Date: Thu, 6 Oct 2022 10:42:07 -0400
From: "Theodore Ts'o"
To: "Eric W. Biederman"
Cc: Linus Torvalds, Paul Moore, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [GIT PULL] LSM patches for v6.1
In-Reply-To: <87h70h5d36.fsf@email.froward.int.ebiederm.org>

Eric, there's one thing I don't get about why you hate LSM's having the ability to prevent user name spaces, and yet you are OK with (indeed, touting) /proc/sys/user/max_user_namespaces.

If we set max_user_namespaces to N, won't the N+1'th application get an error when they try to create a user namespace?

One of your arguments about why having LSM's forcing an error of say, EPERM, is that applications that don't check for error returns might get confused. (Those are buggy applications; so they should be fixed --- isn't that your argument about why we shouldn't be freaking out over security bugs caused by kernel bugs and user namespaces.)

But if you set max_user_namespaces, that same application will now fail with say, ENOSPC. And if in fact there is a buggy application that will create a security exposure because they aren't checking !@#@?! error returns, an attacker can simply create N user namespaces --- and then trigger the buggy application, at which point, they will have 0wned the system.

- Ted
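
The error-checking point in the message above, as an added example that is not part of the original mail or of any kernel code: a caller that creates a user namespace before running its payload and treats an LSM-style EPERM and a max_user_namespaces-style ENOSPC identically, by never running the payload. The names `run_in_userns`, `userns_limit`, `payload` and the `deny_*`/`allow` stand-ins are hypothetical and constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

typedef int (*unshare_fn)(int flags);   /* same shape as unshare(2) */

int work_calls;                         /* times the payload actually ran */
int payload(void) { work_calls++; return 0; }

/* Constructed stand-ins for the two refusals discussed in the thread. */
int deny_lsm(int flags)   { (void)flags; errno = EPERM;  return -1; }
int deny_limit(int flags) { (void)flags; errno = ENOSPC; return -1; }
int allow(int flags)      { (void)flags; return 0; }

/* Current value of /proc/sys/user/max_user_namespaces, or -1 if unreadable. */
long userns_limit(void)
{
    long n = -1;
    FILE *f = fopen("/proc/sys/user/max_user_namespaces", "r");
    if (f) {
        if (fscanf(f, "%ld", &n) != 1)
            n = -1;
        fclose(f);
    }
    return n;
}

/* Create a user namespace, then run work(). Any refusal, whatever the errno,
 * means work() is never called and a negative errno is returned. */
int run_in_userns(unshare_fn do_unshare, int (*work)(void))
{
    if (do_unshare(CLONE_NEWUSER) != 0) {
        int err = errno ? errno : EPERM;   /* save before stdio clobbers it */
        fprintf(stderr, "userns refused: %s (max_user_namespaces=%ld)\n",
                strerror(err), userns_limit());
        return -err;
    }
    return work();
}

int main(void)
{
    int rc = run_in_userns(unshare, payload);   /* the real syscall */
    printf("rc=%d, payload ran %d time(s)\n", rc, work_calls);
    return rc < 0 ? 1 : 0;
}
```

Passing `unshare` itself, as `main` does, exercises the real syscall; the stand-ins let both failure paths be checked without changing the sysctl or loading an LSM policy.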