Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp516436rwe; Fri, 26 Aug 2022 09:05:29 -0700 (PDT) X-Google-Smtp-Source: AA6agR6nMPYowkheyKPMz1GnFBoYfkWOGScXu9KpHGsgiInlY04BBMru8XgNlFmsUYx2NtWazjES X-Received: by 2002:a63:5d4e:0:b0:41d:2966:74e7 with SMTP id o14-20020a635d4e000000b0041d296674e7mr3676806pgm.526.1661529929012; Fri, 26 Aug 2022 09:05:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661529929; cv=none; d=google.com; s=arc-20160816; b=AYzffAMyJ4Pd893XDM8+xfWDy5yy21vsdzvu6MVRhcmR7YpOqNvmCY0XI+Nh5dm664 ySM4WCxAvJuvld8Zw3R6uQ1s2eW9taUO44MvfHWVSJaZQ1seNfanabdMffmhg5Xy17LF nAGl1cqaiT5GzR3uI19uMDlQwz0PFN/NQEgekWe2612NYfcmIztyF3F9R57ePUVOOK8a soCyHonY8oQe8RVD4Go0J92YKZ4jWG4copXXA+NmXgf0aHkBvZtBw2V0g0eHEcrSiSkG QItWKf6Nzvb1KVKeT6/WN5Do82W68S5KkqKxDuaAIwwiewuux/gAGD21FndGGaWAMpGR xICA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=tRhd/2/uHL0VX0F4GeRi6SnOKLBFJo3Q7T6F3F0TR3s=; b=Ortu0Y67SDmxlUqyyTYBxA3iUx4FW5p5kL+1wGS04QL35/Bbmnxi0MyoQ6suJeNkx8 cv7XFDlUgn7lw/03EEGFRtuZ7lZZVwqNw3i5VIaLGHFUvsoCPWlrdpH54AvRR2JcJp7v cDm3DL/jQULgRROLb+RoYxciGU+8usISub8sDUDJsHpZ9VEHVev5kHYHJRIGBBJeuJYL 4iU9eJyPTOyaXlcio0qKyNcnVYbQDw/gUCzXxwE+u5tZIGNKrorPtT0OUeOyqroAGooU SSKaHah4q8xjaIN7e/+tZ11spzi0KoJ4Y9LDX54RSrUdNz7zeubagIjfb+5MX4ycD6Ff e5QQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=orhQFJns; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v7-20020a655687000000b0042b4d1b0dcbsi1998457pgs.216.2022.08.26.09.05.16; Fri, 26 Aug 2022 09:05:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=orhQFJns; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237173AbiHZPCY (ORCPT + 99 others); Fri, 26 Aug 2022 11:02:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54046 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235677AbiHZPCS (ORCPT ); Fri, 26 Aug 2022 11:02:18 -0400 Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5E587D9D5E for ; Fri, 26 Aug 2022 08:02:15 -0700 (PDT) Received: by mail-ot1-x332.google.com with SMTP id o15-20020a9d718f000000b00638c1348012so1182833otj.2 for ; Fri, 26 Aug 2022 08:02:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=tRhd/2/uHL0VX0F4GeRi6SnOKLBFJo3Q7T6F3F0TR3s=; b=orhQFJnsjMOMEl1XYB+lStIgrX4ra7SL0ABeZSgcWzIJcW65G6IzHoIBENxN8sseM4 CoAsY/870bHVS0FlrCS9ipyA4VCGdNf5nQmNvDdLVx/azkoX2x2btuKOCv48mV3Y+ylC hjOEY0WAesEQlmTkAi55NKTX05lKq3t4syAEoUszo9ZiAbZqfxhsJM1fiF+/x+BAX6xJ OhogR1k6QWDtXqvaxG0/7agNJPwoah7vt6vcOG6dsUJJ8o8LNiRCMkdEVCa8OF1yY7jg gaR+VqCefuGhBiOdD9DAtM6o+3mqXrjCWTrlKKX3Ss8zz4QhR0+UGbOcoaRVxTModdNe kJBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=tRhd/2/uHL0VX0F4GeRi6SnOKLBFJo3Q7T6F3F0TR3s=; b=4JO0yBe72SVKE/bPYzv2/1Apt5CfVRv5iXS0lFGJDdD8WZwLKgLHRyPc4BdCSSmlzc 11W5iYhU5kLoRRcO00TW/nXe1YjFGfjWqVRyzh0Ny0+WelgYOhpTEk3R1iWBFilC7444 lfBISRDteTqWghsKkG+V0twZUYDiaq+3m/gtiWbYjBYc0ZMLgkvlXH+IYGuUSrDaHiPu cMImqSbe/vYYh6GTQIiG4hLHVVQ+vcQ1lJ0jTeMar9YCWZptit3rYb9jhwksdZKYYNWM BMeP+x3rcLnSg0zKDzJhyxVDozz74W+aF7NV0Y5hpqjjXBrVcb8FU6yKfbTxc1+GGk8N zdwQ== X-Gm-Message-State: ACgBeo0uBzvmBd2i3RElKU5CYDJmRj3peuu+7HQoTW+qSdNaX/YRuyEk PhlAKgQdhmzsZbZCdNRRpbEgC6iiSuWVs9oO/bBX X-Received: by 2002:a9d:2de3:0:b0:638:e210:c9da with SMTP id g90-20020a9d2de3000000b00638e210c9damr1506204otb.69.1661526134578; Fri, 26 Aug 2022 08:02:14 -0700 (PDT) MIME-Version: 1.0 References: <8735dux60p.fsf@email.froward.int.ebiederm.org> <871qte8wy3.fsf@email.froward.int.ebiederm.org> <8735du7fnp.fsf@email.froward.int.ebiederm.org> <87tu6a4l83.fsf@email.froward.int.ebiederm.org> <20220818140521.GA1000@mail.hallyn.com> <20220819144537.GA16552@mail.hallyn.com> <875yigp4tp.fsf@email.froward.int.ebiederm.org> <0D14C118-E644-4D7B-84C0-CA7752DC0605@fb.com> In-Reply-To: From: Paul Moore Date: Fri, 26 Aug 2022 11:02:03 -0400 Message-ID: Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns() To: Song Liu Cc: "Eric W. Biederman" , "Serge E. Hallyn" , Linus Torvalds , Frederick Lawler , KP Singh , "revest@chromium.org" , "jackmanb@chromium.org" , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin Lau , Yonghong Song , John Fastabend , James Morris , "stephen.smalley.work@gmail.com" , "eparis@parisplace.org" , Shuah Khan , "brauner@kernel.org" , Casey