Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp1682876rwb; Sun, 14 Aug 2022 09:26:32 -0700 (PDT) X-Google-Smtp-Source: AA6agR6cpRGdVJMAoXNP7m5WAXvzfWjaX79nH5cYYDzw4L3qkCiaMpT+u1CHlRcBZkoeqHN32JNb X-Received: by 2002:a63:5f17:0:b0:427:8dbf:52b8 with SMTP id t23-20020a635f17000000b004278dbf52b8mr4308599pgb.64.1660494391817; Sun, 14 Aug 2022 09:26:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660494391; cv=none; d=google.com; s=arc-20160816; b=lWPoIkWf0zP6T+QunM06n4+SjNu/YzMOhx8PupRlbPyLZYRhxuKxa8MvceTNm/Ll7n pXvvRJBMxfc9BjwqBOzsObMyWC2+WeTWu51NlmigAeVK6jc3DmbPVVVT7Ta+yAYWvtct ycX/ZfBgxlVVhxGMWd8bmXt7J/Lc0xV6psOftDI8s7m3vh3okDrWd2iolUYy4inyMEKZ 541tiP4bvX7P36+GkIZVf52WSxH/KF73AoOL0jeClG18BsYWXASIT7OPkQmSPv0yHinm amd0bfdqoc3YJ1PU/Q3Yyu3ZpBALo7zCiXOyaBUE1g1d3vBBHVcwVLhhzSDSPdaPC57D EOtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=Od5U4O1nKzpcLsmddDKjU9d7GL/drGmy44u+Szj/YE4=; b=clkrflp7ucPeT9k8l2rHljIluMNiP4Q7oPthJi7qkugdSGbX/2VfVtbyAFmSEjNHws 8NyCdHv0NUeqZF/fpptOjNuLZUOQEgneLzNvpCMYj6ybkcG9crc5YgTMpiBPqtOx/jm3 LoQq/+r0NGl7ldYvjPpRj9xw5FPQolePOx57IYKw/n0bDUYlJ1ddRAcMz3Jii6f5baW/ IKJMnzEyMeO4VnrzAhXXC9hyJki0CVIN747XE9vJYW56itHisUCOQ4Bc0LND9tyhOd+s +6onm2nuaUuGzjYri9A8YfKh7/fosO379ljqEqFCQ/sP7IMsIdkzF+8WVGRvU07/wTsM eZLw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h2-20020a63b002000000b00415b6092468si7865071pgf.586.2022.08.14.09.26.20; Sun, 14 Aug 2022 09:26:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240939AbiHNQVO (ORCPT + 99 others); Sun, 14 Aug 2022 12:21:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50652 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241079AbiHNQUp (ORCPT ); Sun, 14 Aug 2022 12:20:45 -0400 Received: from mail.hallyn.com (mail.hallyn.com [178.63.66.53]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 455D7F35; Sun, 14 Aug 2022 09:09:29 -0700 (PDT) Received: by mail.hallyn.com (Postfix, from userid 1001) id A8678F8A; Sun, 14 Aug 2022 10:55:08 -0500 (CDT) Date: Sun, 14 Aug 2022 10:55:08 -0500 From: "Serge E. Hallyn" To: Paul Moore Cc: "Eric W. Biederman" , Frederick Lawler , kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, kernel-team@cloudflare.com, cgzones@googlemail.com, karl@bigbadwolfsecurity.com Subject: Re: [PATCH v4 0/4] Introduce security_create_user_ns() Message-ID: <20220814155508.GA7991@mail.hallyn.com> References: <20220801180146.1157914-1-fred@cloudflare.com> <87les7cq03.fsf@email.froward.int.ebiederm.org> <87wnbia7jh.fsf@email.froward.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 08, 2022 at 03:16:16PM -0400, Paul Moore wrote: > On Mon, Aug 8, 2022 at 2:56 PM Eric W. Biederman wrote: > > Paul Moore writes: > > > On Mon, Aug 1, 2022 at 10:56 PM Eric W. Biederman wrote: > > >> Frederick Lawler writes: > > >> > > >> > While creating a LSM BPF MAC policy to block user namespace creation, we > > >> > used the LSM cred_prepare hook because that is the closest hook to prevent > > >> > a call to create_user_ns(). > > >> > > >> Re-nack for all of the same reasons. > > >> AKA This can only break the users of the user namespace. > > >> > > >> Nacked-by: "Eric W. Biederman" > > >> > > >> You aren't fixing what your problem you are papering over it by denying > > >> access to the user namespace. > > >> > > >> Nack Nack Nack. > > >> > > >> Stop. > > >> > > >> Go back to the drawing board. > > >> > > >> Do not pass go. > > >> > > >> Do not collect $200. > > > > > > If you want us to take your comments seriously Eric, you need to > > > provide the list with some constructive feedback that would allow > > > Frederick to move forward with a solution to the use case that has > > > been proposed. You response above may be many things, but it is > > > certainly not that. > > > > I did provide constructive feedback. My feedback to his problem > > was to address the real problem of bugs in the kernel. > > We've heard from several people who have use cases which require > adding LSM-level access controls and observability to user namespace > creation. This is the problem we are trying to solve here; if you do > not like the approach proposed in this patchset please suggest another > implementation that allows LSMs visibility into user namespace > creation. Regarding the observability - can someone concisely lay out why just auditing userns creation would not suffice? Userspace could decide what to report based on whether the creating user_ns == /proc/1/ns/user... Regarding limiting the tweaking of otherwise-privileged code by unprivileged users, i wonder whether we could instead add smarts to ns_capable(). Point being, uid mapping would still work, but we'd break the "privileged against resources you own" part of user namespaces. I would want it to default to allow, but then when a 0-day is found which requires reaching ns_capable() code, admins could easily prevent exploitation until reboot from a fixed kernel.