Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp2038672rwb; Sun, 14 Aug 2022 19:40:56 -0700 (PDT) X-Google-Smtp-Source: AA6agR7yZEGbuLCbDVVzmvX0J/mWVxWEmXwhuRedzFAOH/+CIc1akiWZCjZGL/kRRcts70HiXFUa X-Received: by 2002:aa7:d712:0:b0:43d:3651:7217 with SMTP id t18-20020aa7d712000000b0043d36517217mr12682131edq.79.1660531256346; Sun, 14 Aug 2022 19:40:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660531256; cv=none; d=google.com; s=arc-20160816; b=gu3zrbf/7Np6LDS4bGs09cWOHG2amDU8RbFmZVogRItLrJqbTv9iv8LL/8cfegPNyW 6EIK5kXvI2o5XuiZ/AU7lD2PoIfHP0aUXPN8r6GEoiak9+lpVqoC29kpAb9N0yODr3xH GcC/uwJASxV+brNZ4+ucEbI0XIoSGZuBuzTJ0UFgBr9+Ob9eRA/pWE/wz+O9PyZP8a2O QTPFyKWFAqyRg4+8YuMuxXKBj+bvFcPlGy6sjV94gHo9GfTyzhrmPm+dfogtoN2HXPpz gB+VXswL7uyBlTynRsKLvEGquqBZQpNatApxVbUD6hZZnyAqEhpqxj044C9JppX1IdKB 3KWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=rKW04FaMDWlNTKaTacFyl18vVqIzuIE+w07IJVIvyZM=; b=BusTJL9B9Tmz8Y0GhPXlpNBmj9cLTTv+T//zS+k1xkVUNKunn0NHe4jSdD5F0FmyVh wcNg2VShZMgLDeANsbqjDwRA9KiLB7vQjxJkvaZflqWXEUymUPlgm4Sp/0RPmlPtxffv 7GTTJEjVPACH8nXsKU4+vkt9/dwno9gzsRo+chIn7Invm4DjNMmowmzQPXvdL28h3pG9 cIZWL+FRbFoYIYGxVbHQgohdTY89abhxNP4IkdFnL4UFNWT2dTkIs0lufVHoz1rHiCyM MjK6ELLf9BQO87JFrw4HMjZdEWju0xpWtNztcQtJDOwMRpaGOnDw0Rb/79C73TlhsoM7 kbsg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=0jUHyBYu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hb32-20020a170907162000b00736ce5254f9si4239815ejc.335.2022.08.14.19.40.31; Sun, 14 Aug 2022 19:40:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=0jUHyBYu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232629AbiHOCdI (ORCPT + 99 others); Sun, 14 Aug 2022 22:33:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59424 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231889AbiHOCdG (ORCPT ); Sun, 14 Aug 2022 22:33:06 -0400 Received: from mail-oa1-x36.google.com (mail-oa1-x36.google.com [IPv6:2001:4860:4864:20::36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D328413D44 for ; Sun, 14 Aug 2022 19:33:03 -0700 (PDT) Received: by mail-oa1-x36.google.com with SMTP id 586e51a60fabf-10e6bdbe218so6937896fac.10 for ; Sun, 14 Aug 2022 19:33:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=rKW04FaMDWlNTKaTacFyl18vVqIzuIE+w07IJVIvyZM=; b=0jUHyBYurBxt6DRoAGI0tPLbdwq8QIJsKw7J6a4Op/+9xD+nIyf0dK0wJ7rPnfTq2i NSJvgBTl+8AkLsBjYlKlyuaxDMkNUlYhs/+z2HQnC5hHxmTcduBCI+AHAwPc+R7t9trj KXAijqp+0i9YdXfrzZqpprg6bYtuy30+eIQM05alUjdeky6TD3PDUne1lBj2I32oWOG6 ez2BRA/6nu/5Q4AjgERGga2f76iujz1PeWL9w0Vbht1AOF6TtFmcWZT/4icZI3P+1tiZ 12Rp1ZxPzP9Jqw/ddSAaGrl2xTsxCHQJjehriM7ybsI4vUgaqO/2H/uoGhsNDT3ppDQz 4jcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=rKW04FaMDWlNTKaTacFyl18vVqIzuIE+w07IJVIvyZM=; b=kf1PYp3f9C8zgZbI0l5MI+N00DZ+dpWlt7QnnTSiElhrk1tbryMyixMgDCqDeIIIHj dWfLmDdfXSzkZYAjhrDqNbXsBFhJCqR5peFGBerIAea0FeyOyflmkmOTPInAY5YLnUhY MaPhEPJx/FOEWV+/tzMUuvdSJqyIzD5Xv8gZbnn9wsTpxSAqjUSvC+iJTa18EG1Ogufa IwIpbMaM12INhtw3TTZp4UfbmOVY8w5Wqq2H5loaS2g0YLU6Z5Hytz8TxLyFuC0TqdZ3 9a5tAeSKqzLOj8J+Un2iyLKwcS2ysMp6Z333alDulKdsSDRc+jyJ1/28Io7iPbWSsyfJ AyXw== X-Gm-Message-State: ACgBeo3FlEYWAYh52BzTXeG6uqYUUf64TmDohWQ4mfsDVIj+bVKGWcjT zGgnHu3xAC8wvXOMT4iVXXGS6c/gyZLICRQAXFy/ X-Received: by 2002:a05:6870:b41e:b0:116:5dc7:192a with SMTP id x30-20020a056870b41e00b001165dc7192amr6039900oap.136.1660530782624; Sun, 14 Aug 2022 19:33:02 -0700 (PDT) MIME-Version: 1.0 References: <20220801180146.1157914-1-fred@cloudflare.com> <87les7cq03.fsf@email.froward.int.ebiederm.org> <87wnbia7jh.fsf@email.froward.int.ebiederm.org> <20220814155508.GA7991@mail.hallyn.com> In-Reply-To: <20220814155508.GA7991@mail.hallyn.com> From: Paul Moore Date: Sun, 14 Aug 2022 22:32:51 -0400 Message-ID: Subject: Re: [PATCH v4 0/4] Introduce security_create_user_ns() To: "Serge E. Hallyn" Cc: "Eric W. Biederman" , Frederick Lawler , kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, brauner@kernel.org, casey@schaufler-ca.