Schaufler , bpf , LSM List , "selinux@vger.kernel.org" , "open list:KERNEL SELFTEST FRAMEWORK" , LKML , Networking , "kernel-team@cloudflare.com" , "cgzones@googlemail.com" , "karl@bigbadwolfsecurity.com" , "tixxdz@gmail.com" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 25, 2022 at 6:42 PM Song Liu wrote: > > On Aug 25, 2022, at 3:10 PM, Paul Moore wrote: > > On Thu, Aug 25, 2022 at 5:58 PM Song Liu wrote: ... > >> I am new to user_namespace and security work, so please pardon me if > >> anything below is very wrong. > >> > >> IIUC, user_namespace is a tool that enables trusted userspace code to > >> control the behavior of untrusted (or less trusted) userspace code. > >> Failing create_user_ns() doesn't make the system more reliable. > >> Specifically, we call create_user_ns() via two paths: fork/clone and > >> unshare. For both paths, we need the userspace to use user_namespace, > >> and to honor failed create_user_ns(). > >> > >> On the other hand, I would echo that killing the process is not > >> practical in some use cases. Specifically, allowing the application to > >> run in a less secure environment for a short period of time might be > >> much better than killing it and taking down the whole service. Of > >> course, there are other cases that security is more important, and > >> taking down the whole service is the better choice. > >> > >> I guess the ultimate solution is a way to enforce using user_namespace > >> in the kernel (if it ever makes sense...). > > > > The LSM framework, and the BPF and SELinux LSM implementations in this > > patchset, provide a mechanism to do just that: kernel enforced access > > controls using flexible security policies which can be tailored by the > > distro, solution provider, or end user to meet the specific needs of > > their use case. > > In this case, I wouldn't call the kernel is enforcing access control. > (I might be wrong). There are 3 components here: kernel, LSM, and > trusted userspace (whoever calls unshare). The LSM layer, and the LSMs themselves are part of the kernel; look at the changes in this patchset to see the LSM, BPF LSM, and SELinux kernel changes. Explaining how the different LSMs work is quite a bit beyond the scope of this discussion, but there is plenty of information available online that should be able to serve as an introduction, not to mention the kernel source itself. However, in very broad terms you can think of the individual LSMs as somewhat analogous to filesystem drivers, e.g. ext4, and the LSM itself as the VFS layer. > AFAICT, kernel simply passes > the decision made by LSM (BPF or SELinux) to the trusted userspace. It > is up to the trusted userspace to honor the return value of unshare(). With a LSM enabled and enforcing a security policy on user namespace creation, which appears to be the case of most concern, the kernel would make a decision on the namespace creation based on various factors (e.g. for SELinux this would be the calling process' security domain and the domain's permission set as determined by the configured security policy) and if the operation was rejected an error code would be returned to userspace and the operation rejected. It is the exact same thing as what would happen if the calling process is chrooted or doesn't have a proper UID/GID mapping. Don't forget that the create_user_ns() function already enforces a security policy and returns errors to userspace; this patchset doesn't add anything new in that regard, it just allows for a richer and more flexible security policy to be built on top of the existing constraints. > If the userspace simply ignores unshare failures, or does not call > unshare(CLONE_NEWUSER), kernel and LSM cannot do much about it, right? The process is still subject to any security policies that are active and being enforced by the kernel. A malicious or misconfigured application can still be constrained by the kernel using both the kernel's legacy Discretionary Access Controls (DAC) as well as the more comprehensive Mandatory Access Controls (MAC) provided by many of the LSMs. -- paul-moore.com