From: Paul Moore
Date: Fri, 26 Aug 2022 11:12:49 -0400
Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns()
To: Ignat Korchagin
Cc: "Eric W. Biederman", "Serge E. Hallyn", Linus Torvalds, Frederick Lawler, kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, stephen.smalley.work@gmail.com, eparis@parisplace.org, shuah@kernel.org, Christian Brauner, casey@schaufler-ca.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel, netdev, kernel-team, cgzones@googlemail.com, karl@bigbadwolfsecurity.com, tixxdz@gmail.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Aug 26, 2022 at 5:11 AM Ignat Korchagin wrote:
> I would also add here that seccomp allows more flexibility than just
> delivering SIGSYS to a violating application. We can program seccomp
> bpf to:
> * deliver a signal
> * return a CUSTOM error code (and BTW somehow this does not trigger
> any requirements to change userapi or document in manpages: in my toy
> example in [1] I'm delivering ENETDOWN from a uname(2) system call,
> which is not documented in the man pages, but totally valid from a
> seccomp usage perspective)
> * do-nothing, but log the action
>
> So I would say the seccomp reference supports the current approach
> more than the alternative approach of delivering SIGSYS as technically
> an LSM implementation of the hook (at least in-kernel one) can choose
> to deliver a signal to a task via kernel-api, but BPF-LSM (and others)
> can deliver custom error codes and log the actions as well.
I agree that seccomp mode 2 allows for more flexibility than was mentioned earlier, however seccomp filtering has some limitations in this particular case which can be an issue for some. The first, and perhaps most important, is that some of the information that a seccomp filter might want to inspect is effectively hidden with the clone3(2) syscall due to the clone_args struct; this would make it difficult for a seccomp filter to identify namespace related operations. The second issue is that a seccomp mode 2 based approach requires the applications themselves to "Do The Right Thing" and ensure that the proper seccomp filter is loaded into the kernel before the target fork()/clone()/unshare() call is executed; an LSM which implements a proper mandatory access control mechanism does not rely on the application, it enforces the system's security policy regardless of what actions userspace performs.

--
paul-moore.com
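The following is an added example, not code from this thread or from the patch series under discussion, that puts both sides of the exchange into one seccomp-BPF filter. Like the toy example Ignat refers to, it answers uname(2) with a custom errno (ENETDOWN) rather than SIGSYS; it denies user-namespace creation through unshare(2) and clone(2) by testing the CLONE_NEWUSER bit in the flags argument; and for clone3(2), whose flags sit inside struct clone_args in user memory where classic BPF cannot follow the pointer, the only option it has is to reject the whole syscall, which is exactly the limitation Paul describes. It assumes x86_64 or aarch64 (little-endian) and a kernel with seccomp filter support; the small cBPF evaluator, the `decide()` helper and the `probe_in_child()` self-check are my own additions so the policy can be tested offline and then exercised in a throwaway child process:

```c
/* Added example: seccomp filter demonstrating custom errno returns and the
 * clone3(2) blind spot. Assumes x86_64 or aarch64, little-endian. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "example assumes x86_64 or aarch64"
#endif
#ifndef __NR_clone3
#define __NR_clone3 435          /* same number on every arch that has it */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#define RET_ERRNO(e) (SECCOMP_RET_ERRNO | ((e) & SECCOMP_RET_DATA))

static struct sock_filter filter[] = {
    /* 0-2: kill if the syscall ABI is not the one we wrote the rules for */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3: load the syscall number */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 4-5: uname(2) -> ENETDOWN, an errno uname itself never produces */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_uname, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(ENETDOWN)),
    /* 6-7: clone3(2): flags live in struct clone_args behind a user pointer the
     *      filter cannot read, so it can only refuse the call as a whole (ENOSYS
     *      makes glibc fall back to clone(2), which the rules below do inspect) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(ENOSYS)),
    /* 8-9: unshare(2) and clone(2) carry flags in args[0]; other syscalls -> 13 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),
    /* 10-12: low 32 bits of args[0]; CLONE_NEWUSER set -> EPERM */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(EPERM)),
    /* 13: everything else is allowed */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Tiny cBPF evaluator for the four opcodes used above, so the policy can be
 * checked offline against a constructed seccomp_data before it is installed. */
static uint32_t eval_filter(const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc); /* LE only */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_JMP | BPF_JSET | BPF_K:
            pc += (acc & in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Decision the filter would make for syscall `nr` with first argument `arg0`. */
static uint32_t decide(int nr, uint64_t arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = SECCOMP_ARCH, .args = { arg0 } };
    return eval_filter(&d);
}

static int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

enum { PROBE_FAIL = -1, PROBE_UNSUPPORTED = 0, PROBE_OK = 1 };

/* Install the filter in a forked child and verify each rule from inside it, so
 * the caller's own process is never restricted. */
static int probe_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_FAIL;
    if (pid == 0) {
        struct utsname u;
        if (install_filter() != 0)
            _exit(2);                       /* seccomp not available here */
        if (uname(&u) != -1 || errno != ENETDOWN)
            _exit(10);
        if (syscall(__NR_unshare, CLONE_NEWUSER) != -1 || errno != EPERM)
            _exit(11);
        if (syscall(__NR_clone3, NULL, 0) != -1 || errno != ENOSYS)
            _exit(12);
        if (getpid() <= 0)                  /* unrelated syscalls still work */
            _exit(13);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return PROBE_FAIL;
    if (WEXITSTATUS(status) == 0)
        return PROBE_OK;
    return WEXITSTATUS(status) == 2 ? PROBE_UNSUPPORTED : PROBE_FAIL;
}
```

Two things worth noticing in the rules: the filter only ever sees the raw register arguments, which is why the CLONE_NEWUSER test works for unshare(2) and clone(2) but clone3(2) can only be accepted or refused wholesale; and because the filter is installed by the process itself, it protects nothing unless the application remembers to load it before the first clone, which is the second limitation the reply points out and the reason an LSM hook enforces policy from the kernel side instead.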