Received: by 2002:ac0:e350:0:0:0:0:0 with SMTP id g16csp117371imn; Tue, 2 Aug 2022 20:09:45 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uEdQq9Pi/4zjMFaFPuJkKrVv07ji8NaG/J8hZuHkpbRO8Ds5URMsPiXONX9667dlpSplQt X-Received: by 2002:a17:907:628c:b0:6ee:70cf:d59 with SMTP id nd12-20020a170907628c00b006ee70cf0d59mr18393983ejc.402.1659496184915; Tue, 02 Aug 2022 20:09:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659496184; cv=none; d=google.com; s=arc-20160816; b=09UStCJgjFYiB4URZA2xAcPdj5MA7fbMtOpWkn+bQe8EoyT8+WzTILwER4GGe/ShFg PLzNorotgZ4zXtJT3AvudyGgA75Vx6Im6vbb/ZZO2p8wfrvxTI2JJV17p1wdeyI8lvrf yOGs6H2ss7Gn/UL0iCmqqvuHXi2qaHW1l+N8NLG0F0oM3ddHE8jUbNcMewGp03mnbRKQ ElOr5PPjYeZ0n4wcN3KXhom6jXlERim0kD6jUgIjmJMO2Re29YULFX5mT/aCuav+QWB0 nYMIavyUz+sZK7solRhiYLecTq5hTRO/QbUZni0/re7q+0LdGx8x8J8416SJmWwbPStu aCgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=AKd54UEEghsfwjXpz+oyC5/2q9GwxUZBaaXWayE5vh0=; b=PmsdM5ngSH7RjW4XKbyCEK0xjCloazcBSqTReUCTnO6LMRyzO1HnA4rWzRe9nJAcn7 LMfjFEdiD00g+qjAyFHZ5Vuv+q1g9apcQLmmjAZ+zTkBerORgUYVa82QNbg7ddgaESlZ awq9idAki4h0xaQGE6bChyXEjzBdaL1N3tv4ia7HT/ysrLNbnk5Z09bH0l8GPaO2f4Bu p6aDof9KPH9Oa3RavAusa33AmqHA9YmQJwPtemctdIcNEjvlUQYTqVHbPcBp4WeA6cjQ q/74FnCJMO96ve8DBFBJvWh16W0WdVwKUdIaz7pg89hOzyL7pSOawdCR5tLlHUKGv0iw 2YMw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b="qg9W/DQp"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id wy6-20020a170906fe0600b00730a3ae3954si3000256ejb.708.2022.08.02.20.09.11; Tue, 02 Aug 2022 20:09:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b="qg9W/DQp"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232116AbiHCCK0 (ORCPT + 99 others); Tue, 2 Aug 2022 22:10:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40560 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232216AbiHCCKV (ORCPT ); Tue, 2 Aug 2022 22:10:21 -0400 Received: from mail-oi1-x236.google.com (mail-oi1-x236.google.com [IPv6:2607:f8b0:4864:20::236]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 525284F182 for ; Tue, 2 Aug 2022 19:10:19 -0700 (PDT) Received: by mail-oi1-x236.google.com with SMTP id h188so18170308oia.13 for ; Tue, 02 Aug 2022 19:10:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=AKd54UEEghsfwjXpz+oyC5/2q9GwxUZBaaXWayE5vh0=; b=qg9W/DQpVQE1zuA+4brg05l1CHy54NhyVGtRCydMFzE12zh988wMgOkkr9TR0NnbD+ WwLZEYJ1Cian3j4YxJ6WBJI2n6yDUQvvjr4ehpvwK4KCp7f4yn0RdxKoUyszuGjYGU8/ s4E1AMSrnr1lDlkjPOo5wKPaIBoLHwkBvOU9km4nzASl+QT9wg5vM/8K7SAjtTtkEW29 25vFkfMoCHPaDw7h3m3M0vH4pxXB12va4kqeKDyoWrNWw4lZSEAvXXf1zX0yDfCNnWyC aH8Nd3hL8pHuRPIP8ArbTcaG9k+HPIfZ6HqKDQfDUUkpcdS83+0RZGlY6YZT3HQacIml 6HCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=AKd54UEEghsfwjXpz+oyC5/2q9GwxUZBaaXWayE5vh0=; b=7NU5f55FJk6WyG05HJgyC45KS204f2JdydTDoNzJmMM2fnaN/pcVxuZRtMSm+iDl2W urquAYJoZtSvC371DuM0b8zUqwE8CnznXfN05S+tx6WXqmnfQKx5rbDXDV3rvRdVTbjq MWHzbIATbuksDVk7LnKWs2fDgNichOO6735nZ4YbTOsFcBTnbjvA1GzJYgmp9IqjaN2j ggNjNuv+8Z3d9T534E86KbhxL2NJGNlbcle3JCqWfBscf42N1mUoW8L8hWXKJOlsQdsp