Received: by 2002:ac0:e350:0:0:0:0:0 with SMTP id g16csp368197imn; Wed, 3 Aug 2022 07:19:19 -0700 (PDT) X-Google-Smtp-Source: AA6agR6H+gPA7p2ySzW1zhAXnlFWL/RSy6YmcCAXexv3+nZfA4bO5vF7YzSg60DS83X7/t0cUuN2 X-Received: by 2002:a17:902:7845:b0:16e:ea31:3354 with SMTP id e5-20020a170902784500b0016eea313354mr14829676pln.17.1659536359096; Wed, 03 Aug 2022 07:19:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659536359; cv=none; d=google.com; s=arc-20160816; b=hdTOC2XBP7BDaT1nZjvKEIVuNOp8xB7gKqt/Z74VpG2+TaIqI98J6j7milaf3zJkgb Cev3ni7KMo7TUGk+RnIOKEofmysZ79PNmJE2kUGD/ZJPgFm60p03Km3E42nuc/tcEMnV UCON33TCIs69dLZJe/PopdMMvW0cLqEHsCE5bnvcBn7nuMdIx3AFND4hdgDVajQqQXTD jNIO1dDdQPqLF1jILEve+OqwEFa4cgN2mrCjszFcevE0Fw/wXmZVneVutY5O6/eUHOyQ suHBmmmi8ls++eQV5uhWANA8ZpI8DNxwPtIFewCMhFG4Yy+zD2hv3CvutgQdDsanDaIe mAHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=0qI80nKbtNInC7TnaqV1RRwJ5MKOkQCfQlYI1Abu+68=; b=m6tCrMvfrMyRn1CNMjRtX2TeEv6tgE1YVWonTGgxCXjtjzfY/gvKL52Fiaa4wkI2Y1 vFzfBqDRhyzmvCD8L1H+L3r/FWlDlf5mvqVsS/R3ItnsRSfbnHV/nePWhXDlPfYXbkWa YYAjdZ9XMeBvJSm/3KzMII/E668AkNXPClk09vsChy7Oy4kxshtcDDT7wJ6M3+LXriH5 mWOSvbDL7bUpAwgtohktPnJ3+H+F2CulM7ya8BTpeO3jIY0De+0PNrwHCxa/zMN2GXOc 0+/xt9ytEke7R8TTChMFM1XU1UUfxmcEtIOvD427AhefEJEGgXYzHoBUfJ2gEU8V/Nzj lPxw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=jtodadUy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g21-20020a056a000b9500b0052b17fa6f49si2966229pfj.262.2022.08.03.07.19.03; Wed, 03 Aug 2022 07:19:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=jtodadUy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237679AbiHCNNc (ORCPT + 99 others); Wed, 3 Aug 2022 09:13:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37872 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237776AbiHCNNa (ORCPT ); Wed, 3 Aug 2022 09:13:30 -0400 Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1DFD0186E0 for ; Wed, 3 Aug 2022 06:13:17 -0700 (PDT) Received: by mail-oi1-x230.google.com with SMTP id q184so890959oif.1 for ; Wed, 03 Aug 2022 06:13:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc; bh=0qI80nKbtNInC7TnaqV1RRwJ5MKOkQCfQlYI1Abu+68=; b=jtodadUycK+1LkDSYjWv8XqXchbrV8seFLSfpmqa6P3sOQ/of4IOcRUxXS1Bd4JQBX YhmbqlC+yxW9CTOk4i0D6sxWl0tLx5O0b/6PobzrrG7Khc1GwbaSCbDxfaFKRBlVF//X yBzwRrxphm+rRMuCnO5lQIVW1fkXROZV4I73U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc; bh=0qI80nKbtNInC7TnaqV1RRwJ5MKOkQCfQlYI1Abu+68=; b=r6/2oGXLr0WesHsl4xWosSwERBI9p0Lxb6adTeBnRAC9czzALcfjI7oluIRX5c6qo1 h6qpTra5w/56ZFWs2uKIYMeyTc+uaINoJECALtagDqnoocmly76sXHCivRif1H/Qw7R5 FNxD5Z7c2BcVAAOsCfZT8EhIH3tu9NJz4DTzP1W1UU0c5OA6rX0omnBCx0rG8WUBdgww GfGK48exRXNfEcMw2rV6sO1vBsJj7Yl6V9U/9y4KitA5xohz8p75JHcLITw546d6ZLEO wQ9FqWmIqErfKIjf5xhi6SgwQFTKUwe8gG/nuwkGVxSi5WR5ceFBNPyQb/NgZhejkMjr Tp2A== X-Gm-Message-State: ACgBeo1keCnp/aXwlFUTE4en2zruMvtPydTsILXJAYv4NHcOfgmS5uGc w0LRJF/Dw8mDs/MJ5uXupxcacg== X-Received: by 2002:a05:6808:143:b0:33a:d513:1443 with SMTP id h3-20020a056808014300b0033ad5131443mr1620237oie.43.1659532396382; Wed, 03 Aug 2022 06:13:16 -0700 (PDT) Received: from [192.168.0.41] ([184.4.90.121]) by smtp.gmail.com with ESMTPSA id t26-20020a0568080b3a00b0033a3e6e7ce9sm3539763oij.10.2022.08.03.06.13.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Aug 2022 06:13:16 -0700 (PDT) Message-ID: <11578cfd-3d19-8bda-b36e-5e522e7c4490@cloudflare.com> Date: Wed, 3 Aug 2022 08:13:15 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [PATCH v4 1/4] security, lsm: Introduce security_create_user_ns() Content-Language: en-US To: KP Singh Cc: revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com, ebiederm@xmission.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, kernel-team@cloudflare.com, cgzones@googlemail.com, karl@bigbadwolfsecurity.com References: <20220801180146.1157914-1-fred@cloudflare.com> <20220801180146.1157914-2-fred@cloudflare.com> From: Frederick Lawler In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/2/22 4:47 PM, KP Singh wrote: > On Mon, Aug 1, 2022 at 8:02 PM Frederick Lawler wrote: >> >> Preventing user namespace (privileged or otherwise) creation comes in a >> few of forms in order of granularity: >> >> 1. /proc/sys/user/max_user_namespaces sysctl >> 2. OS specific patch(es) >> 3. CONFIG_USER_NS >> >> To block a task based on its attributes, the LSM hook cred_prepare is a >> good candidate for use because it provides more granular control, and >> it is called before create_user_ns(): >> >> cred = prepare_creds() >> security_prepare_creds() >> call_int_hook(cred_prepare, ... >> if (cred) >> create_user_ns(cred) >> >> Since security_prepare_creds() is meant for LSMs to copy and prepare >> credentials, access control is an unintended use