Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp1087204rwe; Thu, 25 Aug 2022 15:21:47 -0700 (PDT) X-Google-Smtp-Source: AA6agR6eIZsKMHQhOGcoq25RNbB4193BvZ8ZLHYaql1QK781w0DvQqJNVd88GXfVtk6aIO1uxiI6 X-Received: by 2002:a17:906:794c:b0:73d:b881:e3fe with SMTP id l12-20020a170906794c00b0073db881e3femr3514970ejo.570.1661466107506; Thu, 25 Aug 2022 15:21:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661466107; cv=none; d=google.com; s=arc-20160816; b=EaOoaUnr1KJ2X0DBdIRsuk5max9mjodoekUfSD3Mjwzq4H8cqbh4RhqC44iphGTR2X H6gy+Zy1m08CVAlhyqRsTQJI7BkS0f01FYpmySlNLyo/J+ml4oaDXhqXcSMnYEQqitx5 nDUvfq2iTBFXHBtZ+zXqzJ2YSc40BBayMCxbqho70e5gIjYfP0rxcoRhFsiCYKbhS7xU LhCzvK4g+EtfGhTh71qTu7oqlbWpl7H95pO4AnNi0gY8N44LWGHH6XAE+bIfWoPRDhdU guVEjgTmYgocfcY9VJZuitJsesIpfnKDpP4SzXv1g8sm+xb6guQHV1XH1ux+i0Wi6Yhh ow4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=aL/AGV/8w/lD0tdUyUfzE8bvL9UFhy5bQRgnqnJx79U=; b=02QvVEjWSCV5LrSUeqMmmO2QSWHR2cLTcxuFAWUyTS1QGevp5FPoN0+SLuKiyKx7se MxnZf5OHFbLGTuz7VjLz8M1z1/QIubTqfl0+1LgzEMW3VTd7NdxRmRNafp2SMfrI1Zjf m0SdvYjv0vkE4wTVuGOWMvC3/zoJC1scCSG4Y0NIy4YaEbZwcv8wBXJmxGiofgOG/Skh O6FeLzGZXhYumVbK6HEO33qkzJCCdZw4G/0eLSGbUSxfBDsVmmEWI3aoL144spD/LbHQ f5jjun9XvHXqlt6ILZuCUob8VZysclh+WbMxHUIEm1aFV4vqt6gkt4i2vw3czK5KXTS3 XANw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=A2e2m7ez; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n13-20020a05640205cd00b0044622fc1d8dsi410762edx.183.2022.08.25.15.21.22; Thu, 25 Aug 2022 15:21:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=A2e2m7ez; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241973AbiHYWLN (ORCPT + 99 others); Thu, 25 Aug 2022 18:11:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42040 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243442AbiHYWLI (ORCPT ); Thu, 25 Aug 2022 18:11:08 -0400 Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 377175A168 for ; Thu, 25 Aug 2022 15:11:04 -0700 (PDT) Received: by mail-oi1-x22a.google.com with SMTP id j5so24985931oih.6 for ; Thu, 25 Aug 2022 15:11:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=aL/AGV/8w/lD0tdUyUfzE8bvL9UFhy5bQRgnqnJx79U=; b=A2e2m7ezoKBimHZ8/7VLP9dvWoH+EEf72LSF6b2eTN1goiRhAcaNEsH4aMIAdBMdDV Sw/W7FpIPVqOMojVjC6ABvS48bY7IGsqTB01A6M4cCeZegPyYFUg8EvR7s2s2aFc3LfC z98HdbmOEF6zR2mb4maMNOTJIQx37xA1hXWqy0Flnmpa2q0qc0mZ4IjJcJjpsZqyBmBD rjFiFyzF51Ai9kLcPbBi7LM4LWruE51HRS6Gbc7TLQMhiWeLDnQON4DYd5MxrMEUZmvg /tbF2C/V+pKnI850Af/7RerFaYyycqS4Iek09hpd2OxY6oJVEZTGKeKOi62YstibIH/C kMRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=aL/AGV/8w/lD0tdUyUfzE8bvL9UFhy5bQRgnqnJx79U=; b=U811UkeGKBSBQCPp6Y7SzrEjUnelqG4daKtmFSIW+WviclAazixMb6fyAefyqZ+NSe iLEfzA+0RnwwvTcYPvzuSs93tT4+cqfZZFd1qZzQRE/x9utp93+daj1LiwXff3jlBlzx m7XoQe70rEa2gPEchMmZs0S8OZJQJz6JCo3OCqRM3fPwOm0fFuf+SJIPsUX2aeWn6Ztq IhI758Dbgp5nlrs6t6CRciHip3Qa+TyEdB5AAp/xOEV/Rm/TXIwU+t3EqJao3FKCMOP5 o423UmtKnbZWGjXmM14UDEUU1KcfeN5UV5HVm/uEZci02AnODFcliv2i+9jgBd1jl4R8 /+PA== X-Gm-Message-State: ACgBeo1h57yk5tI+kguUo+zAYDQvZgsCgiPHvgQSePAVwmKqIugEBC5+ 4pf3rrGXByKS5dCX3A1HSGemC+5m/7uWX+6QpcCc X-Received: by 2002:aca:b7d5:0:b0:343:c478:91c6 with SMTP id h204-20020acab7d5000000b00343c47891c6mr444622oif.136.1661465463480; Thu, 25 Aug 2022 15:11:03 -0700 (PDT) MIME-Version: 1.0 References: <8735dux60p.fsf@email.froward.int.ebiederm.org> <871qte8wy3.fsf@email.froward.int.ebiederm.org> <8735du7fnp.fsf@email.froward.int.ebiederm.org> <87tu6a4l83.fsf@email.froward.int.ebiederm.org> <20220818140521.GA1000@mail.hallyn.com> <20220819144537.GA16552@mail.hallyn.com> <875yigp4tp.fsf@email.froward.int.ebiederm.org> <0D14C118-E644-4D7B-84C0-CA7752DC0605@fb.com> In-Reply-To: <0D14C118-E644-4D7B-84C0-CA7752DC0605@fb.com> From: Paul Moore Date: Thu, 25 Aug 2022 18:10:52 -0400 Message-ID: Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns() To: Song Liu Cc: "Eric W. Biederman" , "Serge E. Hallyn" , Linus Torvalds , Frederick Lawler , KP Singh , "revest@chromium.org" , "jackmanb@chromium.org" , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin Lau , Yonghong Song , John Fastabend , James Morris , "stephen.smalley.work@gmail.com" , "eparis@parisplace.org" , Shuah Khan , "brauner@kernel.org" , Casey Schaufler , bpf , LSM List , "selinux@vger.kernel.org" , "open list:KERNEL SELFTEST FRAMEWORK" , LKML , Networking , "kernel-team@cloudflare.com" , "cgzones@googlemail.com" , "karl@bigbadwolfsecurity.com" , "tixxdz@gmail.com" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 25, 2022 at 5:58 PM Song Liu wrote: > > On Aug 25, 2022, at 12:19 PM, Paul Moore wrote: > > > > On Thu, Aug 25, 2022 at 2:15 PM Eric W. Biederman wrote: > >> Paul Moore writes: > >>> On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn wrote: > >>>> I am hoping we can come up with > >>>> "something better" to address people's needs, make everyone happy, and > >>>> bring forth world peace. Which would stack just fine with what's here > >>>> for defense in depth. > >>>> > >>>> You may well not be interested in further work, and that's fine. I need > >>>> to set aside a few days to think on this. > >>> > >>> I'm happy to continue the discussion as long as it's constructive; I > >>> think we all are. My gut feeling is that Frederick's approach falls > >>> closest to the sweet spot of "workable without being overly offensive" > >>> (*cough*), but if you've got an additional approach in mind, or an > >>> alternative approach that solves the same use case problems, I think > >>> we'd all love to hear about it. > >> > >> I would love to actually hear the problems people are trying to solve so > >> that we can have a sensible conversation about the trade offs. > > > > Here are several taken from the previous threads, it's surely not a > > complete list, but it should give you a good idea: > > > > https://lore.kernel.org/linux-security-module/CAHC9VhQnPAsmjmKo-e84XDJ1wmaOFkTKPjjztsOa9Yrq+AeAQA@mail.gmail.com/ > > > >> As best I can tell without more information people want to use > >> the creation of a user namespace as a signal that the code is > >> attempting an exploit. > > > > Some use cases are like that, there are several other use cases that > > go beyond this; see all of our previous discussions on this > > topic/patchset. As has been mentioned before, there are use cases > > that require improved observability, access control, or both. > > > >> As such let me propose instead of returning an error code which will let > >> the exploit continue, have the security hook return a bool. With true > >> meaning the code can continue and on false it will trigger using SIGSYS > >> to terminate the program like seccomp does. > > > > Having the kernel forcibly exit the process isn't something that most > > LSMs would likely want. I suppose we could modify the hook/caller so > > that *if* an LSM wanted to return SIGSYS the system would kill the > > process, but I would want that to be something in addition to > > returning an error code like LSMs normally do (e.g. EACCES). > > I am new to user_namespace and security work, so please pardon me if > anything below is very wrong. > > IIUC, user_namespace is a tool that enables trusted userspace code to > control the behavior of untrusted (or less trusted) userspace code. > Failing create_user_ns() doesn't make the system more reliable. > Specifically, we call create_user_ns() via two paths: fork/clone and > unshare. For both paths, we need the userspace to use user_namespace, > and to honor failed create_user_ns(). > > On the other hand, I would echo that killing the process is not > practical in some use cases. Specifically, allowing the application to > run in a less secure environment for a short period of time might be > much better than killing it and taking down the whole service. Of > course, there are other cases that security is more important, and > taking down the whole service is the better choice. > > I guess the ultimate solution is a way to enforce using user_namespace > in the kernel (if it ever makes sense...). The LSM framework, and the BPF and SELinux LSM implementations in this patchset, provide a mechanism to do just that: kernel enforced access controls using flexible security policies which can be tailored by the distro, solution provider, or end user to meet the specific needs of their use case. -- paul-moore.com