From: Paul Moore
To: Martin KaFai Lau, Frederick Lawler
Date: Fri, 22 Jul 2022 08:20:10 -0400
Message-ID: <18225d94bf0.28e3.85c95baa4474aabc7814e68940a78392@paul-moore.com>
In-Reply-To: <20220722061137.jahbjeucrljn2y45@kafai-mbp.dhcp.thefacebook.com>
References: <20220721172808.585539-1-fred@cloudflare.com> <20220722061137.jahbjeucrljn2y45@kafai-mbp.dhcp.thefacebook.com>
Subject: Re: [PATCH v3 0/4] Introduce security_create_user_ns()
X-Mailing-List: linux-kernel@vger.kernel.org

On July 22, 2022 2:12:03 AM Martin KaFai Lau wrote:
> On Thu, Jul 21, 2022 at 12:28:04PM -0500, Frederick Lawler wrote:
>> While creating a LSM BPF MAC policy to block user namespace creation, we
>> used the LSM cred_prepare hook because that is the closest hook to prevent
>> a call to create_user_ns().
>>
>> The calls look something like this:
>>
>>     cred = prepare_creds()
>>         security_prepare_creds()
>>             call_int_hook(cred_prepare, ...
>>     if (cred)
>>         create_user_ns(cred)
>>
>> We noticed that error codes were not propagated from this hook and
>> introduced a patch [1] to propagate those errors.
>>
>> The discussion notes that security_prepare_creds()
>> is not appropriate for MAC policies, and instead the hook is
>> meant for LSM authors to prepare credentials for mutation. [2]
>>
>> Ultimately, we concluded that a better course of action is to introduce
>> a new security hook for LSM authors. [3]
>>
>> This patch set first introduces a new security_create_user_ns() function
>> and userns_create LSM hook, then marks the hook as sleepable in BPF.
> Patch 1 and 4 still need review from the lsm/security side.

This patchset is in my review queue and assuming everything checks out, I expect to merge it after the upcoming merge window closes.

I would also need an ACK from the BPF LSM folks, but they're CC'd on this patchset.

--
paul-moore.com
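
The error-propagation difference described in the quoted cover letter, as an added userspace model that is not part of the thread or the patch set. Every `model_*` and `policy_*` name is hypothetical; the model assumes the caller reports a NULL cred as -ENOMEM and that the new userns_create hook's return value is passed back unchanged.

```c
/* Userspace model (constructed, not kernel code) of the two hook placements. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct cred { int uid; };
typedef int (*lsm_hook_t)(const struct cred *);

/* Hypothetical MAC policies attached to a hook. */
static int policy_deny(const struct cred *c)  { (void)c; return -EPERM; }
static int policy_allow(const struct cred *c) { (void)c; return 0; }

static struct cred cred_storage;

/* Models prepare_creds(): a failing cred_prepare hook yields NULL,
 * so the hook's own error code is lost at this point. */
static struct cred *model_prepare_creds(lsm_hook_t cred_prepare)
{
	if (cred_prepare && cred_prepare(&cred_storage) < 0)
		return NULL;
	return &cred_storage;
}

/* Models create_user_ns() consulting the new userns_create hook and
 * returning its verdict unchanged (assumed placement). */
static int model_create_user_ns(struct cred *c, lsm_hook_t userns_create)
{
	int ret = userns_create ? userns_create(c) : 0;

	if (ret < 0)
		return ret;
	return 0; /* the namespace would be created here */
}

/* Models the call sequence shown in the cover letter. */
int model_unshare_userns(lsm_hook_t cred_prepare, lsm_hook_t userns_create)
{
	struct cred *c = model_prepare_creds(cred_prepare);

	if (!c)
		return -ENOMEM; /* assumed: the only error a NULL cred can express */
	return model_create_user_ns(c, userns_create);
}

int main(void)
{
	printf("deny via cred_prepare : %d\n", model_unshare_userns(policy_deny, NULL));
	printf("deny via userns_create: %d\n", model_unshare_userns(NULL, policy_deny));
	printf("allow on both hooks   : %d\n", model_unshare_userns(policy_allow, policy_allow));
	return 0;
}
```

In the model, the same deny policy surfaces as -ENOMEM when attached to cred_prepare and as -EPERM when attached to userns_create, which is the distinction a policy author sees from userspace.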