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, kernel-team@cloudflare.com, cgzones@googlemail.com, karl@bigbadwolfsecurity.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Aug 14, 2022 at 11:55 AM Serge E. Hallyn wrote: > On Mon, Aug 08, 2022 at 03:16:16PM -0400, Paul Moore wrote: > > On Mon, Aug 8, 2022 at 2:56 PM Eric W. Biederman wrote: > > > Paul Moore writes: > > > > On Mon, Aug 1, 2022 at 10:56 PM Eric W. Biederman wrote: > > > >> Frederick Lawler writes: > > > >> > > > >> > While creating a LSM BPF MAC policy to block user namespace creation, we > > > >> > used the LSM cred_prepare hook because that is the closest hook to prevent > > > >> > a call to create_user_ns(). > > > >> > > > >> Re-nack for all of the same reasons. > > > >> AKA This can only break the users of the user namespace. > > > >> > > > >> Nacked-by: "Eric W. Biederman" > > > >> > > > >> You aren't fixing what your problem you are papering over it by denying > > > >> access to the user namespace. > > > >> > > > >> Nack Nack Nack. > > > >> > > > >> Stop. > > > >> > > > >> Go back to the drawing board. > > > >> > > > >> Do not pass go. > > > >> > > > >> Do not collect $200. > > > > > > > > If you want us to take your comments seriously Eric, you need to > > > > provide the list with some constructive feedback that would allow > > > > Frederick to move forward with a solution to the use case that has > > > > been proposed. You response above may be many things, but it is > > > > certainly not that. > > > > > > I did provide constructive feedback. My feedback to his problem > > > was to address the real problem of bugs in the kernel. > > > > We've heard from several people who have use cases which require > > adding LSM-level access controls and observability to user namespace > > creation. This is the problem we are trying to solve here; if you do > > not like the approach proposed in this patchset please suggest another > > implementation that allows LSMs visibility into user namespace > > creation. > > Regarding the observability - can someone concisely lay out why just > auditing userns creation would not suffice? Userspace could decide > what to report based on whether the creating user_ns == /proc/1/ns/user... One of the selling points of the BPF LSM is that it allows for various different ways of reporting and logging beyond audit. However, even if it was limited to just audit I believe that provides some useful justification as auditing fork()/clone() isn't quite the same and could be difficult to do at scale in some configurations. I haven't personally added a BPF LSM program to the kernel so I can't speak to the details on what is possible, but I'm sure others on the To/CC line could help provide more information if that is important to you. > Regarding limiting the tweaking of otherwise-privileged code by > unprivileged users, i wonder whether we could instead add smarts to > ns_capable(). The existing security_capable() hook is eventually called by ns_capable(): ns_capable() ns_capable_common() security_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); ... I'm not sure what additional smarts would be useful here? [side note: SELinux does actually distinguish between capability checks in the initial user namespace vs child namespaces] > Point being, uid mapping would still work, but we'd > break the "privileged against resources you own" part of user > namespaces. I would want it to default to allow, but then when a > 0-day is found which requires reaching ns_capable() code, admins > could easily prevent exploitation until reboot from a fixed kernel. That assumes that everything you care about is behind a capability check, which is probably going to be correct in a lot of the cases, but I think it would be a mistake to assume that is always going to be true. -- paul-moore.com