Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp158343rwe; Fri, 26 Aug 2022 02:39:46 -0700 (PDT) X-Google-Smtp-Source: AA6agR6fNWH5T4/JpbxGgysyFmLn0B89Cb3xReijiw2fhgLmrVcKCSELDTk9vLXcDHfL5r9aajuZ X-Received: by 2002:a17:90b:3911:b0:1fb:1f53:fa5 with SMTP id ob17-20020a17090b391100b001fb1f530fa5mr3524649pjb.233.1661506786078; Fri, 26 Aug 2022 02:39:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661506786; cv=none; d=google.com; s=arc-20160816; b=otxV5IV2Hkhm1MKLQy7e/3v0ecOxNB2TBrOBWeIex9tjvr+DOOJwRCojdueXWjYaA2 5qHQOiJwoJjteLTp3UHj7eMIeF4DF9xrd7ElQALNmb+Z+DkKfQKTpoQidW5yuw8zabZS hT2K8SyuQPcwtsvHQQ7pOBfmm/PtsVQf7Zid1TYrMaN5xyWvvEQfic1xEHxpfok4ufRG eq3k7oXupLGfyiVSmCCwqGi4pNaQ+pqZbfLHub8k4+aUVjFvfnx3j0XkxoZEI4gx04tl JO8cxnADdh9YdERN6saYwpdVM5Tu/Omp3IhFUHeYP2u3O47S13xL5OVyOkSBy53seQZN dLaQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=9WfR61mwlG7xEw+rTgThfNinRNgyKs7+mef9MefL6PA=; b=wLzj6qsfI9ocxNnmKh0dQMdCAdK63R2dqdX9s8TBwyePtY4Kx2d1ELp+gwPZOQzC5l BGEbuxsq8PSO+MMlW8V1+8TuOUnkT27Q7Br7pVw8OqxDxN//Uk9UzsXb7hwYUmrSmo82 l9k9HpG2oCCImplruCdA2PQcrw8+2llIhrK4wQYMgZ26+7mNLpEzf4OlzXqoLPtOq5SU bf/dl2+fVpMwYT9JzT6LCWAcmYruAyg1rckCZOhxfuWss+tMUTIWJWDGkv3wxj7F7ZEl 1M+I0wWaumCZ8pNjy7OzAI2PJyw4wIJUW6vyO2akEU+KAU4PFVYdwr/DdH5RRH77lbqS SWOg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=EhvIqLiC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e17-20020a056a001a9100b00535d7265923si1436623pfv.377.2022.08.26.02.39.34; Fri, 26 Aug 2022 02:39:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=EhvIqLiC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245618AbiHZJLL (ORCPT + 99 others); Fri, 26 Aug 2022 05:11:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58424 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245530AbiHZJLG (ORCPT ); Fri, 26 Aug 2022 05:11:06 -0400 Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 36B4FCD524 for ; Fri, 26 Aug 2022 02:11:04 -0700 (PDT) Received: by mail-io1-xd2c.google.com with SMTP id p187so698754iod.8 for ; Fri, 26 Aug 2022 02:11:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=9WfR61mwlG7xEw+rTgThfNinRNgyKs7+mef9MefL6PA=; b=EhvIqLiC9BX9tHc9a+BQqpydsPIjtHyKBmBx0sofnPbgUlRgpWlCGxWIpp5JbnuFup 2kZoVj99EcwjkfBHBUZg2oipu8wdizJwB4NoGLsfzUAFh/Tk2zvveA8DFExtjEyQ8Dc/ /pVtcCgigmLtsj7Cwo14GVv+Ocdqf7No5PvDs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=9WfR61mwlG7xEw+rTgThfNinRNgyKs7+mef9MefL6PA=; b=jrRJEj9CP8JfaUwItLTslnhM1elK7HU4KVWq9iM1FRz2PF2i/Eym0ql0XobLvjOzhy dxfu5XLw+1seOsB3qIP1M7rnDXyroA1ZxZRVkyHSo8PR8NkeQR9LJdwitKWspqR2BO/s rznenitrxVBiGV16y1lpY216/yiQ0VcObnyK27Y1GXS1MwTB5O5eC7WtnwpXeih60gvA vYMIdpol5ELCkJ2If4RKPLQDjJ8WW+wuXUrCK2gi95oyjedpyAbQuy12+OQ8GWzbIIwc lnApVRzeg+NHE5K2ZTnKuLpaWD9O04sbmszhY3areAQ5PTtU4CO2K0gzh0EKWV0/OSrL /WMQ== X-Gm-Message-State: ACgBeo0Wc+8EMAjm8UqaCOR2BOPq2pIfE3seIZHFYKu4swUK2rbxF0TP 4jd/S8m6xm98B9ttL4L0NKLfKtnQy6MqyuKHIuRVcw== X-Received: by 2002:a05:6638:1244:b0:34a:1104:afa with SMTP id o4-20020a056638124400b0034a11040afamr3321877jas.244.1661505063405; Fri, 26 Aug 2022 02:11:03 -0700 (PDT) MIME-Version: 1.0 References: <8735dux60p.fsf@email.froward.int.ebiederm.org> <871qte8wy3.fsf@email.froward.int.ebiederm.org> <8735du7fnp.fsf@email.froward.int.ebiederm.org> <87tu6a4l83.fsf@email.froward.int.ebiederm.org> <20220818140521.GA1000@mail.hallyn.com> <20220819144537.GA16552@mail.hallyn.com> <875yigp4tp.fsf@email.froward.int.ebiederm.org> In-Reply-To: From: Ignat Korchagin Date: Fri, 26 Aug 2022 10:10:51 +0100 Message-ID: Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns() To: "Eric W. Biederman" Cc: "Serge E. Hallyn" , Paul Moore , Linus Torvalds , Frederick Lawler , kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, Christian Brauner , casey@schaufler-ca.