From: Paul Moore
Date: Mon, 8 Aug 2022 15:49:48 -0400
Subject: Re: [PATCH v4 0/4] Introduce security_create_user_ns()
To: "Eric W. Biederman"
Cc: Frederick Lawler, kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, kernel-team@cloudflare.com, cgzones@googlemail.com, karl@bigbadwolfsecurity.com
References: <20220801180146.1157914-1-fred@cloudflare.com> <87les7cq03.fsf@email.froward.int.ebiederm.org> <87wnbia7jh.fsf@email.froward.int.ebiederm.org> <877d3ia65v.fsf@email.froward.int.ebiederm.org>
In-Reply-To: <877d3ia65v.fsf@email.froward.int.ebiederm.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 8, 2022 at 3:26 PM Eric W. Biederman wrote:
> Paul Moore writes:
> >> I did provide constructive feedback. My feedback to his problem
> >> was to address the real problem of bugs in the kernel.
> >
> > We've heard from several people who have use cases which require
> > adding LSM-level access controls and observability to user namespace
> > creation. This is the problem we are trying to solve here; if you do
> > not like the approach proposed in this patchset please suggest another
> > implementation that allows LSMs visibility into user namespace
> > creation.
>
> Please stop ignoring my feedback, not detailing what problem or
> problems you are actually trying to solve, and threatening to merge
> code into files that I maintain that has the express purpose of breaking
> my users.
I've heard you talk about bugs being the only reason why people would want to ever block user namespaces, but I think we've all seen use cases now where it goes beyond that. However, even if it didn't, the need to build high confidence/assurance systems where big chunks of functionality can be disabled based on a security policy is a very real use case, and this patchset would help enable that.

I've noticed you like to talk about these hooks being a source of "regressions", but access controls are not regressions, Eric; they are tools that system builders, administrators, and users use to secure their systems.

From my perspective, I believe that addresses your feedback around "fix the bugs" and "this is a regression", which is the only thing I've noted from your responses in this thread and others, but if I'm missing something more technical please let me/us know.

> You just artificially constrained the problems, so that no other
> solution is acceptable.

There is a real need to be able to gain both additional visibility and access control over user namespace creation; please suggest the approach(es) you would find acceptable.

> On that basis alone I object to this whole
> approach to steam roll over me and my code.

I saw that choice of wording in your last email and thought it a bit curious, so I did a quick git log dump on kernel/user_namespace.c and I see approximately 31 contributors to that one file. I've always thought of the open source maintainer role as more of a "steward" and less of an "owner", but that's just my opinion.

--
paul-moore.com