of the hook. Therefore >> introduce a new function security_create_user_ns() with an accompanying >> userns_create LSM hook. >> >> This hook takes the prepared creds for LSM authors to write policy >> against. On success, the new namespace is applied to credentials, >> otherwise an error is returned. >> >> Signed-off-by: Frederick Lawler >> Reviewed-by: Christian Brauner (Microsoft) > > Reviewed-by: KP Singh > > This looks useful, and I would also like folks to consider the > observability aspects of BPF LSM as > brought up here: > > https://lore.kernel.org/all/CAEiveUdPhEPAk7Y0ZXjPsD=Vb5hn453CHzS9aG-tkyRa8bf_eg@mail.gmail.com/ > > Frederick, what about adding the observability aspects to the commit > description as well. Agreed. I'll include that in v5. > > - KP > >> >> --- >> Changes since v3: >> - No changes >> Changes since v2: >> - Rename create_user_ns hook to userns_create >> Changes since v1: >> - Changed commit wording >> - Moved execution to be after id mapping check >> - Changed signature to only accept a const struct cred * >> --- >> include/linux/lsm_hook_defs.h | 1 + >> include/linux/lsm_hooks.h | 4 ++++ >> include/linux/security.h | 6 ++++++ >> kernel/user_namespace.c | 5 +++++ >> security/security.c | 5 +++++ >> 5 files changed, 21 insertions(+) >> >> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h >> index eafa1d2489fd..7ff93cb8ca8d 100644 >> --- a/include/linux/lsm_hook_defs.h >> +++ b/include/linux/lsm_hook_defs.h >> @@ -223,6 +223,7 @@ LSM_HOOK(int, -ENOSYS, task_prctl, int option, unsigned long arg2, >> unsigned long arg3, unsigned long arg4, unsigned long arg5) >> LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, >> struct inode *inode) >> +LSM_HOOK(int, 0, userns_create, const struct cred *cred) >> LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) >> LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, >> u32 *secid) >> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h >> index 91c8146649f5..54fe534d0e01 100644 >> --- a/include/linux/lsm_hooks.h >> +++ b/include/linux/lsm_hooks.h >> @@ -799,6 +799,10 @@ >> * security attributes, e.g. for /proc/pid inodes. >> * @p contains the task_struct for the task. >> * @inode contains the inode structure for the inode. >> + * @userns_create: >> + * Check permission prior to creating a new user namespace. >> + * @cred points to prepared creds. >> + * Return 0 if successful, otherwise < 0 error code. >> * >> * Security hooks for Netlink messaging. >> * >> diff --git a/include/linux/security.h b/include/linux/security.h >> index 7fc4e9f49f54..a195bf33246a 100644 >> --- a/include/linux/security.h >> +++ b/include/linux/security.h >> @@ -435,6 +435,7 @@ int security_task_kill(struct task_struct *p, struct kernel_siginfo *info, >> int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, >> unsigned long arg4, unsigned long arg5); >> void security_task_to_inode(struct task_struct *p, struct inode *inode); >> +int security_create_user_ns(const struct cred *cred); >> int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); >> void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); >> int security_msg_msg_alloc(struct msg_msg *msg); >> @@ -1185,6 +1186,11 @@ static inline int security_task_prctl(int option, unsigned long arg2, >> static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) >> { } >> >> +static inline int security_create_user_ns(const struct cred *cred) >> +{ >> + return 0; >> +} >> + >> static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, >> short flag) >> { >> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c >> index 5481ba44a8d6..3f464bbda0e9 100644 >> --- a/kernel/user_namespace.c >> +++ b/kernel/user_namespace.c >> @@ -9,6 +9,7 @@ >> #include >> #include >> #include >> +#include >> #include >> #include >> #include >> @@ -113,6 +114,10 @@ int create_user_ns(struct cred *new) >> !kgid_has_mapping(parent_ns, group)) >> goto fail_dec; >> >> + ret = security_create_user_ns(new); >> + if (ret < 0) >> + goto fail_dec; >> + >> ret = -ENOMEM; >> ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL); >> if (!ns) >> diff --git a/security/security.c b/security/security.c >> index 188b8f782220..ec9b4696e86c 100644 >> --- a/security/security.c >> +++ b/security/security.c >> @@ -1903,6 +1903,11 @@ void security_task_to_inode(struct task_struct *p, struct inode *inode) >> call_void_hook(task_to_inode, p, inode); >> } >> >> +int security_create_user_ns(const struct cred *cred) >> +{ >> + return call_int_hook(userns_create, 0, cred); >> +} >> + >> int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) >> { >> return call_int_hook(ipc_permission, 0, ipcp, flag); >> -- >> 2.30.2 >>