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel , netdev , kernel-team , cgzones@googlemail.com, karl@bigbadwolfsecurity.com, tixxdz@gmail.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 25, 2022 at 8:19 PM Paul Moore wrote: > > On Thu, Aug 25, 2022 at 2:15 PM Eric W. Biederman wrote: > > Paul Moore writes: > > > On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn wrote: > > >> I am hoping we can come up with > > >> "something better" to address people's needs, make everyone happy, and > > >> bring forth world peace. Which would stack just fine with what's here > > >> for defense in depth. > > >> > > >> You may well not be interested in further work, and that's fine. I need > > >> to set aside a few days to think on this. > > > > > > I'm happy to continue the discussion as long as it's constructive; I > > > think we all are. My gut feeling is that Frederick's approach falls > > > closest to the sweet spot of "workable without being overly offensive" > > > (*cough*), but if you've got an additional approach in mind, or an > > > alternative approach that solves the same use case problems, I think > > > we'd all love to hear about it. > > > > I would love to actually hear the problems people are trying to solve so > > that we can have a sensible conversation about the trade offs. > > Here are several taken from the previous threads, it's surely not a > complete list, but it should give you a good idea: > > https://lore.kernel.org/linux-security-module/CAHC9VhQnPAsmjmKo-e84XDJ1wmaOFkTKPjjztsOa9Yrq+AeAQA@mail.gmail.com/ > > > As best I can tell without more information people want to use > > the creation of a user namespace as a signal that the code is > > attempting an exploit. > > Some use cases are like that, there are several other use cases that > go beyond this; see all of our previous discussions on this > topic/patchset. As has been mentioned before, there are use cases > that require improved observability, access control, or both. > > > As such let me propose instead of returning an error code which will let > > the exploit continue, have the security hook return a bool. With true > > meaning the code can continue and on false it will trigger using SIGSYS > > to terminate the program like seccomp does. > > Having the kernel forcibly exit the process isn't something that most > LSMs would likely want. I suppose we could modify the hook/caller so > that *if* an LSM wanted to return SIGSYS the system would kill the > process, but I would want that to be something in addition to > returning an error code like LSMs normally do (e.g. EACCES). I would also add here that seccomp allows more flexibility than just delivering SIGSYS to a violating application. We can program seccomp bpf to: * deliver a signal * return a CUSTOM error code (and BTW somehow this does not trigger any requirements to change userapi or document in manpages: in my toy example in [1] I'm delivering ENETDOWN from a uname(2) system call, which is not documented in the man pages, but totally valid from a seccomp usage perspective) * do-nothing, but log the action So I would say the seccomp reference supports the current approach more than the alternative approach of delivering SIGSYS as technically an LSM implementation of the hook (at least in-kernel one) can chose to deliver a signal to a task via kernel-api, but BPF-LSM (and others) can deliver custom error codes and log the actions as well. Ignat > -- > paul-moore.com [1]: https://blog.cloudflare.com/sandboxing-in-linux-with-zero-lines-of-code/