Received: by 2002:a05:6358:e9c4:b0:b2:91dc:71ab with SMTP id hc4csp6175974rwb; Tue, 9 Aug 2022 10:19:06 -0700 (PDT) X-Google-Smtp-Source: AA6agR7XiLMxw92zKUWHk5w2DDm+YPtNt3WUa7j3fWnXJZlgf4Wu0Oj5IbtHda+8liOtu8Jh9p/k X-Received: by 2002:a17:907:6eac:b0:730:a07f:38bb with SMTP id sh44-20020a1709076eac00b00730a07f38bbmr18468612ejc.750.1660065546228; Tue, 09 Aug 2022 10:19:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660065546; cv=none; d=google.com; s=arc-20160816; b=N2mjM5TBDpq2g1Agma8P193Tlrt7x16d5TMUJsDBf2ScUFG3QyEK3d4LiVxMsl3Q1Z 1cSN5kVNKW4gIGtDle1Fhbk6ZwgDoadNYGrT3TU9sN9846pP1AEUrPpMvWTHazPoLERd AAGwnC5Xtv/SsKWXGqbwe0An2f1T7i+Mhrevks5+h8xA8rkOYM4ELa9mj+MDh3odQ676 TRx9IFjWMr4QmUPzU0QxubbaxuSFokK59SCi8v+LS0C6Y0vDYA56woEeXVmKOb96Z0hP GUsaM3AeP7SUVXiaGSoDt8HjZqMwd/6d1foW/2l4heUa1bsewrW0Mnr6rxzLWu2grEzl pdFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=OQdzvI48V4v1B4ddrzc07g5SpSnYPX/QwedZe0qu4AI=; b=Rdq0UyI9VUhXq2Ab8eNnVimJtkrVwxW3EhetqZUbWl7U2SqbNcAb3mfX9beFPqWLzT g4VAKV0GCr31EYSrhLCAtJv3eL00mQdf+q/xo151XxjzP2aPnzecbzbywaMxD7Qn5JRE I16smK1Zjf98eOGCnFWwlsKHxRAb13H9LdB5lLz3IXV3LvZqrWNsceWrmu0paczvrqeo n6PoLEOiy2hoWvyzF3UA/zU8/F7b4gZ0OeR9x9sU2IW953GQISwcHDre35Z+Oz2g/clp tWEDYwQYMGTjvz/mkxJ1SuqZxBZf8FjztEcWIwii/s3ezkm1cAFRJvFWEykSCzfHQT2X Ig8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=Ri2tsj0w; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l26-20020a170906231a00b007310a1b616fsi1995143eja.178.2022.08.09.10.18.39; Tue, 09 Aug 2022 10:19:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=Ri2tsj0w; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244924AbiHIQrV (ORCPT + 99 others); Tue, 9 Aug 2022 12:47:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60206 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244667AbiHIQrR (ORCPT ); Tue, 9 Aug 2022 12:47:17 -0400 Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5B82220EB for ; Tue, 9 Aug 2022 09:47:14 -0700 (PDT) Received: by mail-oi1-x22a.google.com with SMTP id o184so4644216oif.13 for ; Tue, 09 Aug 2022 09:47:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=OQdzvI48V4v1B4ddrzc07g5SpSnYPX/QwedZe0qu4AI=; b=Ri2tsj0wADEJ/FqtuFe8VA3SlsAf4KnPGgJj+nvCXLKG6B6UbcwkVSpbOgqTUzJfiT QPADWiyW6UkdsfosfSRM21VsttNJKppdOEl3fp32UHIUjR1qD2Qj+PDddciPoTn7PSgy 2p/I96SGe3fYfgnj3La44AANjPEePv4B8NV3JfXFvZH5vcgTjFT6fVXrrAejRt36omr1 GV2ifLxF4sMqwvPtr1sVjQrobLRJmbowbjxOzhmAxh3ri0RdahOO9XlTVS0dtmxAEoaW WbU6GKuwZ/z4LRxdcL68HvZquRVAfuGOgiix/p4keAnPKg6L68n94sAPxDxu6xuekIFX 87iA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=OQdzvI48V4v1B4ddrzc07g5SpSnYPX/QwedZe0qu4AI=; b=iNELi6F2Q6I/xSzLMNhWwUUSJXyJFFuVtJFdZJYersBhvir43GFZa3Eaq0fENeEF6a jA9dP4JRuPKZZLjfoHqEtw+uXqzUy0qPnRhSMCwRvvG6IbjF+9+saJN2kRvqyG18w1VW GFoJfMtav/3i1rjB8Uui2RSQUhB3kyLZfWngay6u3z2KBQ50zc4ezH9Gmf9cI1kphvRj WWDQeksKCXAO0j95ZIVfAKwXv+hQiJ8KkS/Yf3IzkCcS2QxRYBknuLCI27QVg+CcMfOI xmiDgLiDLyk2d6RVebeoOJTM4A12VDCZ14jjUBsTOVWUjtjCuHoLHOtE8CbfCZmFIcuh QQwA== X-Gm-Message-State: ACgBeo2cMYLtvh7zxx+grtYmRF+HOgQOrO8UvphforuhhkSW0mqvLF/7 oOr/ok/FiGGYdhp9kQ8NDYazSztyGqSLA50qx5No X-Received: by 2002:a05:6808:2389:b0:33a:cbdb:f37a with SMTP id bp9-20020a056808238900b0033acbdbf37amr10590809oib.136.1660063633970; Tue, 09 Aug 2022 09:47:13 -0700 (PDT) MIME-Version: 1.0 References: <20220801180146.1157914-1-fred@cloudflare.com> <87les7cq03.fsf@email.froward.int.ebiederm.org> <87wnbia7jh.fsf@email.froward.int.ebiederm.org> <877d3ia65v.fsf@email.froward.int.ebiederm.org> <87bksu8qs2.fsf@email.froward.int.ebiederm.org> <87czd95rjc.fsf@email.froward.int.ebiederm.org> In-Reply-To: <87czd95rjc.fsf@email.froward.int.ebiederm.org> From: Paul Moore Date: Tue, 9 Aug 2022 12:47:03 -0400 Message-ID: Subject: Re: [PATCH v4 0/4] Introduce security_create_user_ns() To: "Eric W. Biederman" Cc: Frederick Lawler , kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, kernel-team@cloudflare.com, cgzones@googlemail.com, karl@bigbadwolfsecurity.