Y27Q7WBAL/t+zA4x2aWsB9X1F/MkiupQrFFzM2E3D+4goo6Mm1uYnvbC+LF6SBHvmZjf tB3g== X-Gm-Message-State: ACgBeo0rLLE8Cv4vyB8KPflE0c3l/r9urkBfvm4WnoXtJF6y23RLeKwH usnwkwRrSnAyqYsNLbAL1pnJgwp6arNCf03R+lm7 X-Received: by 2002:a05:6808:2389:b0:33a:cbdb:f37a with SMTP id bp9-20020a056808238900b0033acbdbf37amr928281oib.136.1659492618285; Tue, 02 Aug 2022 19:10:18 -0700 (PDT) MIME-Version: 1.0 References: <20220801180146.1157914-1-fred@cloudflare.com> <87les7cq03.fsf@email.froward.int.ebiederm.org> In-Reply-To: <87les7cq03.fsf@email.froward.int.ebiederm.org> From: Paul Moore Date: Tue, 2 Aug 2022 22:10:07 -0400 Message-ID: Subject: Re: [PATCH v4 0/4] Introduce security_create_user_ns() To: "Eric W. Biederman" Cc: Frederick Lawler , kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, kernel-team@cloudflare.com, cgzones@googlemail.com, karl@bigbadwolfsecurity.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 1, 2022 at 10:56 PM Eric W. Biederman wrote: > Frederick Lawler writes: > > > While creating a LSM BPF MAC policy to block user namespace creation, we > > used the LSM cred_prepare hook because that is the closest hook to prevent > > a call to create_user_ns(). > > Re-nack for all of the same reasons. > AKA This can only break the users of the user namespace. > > Nacked-by: "Eric W. Biederman" > > You aren't fixing what your problem you are papering over it by denying > access to the user namespace. > > Nack Nack Nack. > > Stop. > > Go back to the drawing board. > > Do not pass go. > > Do not collect $200. If you want us to take your comments seriously Eric, you need to provide the list with some constructive feedback that would allow Frederick to move forward with a solution to the use case that has been proposed. You response above may be many things, but it is certainly not that. We've heard from different users now that there are very real use cases for this LSM hook. I understand you are concerned about adding additional controls to user namespaces, but these are controls requested by real users, and the controls being requested (LSM hooks, with BPF and SELinux implementations) are configurable by the *users* at *runtime*. This patchset does not force additional restrictions on user namespaces, it provides a mechanism that *users* can leverage to add additional granularity to the access controls surrounding user namespaces. Eric, if you have a different approach in mind to adding a LSM hook to user namespace creation I think we would all very much like to hear about it. However, if you do not have any suggestions along those lines, and simply want to NACK any effort to add a LSM hook to user namespace creation, I think we all understand your point of view and respectfully disagree. Barring any new approaches or suggestions, I think Frederick's patches look reasonable and I still plan on merging them into the LSM next branch when the merge window closes. -- paul-moore.com