Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp1682876rwb;
        Sun, 14 Aug 2022 09:26:32 -0700 (PDT)
X-Google-Smtp-Source: AA6agR6cpRGdVJMAoXNP7m5WAXvzfWjaX79nH5cYYDzw4L3qkCiaMpT+u1CHlRcBZkoeqHN32JNb
X-Received: by 2002:a63:5f17:0:b0:427:8dbf:52b8 with SMTP id t23-20020a635f17000000b004278dbf52b8mr4308599pgb.64.1660494391817;
        Sun, 14 Aug 2022 09:26:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660494391; cv=none;
        d=google.com; s=arc-20160816;
        b=lWPoIkWf0zP6T+QunM06n4+SjNu/YzMOhx8PupRlbPyLZYRhxuKxa8MvceTNm/Ll7n
         pXvvRJBMxfc9BjwqBOzsObMyWC2+WeTWu51NlmigAeVK6jc3DmbPVVVT7Ta+yAYWvtct
         ycX/ZfBgxlVVhxGMWd8bmXt7J/Lc0xV6psOftDI8s7m3vh3okDrWd2iolUYy4inyMEKZ
         541tiP4bvX7P36+GkIZVf52WSxH/KF73AoOL0jeClG18BsYWXASIT7OPkQmSPv0yHinm
         amd0bfdqoc3YJ1PU/Q3Yyu3ZpBALo7zCiXOyaBUE1g1d3vBBHVcwVLhhzSDSPdaPC57D
         EOtg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=Od5U4O1nKzpcLsmddDKjU9d7GL/drGmy44u+Szj/YE4=;
        b=clkrflp7ucPeT9k8l2rHljIluMNiP4Q7oPthJi7qkugdSGbX/2VfVtbyAFmSEjNHws
         8NyCdHv0NUeqZF/fpptOjNuLZUOQEgneLzNvpCMYj6ybkcG9crc5YgTMpiBPqtOx/jm3
         LoQq/+r0NGl7ldYvjPpRj9xw5FPQolePOx57IYKw/n0bDUYlJ1ddRAcMz3Jii6f5baW/
         IKJMnzEyMeO4VnrzAhXXC9hyJki0CVIN747XE9vJYW56itHisUCOQ4Bc0LND9tyhOd+s
         +6onm2nuaUuGzjYri9A8YfKh7/fosO379ljqEqFCQ/sP7IMsIdkzF+8WVGRvU07/wTsM
         eZLw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id h2-20020a63b002000000b00415b6092468si7865071pgf.586.2022.08.14.09.26.20;
        Sun, 14 Aug 2022 09:26:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240939AbiHNQVO (ORCPT <rfc822;andreqb@gmail.com> + 99 others);
        Sun, 14 Aug 2022 12:21:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50652 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S241079AbiHNQUp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 14 Aug 2022 12:20:45 -0400
Received: from mail.hallyn.com (mail.hallyn.com [178.63.66.53])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 455D7F35;
        Sun, 14 Aug 2022 09:09:29 -0700 (PDT)
Received: by mail.hallyn.com (Postfix, from userid 1001)
        id A8678F8A; Sun, 14 Aug 2022 10:55:08 -0500 (CDT)
Date:   Sun, 14 Aug 2022 10:55:08 -0500
From:   "Serge E. Hallyn" <serge@hallyn.com>
To:     Paul Moore <paul@paul-moore.com>
Cc:     "Eric W. Biederman" <ebiederm@xmission.com>,
        Frederick Lawler <fred@cloudflare.com>, kpsingh@kernel.org,
        revest@chromium.org, jackmanb@chromium.org, ast@kernel.org,
        daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com,
        songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com,
        jmorris@namei.org, serge@hallyn.com,
        stephen.smalley.work@gmail.com, eparis@parisplace.org,
        shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com,
        bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
        selinux@vger.kernel.org, linux-kselftest@vger.kernel.org,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        kernel-team@cloudflare.com, cgzones@googlemail.com,
        karl@bigbadwolfsecurity.com
Subject: Re: [PATCH v4 0/4] Introduce security_create_user_ns()
Message-ID: <20220814155508.GA7991@mail.hallyn.com>
References: <20220801180146.1157914-1-fred@cloudflare.com>
 <87les7cq03.fsf@email.froward.int.ebiederm.org>
 <CAHC9VhRpUxyxkPaTz1scGeRm+i4KviQQA7WismOX2q5agzC+DQ@mail.gmail.com>
 <87wnbia7jh.fsf@email.froward.int.ebiederm.org>
 <CAHC9VhS3udhEecVYVvHm=tuqiPGh034-xPqXYtFjBk23+p-Szg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHC9VhS3udhEecVYVvHm=tuqiPGh034-xPqXYtFjBk23+p-Szg@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
        SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 08, 2022 at 03:16:16PM -0400, Paul Moore wrote:
> On Mon, Aug 8, 2022 at 2:56 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
> > Paul Moore <paul@paul-moore.com> writes:
> > > On Mon, Aug 1, 2022 at 10:56 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
> > >> Frederick Lawler <fred@cloudflare.com> writes:
> > >>
> > >> > While creating a LSM BPF MAC policy to block user namespace creation, we
> > >> > used the LSM cred_prepare hook because that is the closest hook to prevent
> > >> > a call to create_user_ns().
> > >>
> > >> Re-nack for all of the same reasons.
> > >> AKA This can only break the users of the user namespace.
> > >>
> > >> Nacked-by: "Eric W. Biederman" <ebiederm@xmission.com>
> > >>
> > >> You aren't fixing what your problem you are papering over it by denying
> > >> access to the user namespace.
> > >>
> > >> Nack Nack Nack.
> > >>
> > >> Stop.
> > >>
> > >> Go back to the drawing board.
> > >>
> > >> Do not pass go.
> > >>
> > >> Do not collect $200.
> > >
> > > If you want us to take your comments seriously Eric, you need to
> > > provide the list with some constructive feedback that would allow
> > > Frederick to move forward with a solution to the use case that has
> > > been proposed.  You response above may be many things, but it is
> > > certainly not that.
> >
> > I did provide constructive feedback.  My feedback to his problem
> > was to address the real problem of bugs in the kernel.
> 
> We've heard from several people who have use cases which require
> adding LSM-level access controls and observability to user namespace
> creation.  This is the problem we are trying to solve here; if you do
> not like the approach proposed in this patchset please suggest another
> implementation that allows LSMs visibility into user namespace
> creation.

Regarding the observability - can someone concisely lay out why just
auditing userns creation would not suffice?  Userspace could decide
what to report based on whether the creating user_ns == /proc/1/ns/user...

Regarding limiting the tweaking of otherwise-privileged code by
unprivileged users, i wonder whether we could instead add smarts to
ns_capable().  Point being, uid mapping would still work, but we'd
break the "privileged against resources you own" part of user
namespaces.  I would want it to default to allow, but then when a
0-day is found which requires reaching ns_capable() code, admins 
could easily prevent exploitation until reboot from a fixed kernel.