjWN+qGX0hzP1B25loD3jeir5ZEyLBY5Of0Tm?=
 =?us-ascii?Q?9LMfBWJK9ZUrDXAfYvq3+azfSj52YfxOOqYDXZZT6aNZZU+5596fOd0dcNpY?=
 =?us-ascii?Q?jq3gT2B7yzBeIud3cjwc3npJL/OaJQISV1gpQPHCu8A0RonYkD3SfT+7bM/D?=
 =?us-ascii?Q?fShvVrud0YPMyvljl5VkYEyh4mtCibEKqBx0bu0HDkCtJ5lFcyYBew7WgSSh?=
 =?us-ascii?Q?S6KQKcpJjW45Qm/+x71ly01jvEB94Gq+Ep6UjH3B6/gLeNDSpD9j8T+HGxOQ?=
 =?us-ascii?Q?stVmcwDPit8sEEUg3iyb5Vi0RaL7NKgN3NuEz1iZqti+xcMCPygPVk/ATTh3?=
 =?us-ascii?Q?+e0ZpwGkUpgpRwCzmpxJ/VTMG4iWY2vYSMEPbXcoljVX7f8Hy8S0GRhpURAr?=
 =?us-ascii?Q?9yZf4qp/jogxEaWmNF/XXIxrpZ2zE/94kIV6qVtIt1aybooyFQj+MXQKf2V/?=
 =?us-ascii?Q?/R5GOOwW/5bbuCEjpvt+XFsl4Pg1G3mNo7V0s2qgwGhRLeHW1xuFRbujq0KC?=
 =?us-ascii?Q?QWVmPdqDhgIt7rpxaPBwlXxnNCShWOzjGKN82vtGxgEyKvvLXne2zfI7elkV?=
 =?us-ascii?Q?/3CHz68Hl9yUzacIdDJx+aIVxoDiUNvR5E6+xp9GE71FC4aRNqavjQcnC4Hv?=
 =?us-ascii?Q?zmK5WZZAaXbTa/LvrIG/4goSAsg0CR5J9ioU3Mm56ZPZgr/j6onuVMBb2YJM?=
 =?us-ascii?Q?f0ELEctrOWIYeY9vqdC9a7zdOWQPb/+F/GAy2cUeRUM/1WMpXPs+tQ5+oEqV?=
 =?us-ascii?Q?x4NEkAeyJNShCujlmMgQyuS8sHDMO7GIdffRD+jTWcbw0e+64sJWWifLIzTi?=
 =?us-ascii?Q?YiWVP0qjG1ewWA5lrZJTXZNrI6WPv1fPoPUIWlrjRi7vQVevSqqJfZTQpcdP?=
 =?us-ascii?Q?Ww=3D=3D?=
X-OriginatorOrg: fb.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9ea058df-5384-4944-8ba1-08da6ba90a8f
X-MS-Exchange-CrossTenant-AuthSource: MW4PR15MB4475.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jul 2022 06:11:39.9201
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: JKjWgYOy+UI/ylJd3yKQMh5paPyf5epSIudMvJ3JCzOpkFxFKQ6wcjqbGhirMS/p
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR15MB4328
X-Proofpoint-GUID: fNgtJ6KDVgM05xSMF9OI1uMuWXKF2vjY
X-Proofpoint-ORIG-GUID: fNgtJ6KDVgM05xSMF9OI1uMuWXKF2vjY
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1
 definitions=2022-07-21_28,2022-07-21_02,2022-06-22_01
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 21, 2022 at 12:28:04PM -0500, Frederick Lawler wrote:
> While creating a LSM BPF MAC policy to block user namespace creation, we
> used the LSM cred_prepare hook because that is the closest hook to prevent
> a call to create_user_ns().
> 
> The calls look something like this:
> 
>     cred = prepare_creds()
>         security_prepare_creds()
>             call_int_hook(cred_prepare, ...
>     if (cred)
>         create_user_ns(cred)
> 
> We noticed that error codes were not propagated from this hook and
> introduced a patch [1] to propagate those errors.
> 
> The discussion notes that security_prepare_creds()
> is not appropriate for MAC policies, and instead the hook is
> meant for LSM authors to prepare credentials for mutation. [2]
> 
> Ultimately, we concluded that a better course of action is to introduce
> a new security hook for LSM authors. [3]
> 
> This patch set first introduces a new security_create_user_ns() function
> and userns_create LSM hook, then marks the hook as sleepable in BPF.
Patch 1 and 4 still need review from the lsm/security side.