References: <20220721172808.585539-1-fred@cloudflare.com> <20220722061137.jahbjeucrljn2y45@kafai-mbp.dhcp.thefacebook.com> <18225d94bf0.28e3.85c95baa4474aabc7814e68940a78392@paul-moore.com>
From: Paul Moore
Date: Mon, 1 Aug 2022 11:19:35 -0400
Subject: Re: [PATCH v3 0/4] Introduce security_create_user_ns()
To: Frederick Lawler, kpsingh@kernel.org
Cc: Martin KaFai Lau, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com, ebiederm@xmission.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, kernel-team@cloudflare.com, cgzones@googlemail.com, karl@bigbadwolfsecurity.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 1, 2022 at 9:13 AM Frederick Lawler wrote:
> On 7/22/22 7:20 AM, Paul Moore wrote:
> > On July 22, 2022 2:12:03 AM Martin KaFai Lau wrote:
> >
> >> On Thu, Jul 21, 2022 at 12:28:04PM -0500, Frederick Lawler wrote:
> >>> While creating an LSM BPF MAC policy to block user namespace creation, we
> >>> used the LSM cred_prepare hook because that is the closest hook to prevent
> >>> a call to create_user_ns().
> >>>
> >>> The calls look something like this:
> >>>
> >>>   cred = prepare_creds()
> >>>     security_prepare_creds()
> >>>       call_int_hook(cred_prepare, ...
> >>>   if (cred)
> >>>     create_user_ns(cred)
> >>>
> >>> We noticed that error codes were not propagated from this hook and
> >>> introduced a patch [1] to propagate those errors.
> >>>
> >>> The discussion notes that security_prepare_creds()
> >>> is not appropriate for MAC policies, and instead the hook is
> >>> meant for LSM authors to prepare credentials for mutation. [2]
> >>>
> >>> Ultimately, we concluded that a better course of action is to introduce
> >>> a new security hook for LSM authors. [3]
> >>>
> >>> This patch set first introduces a new security_create_user_ns() function
> >>> and userns_create LSM hook, then marks the hook as sleepable in BPF.
> >> Patch 1 and 4 still need review from the lsm/security side.
> >
> > This patchset is in my review queue and assuming everything checks out, I expect to merge it after the upcoming merge window closes.
> >
> > I would also need an ACK from the BPF LSM folks, but they're CC'd on this patchset.
>
> Based on last week's comments, should I go ahead and put up v4 for
> 5.20-rc1 when that drops, or do I need to wait for more feedback?
In general it rarely hurts to make another revision, and I think you've gotten some decent feedback on this draft, especially around the BPF LSM tests; I think rebasing on Linus' tree after the upcoming io_uring changes are merged would be a good idea.

Although as a reminder to the BPF LSM folks - I'm looking at you KP Singh :) - I need an ACK from you guys before I merge the BPF related patches (patches {2,3}/4).

For the record, I think the SELinux portion of this patchset (patch 4/4) is fine. There is the issue of Eric's NACK, but I believe the responses that followed his comment sufficiently addressed those concerns and it has now been a week with no further comment from Eric; we should continue to move forward with this.

--
paul-moore.com