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 9, 2022 at 12:08 PM Eric W. Biederman wrote: > Paul Moore writes: > > On Mon, Aug 8, 2022 at 3:43 PM Eric W. Biederman wrote: > >> "Eric W. Biederman" writes: > >> > Paul Moore writes: > >> > > >> >>> I did provide constructive feedback. My feedback to his problem > >> >>> was to address the real problem of bugs in the kernel. > >> >> > >> >> We've heard from several people who have use cases which require > >> >> adding LSM-level access controls and observability to user namespace > >> >> creation. This is the problem we are trying to solve here; if you do > >> >> not like the approach proposed in this patchset please suggest another > >> >> implementation that allows LSMs visibility into user namespace > >> >> creation. > >> > > >> > Please stop, ignoring my feedback, not detailing what problem or > >> > problems you are actually trying to be solved, and threatening to merge > >> > code into files that I maintain that has the express purpose of breaking > >> > my users. > >> > > >> > You just artificially constrained the problems, so that no other > >> > solution is acceptable. On that basis alone I am object to this whole > >> > approach to steam roll over me and my code. > >> > >> If you want an example of what kind of harm it can cause to introduce a > >> failure where no failure was before I invite you to look at what > >> happened with sendmail when setuid was modified to fail, when changing > >> the user of a process would cause RLIMIT_NPROC to be exceeded. > > > > I think we are all familiar with the sendmail capabilities bug and the > > others like it, but using that as an excuse to block additional access > > controls seems very weak. The Linux Kernel is very different from > > when the sendmail bug hit (what was that, ~20 years ago?), with > > advancements in capabilities and other discretionary controls, as well > > as mandatory access controls which have enabled Linux to be certified > > through a number of third party security evaluations. > > If you are familiar with scenarios like that then why is there not > being due diligence performed to ensure that userspace won't break? What level of due diligence would satisfy you Eric? This feels very much like an unbounded ask that can be used to permanently block any effort to add any form of additional access control around user namespace creation. If that isn't the case, and this request is being made in good faith, please elaborate on what you believe would be sufficient analysis of this patch? Personally, the fact that the fork()/clone() variants and the unshare() syscall all can fail and return error codes to userspace seems like a reasonable level of safety. If userspace is currently ignoring the return values of fork/clone/unshare that is a problem independent of this patchset. Even looking at the existing create_user_ns() function shows several cases where the user namespace code can forcibly error out due to access controls, memory pressure, etc. I also see that additional restrictions were put on user namespace creation after it was introduced, e.g. the chroot restriction; I'm assuming that didn't break "your" users? If you can describe the analysis you did on that change, perhaps we can do the same for this patchset and call it sufficient, yes? > >> I am not arguing that what you are proposing is that bad but unexpected > >> failures cause real problems, and at a minimum that needs a better > >> response than: "There is at least one user that wants a failure here". > > > > Let me fix that for you: "There are multiple users who want to have > > better visibility and access control for user namespace creation." > > Visibility sure. Design a proper hook for that. All the proposed hook > can do is print an audit message. It can't allocate or manage any state > as there is not the corresponding hook when a user namespace is freed. > So the proposed hook is not appropriate for increasing visibility. Auditing very much increases visibility. Look at what the BPF LSM can do, observability is one of its primary goals. > Access control. Not a chance unless it is carefully designed and > reviewed. See the above. The relevant syscalls already have the risk of failure, if userspace is assuming fork/clone/unshare/etc. will never fail then that application is broken independent of this discussion. -- paul-moore.com