Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp412896imi;
        Fri, 22 Jul 2022 01:39:48 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1u9tdh9wNMmXtRA6CtmQm94r9MGpS5plMc7KDjhfODypioH1aQJUZ+PLRL8rV53amd2bJo/
X-Received: by 2002:a17:906:84e8:b0:72e:2f3c:6784 with SMTP id zp8-20020a17090684e800b0072e2f3c6784mr2334102ejb.390.1658479188538;
        Fri, 22 Jul 2022 01:39:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1658479188; cv=none;
        d=google.com; s=arc-20160816;
        b=JJygkz/wfONOC+d2bTw2VWzRNlJZFruU35xUvUrEiSmIJY8mJnSvKo+DXMr77OKg4D
         gnwr/I4PVsfbKmExOhiAE/kYhUxmbxiX5CQUzRgmMkFWepzuFPQDNtizrQdAPDMFYLJr
         /NeYBL7KdGpiFBOp/SECyEvfbe9QUiWqVSI3kyqP7h4rzMU0IKIHStcdQFKOvpGRLAXv
         IN1W2wt6/+kFnDSEzouT3pVugm2iqbAiCoiMe9BUaszsPIsPx8x3j2owW3OxhjpEft3I
         5lV4eNAhF27kX5roy851F6tlmsP/CZeEu899UWQ1NgEHV+DHqJry/N4IcZJObrk7AI17
         rCXw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=JYJyyfANxYL0K8SKTbmx0UeRPutall71KwwNtlfZE30=;
        b=OwiCequyEMPRA7Q7Pf8UwS25dkG9j1ZCglMVyK88j0IdSCCSm0r4cOV2WCT0ZNQDvZ
         iVAE9OgnaLJ8IIjGjq9fcUkHPLmGDvhtows+9Mvw7zyExr6sYcO0QwdzELfI4zm5bpfn
         hsaUyEz7fGfEfEFZjMF1OouLcY2VS5NdRNfQfQkFqA+x5ES64IBqNPMrJsh6bbxwu1Nj
         bQ0MQ3J+vrE+1vl1h2iJlfaoy8pJzSASRA/PvB/nO+DDHTyg95Uq2ZJ5+g4uG7ZKSbrM
         YmLJRm66fovAkpyAPXHJnoZ7uuUi6IBvJpMBVIFYQWG00MYmhbifpZCUirRVhCM94tNa
         kp5w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=CCJKmNZS;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id le14-20020a170906ae0e00b0072fac45320dsi800900ejb.357.2022.07.22.01.39.24;
        Fri, 22 Jul 2022 01:39:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=CCJKmNZS;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234909AbiGVIWN (ORCPT <rfc822;alizee.penel@gmail.com>
        + 99 others); Fri, 22 Jul 2022 04:22:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48800 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230490AbiGVIWM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 22 Jul 2022 04:22:12 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5EDCD9E29F;
        Fri, 22 Jul 2022 01:22:11 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 112CBB8273C;
        Fri, 22 Jul 2022 08:22:10 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A427EC341C6;
        Fri, 22 Jul 2022 08:22:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1658478128;
        bh=XGwOBIQ70b38PDak8j4LkJrvWTb0yE8WzAWK9ZxMX4Y=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=CCJKmNZSo0xL/TYMV2O0Ody1OFAoC7gA7iwMj9taKid7LZJ8uMkZUiXG+aKiVHAG0
         kVE4bHC3UBv5XXr2yhF27+4y27ZEI27zTB7dczgp3h3vpnq62QBoTxKnR8fvsO3e/1
         JmAGrMrEhSajJegpu6zum04O7kpgPsC82/xnxm9YcqtBRDGcCWbvTHz6C3U1kOQUJ6
         Htm1f21uYIgXWE8NbUio/BbgUJMT7Iby9CvcvJDyaNpw8+qufM5g0UnGWS8eeE/Qa9
         7bz4OfWlBbPxGPlkSZSKYdhdp9bYgYB/Bki9jzy4PB0q8LZi1rBmnPTAgZl58B3BXp
         5rwVkSjMUOjPA==
Date:   Fri, 22 Jul 2022 10:21:59 +0200
From:   Christian Brauner <brauner@kernel.org>
To:     Frederick Lawler <fred@cloudflare.com>
Cc:     kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org,
        ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
        kafai@fb.com, songliubraving@fb.com, yhs@fb.com,
        john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com,
        paul@paul-moore.com, stephen.smalley.work@gmail.com,
        eparis@parisplace.org, shuah@kernel.org, casey@schaufler-ca.com,
        ebiederm@xmission.com, bpf@vger.kernel.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
        linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, kernel-team@cloudflare.com,
        cgzones@googlemail.com, karl@bigbadwolfsecurity.com
Subject: Re: [PATCH v3 1/4] security, lsm: Introduce security_create_user_ns()
Message-ID: <20220722082159.jgvw7jgds3qwfyqk@wittgenstein>
References: <20220721172808.585539-1-fred@cloudflare.com>
 <20220721172808.585539-2-fred@cloudflare.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20220721172808.585539-2-fred@cloudflare.com>
X-Spam-Status: No, score=-7.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 21, 2022 at 12:28:05PM -0500, Frederick Lawler wrote:
> Preventing user namespace (privileged or otherwise) creation comes in a
> few of forms in order of granularity:
> 
>         1. /proc/sys/user/max_user_namespaces sysctl
>         2. OS specific patch(es)
>         3. CONFIG_USER_NS
> 
> To block a task based on its attributes, the LSM hook cred_prepare is a
> good candidate for use because it provides more granular control, and
> it is called before create_user_ns():
> 
>         cred = prepare_creds()
>                 security_prepare_creds()
>                         call_int_hook(cred_prepare, ...
>         if (cred)
>                 create_user_ns(cred)
> 
> Since security_prepare_creds() is meant for LSMs to copy and prepare
> credentials, access control is an unintended use of the hook. Therefore
> introduce a new function security_create_user_ns() with an accompanying
> userns_create LSM hook.
> 
> This hook takes the prepared creds for LSM authors to write policy
> against. On success, the new namespace is applied to credentials,
> otherwise an error is returned.
> 
> Signed-off-by: Frederick Lawler <fred@cloudflare.com>
> 
> ---

Nice and straightforward,
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>