Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp1279087rdh; Fri, 24 Nov 2023 08:48:12 -0800 (PST) X-Google-Smtp-Source: AGHT+IGkPpi7SqlVJo7AfTfzVN+szms9c4vju96dtxDBxmLaXsOG53SirbO8mXoyQmRG4JiZWdXK X-Received: by 2002:a17:902:ce88:b0:1cc:53ed:cc78 with SMTP id f8-20020a170902ce8800b001cc53edcc78mr3760202plg.15.1700844492450; Fri, 24 Nov 2023 08:48:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700844492; cv=none; d=google.com; s=arc-20160816; b=PSBJu0X9hPGA2jlP5KRIRkaticQV43S/QQY/bNfL7JJ9QVk6AHYuUPZpyRns58aJus lp2bf2COm8wbZ4hkUMmZJSDDtsacJLP3v9kad5LeyDQWOvBhACtRBzY7aRXBjEAyrdQi /jA+Ys/PcPRieqIObxqKdppG4LaO0Iy/Y99f2BCrZFBI4YKfsWuuGt8WzYCCczTnK9Ug IkXj9niT80+Dldzf0YzUyTX2Y4SggYdA3V2pWJH/q/XAhSP00UJMlNDhhOL/a15wIqFU 2AccJPtuviFJVMXHkjxfd4ri0wKf+IvIMy+O043ARLdKWSW6ozPjC6Fm1qpdlm4gnmeG sQlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=JhqFy29MSh4WVpTPbvrruQ+VCfRfxCcqEl4f929dH3w=; fh=q6XKL7ArGdKsioVJH5IlIe4bY+j84UABH+3xosQaP/E=; b=gcjOMwSOWtwcT70r+3R3x6RhFxs/3tBr+iLc/NBvdW+NE2q8GI0R/smynqEOVDEAhd 7rEduo5A3ynYqPRdDJL6OnkAI2OrKgxd/LQpATm57LgsgrWKrIIAqe/PxCQ8V6QKOHxC tG5e9gUT27eQFojgHU7qy6GDz7lffjS8+bFYxZIRCYRpYZoV3kYrWzV3WlGWcKzzsNwy +TgeGXCsp2XiMwNrn9kWSiNWf+OV7kekRbYn3oiSpxxNtzsMSkobNuYK7uCWIz2AqyTx Exx0QZF8LHR20dcoqQaPnJ8/GGiJZVy8tys45yftf4UHxF5CzKRyC/huFq6O9TzOEk+A wz9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=qzEdsyqs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id m4-20020a170902768400b001b9f55d28a2si3152009pll.205.2023.11.24.08.47.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 24 Nov 2023 08:48:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=qzEdsyqs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id C0CF680C9A70; Fri, 24 Nov 2023 08:47:51 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231173AbjKXQrg (ORCPT + 99 others); Fri, 24 Nov 2023 11:47:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39044 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229741AbjKXQre (ORCPT ); Fri, 24 Nov 2023 11:47:34 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 03819199A for ; Fri, 24 Nov 2023 08:47:41 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6E7F1C433C8; Fri, 24 Nov 2023 16:47:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1700844460; bh=BVlDq5Ewu2rdhljejSY79vNe84v5IwBc/GsApe5yU/s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=qzEdsyqs4qX/8QxQpY1uTGL4HjT8TD9PHyDFKrvVO8V4aMZWkHwQBR3R5xKe60OgY 4P/zM6kd9pWUB7TaKewQTegxNBwW64+j4X86xFW+QgfblB2uysr0eQLcZhkZXMmxKF ZFTSkkV2hCRt1Ss+sFvxK4pyYPi/dK0e83c5jUHJlnksdwN1mD0ZZ1F9zFPi5hTTk2 ka5MZP1GYaHPzjk1T4E0YsZpsc5J4ZoGa9vlDNWZVXEFiJWLyw0rp7Drsr3vlxwQtA wUhqVlnPDpoUxYfhHAqKqFTgnSv5zNhYEX6QvS3upn0WIwdVAWollBPUFNliLQR13/ zz+3aL1xxPz+Q== Date: Fri, 24 Nov 2023 17:47:32 +0100 From: Christian Brauner To: Michael =?utf-8?B?V2Vpw58=?= Cc: Alexander Mikhalitsyn , Alexei Starovoitov , Paul Moore , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Quentin Monnet , Alexander Viro , Miklos Szeredi , Amir Goldstein , "Serge E. Hallyn" , bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, gyroidos@aisec.fraunhofer.de Subject: Re: [RESEND RFC PATCH v2 00/14] device_cgroup: guard mknod for non-initial user namespace Message-ID: <20231124-filzen-bohrinsel-7ff9c7f44fe1@brauner> References: <20231025094224.72858-1-michael.weiss@aisec.fraunhofer.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20231025094224.72858-1-michael.weiss@aisec.fraunhofer.de> X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Fri, 24 Nov 2023 08:47:51 -0800 (PST) > - Integrate this as LSM (Christian, Paul) Huh, my rant made you write an LSM. I'm not sure if that's a good or bad thing... So I dislike this less than the initial version that just worked around SB_I_NODEV and this might be able to go somewhere. _But_ I want to see the rules written down: (1) current device access management I summarized the current places where that's done very very briefly in https://lore.kernel.org/all/20230815-feigling-kopfsache-56c2d31275bd@brauner * inode_permission() -> devcgroup_inode_permission() * vfs_mknod() -> devcgroup_inode_mknod() * blkdev_get_by_dev() // sget()/sget_fc(), other ways to open block devices and friends -> devcgroup_check_permission() * drivers/gpu/drm/amd/amdkfd // weird restrictions on showing gpu info afaict -> devcgroup_check_permission() but that's not enough. What we need is a summary of how device node creation and device node opening currently interact. Because it is subtle. Currently you cannot even create device nodes without capable(CAP_SYS_ADMIN) and you can't open any existing ones if you lack capable(CAP_SYS_ADMIN). Years ago we tried that insane model where we enabled userspace to create device nodes but not open them. IOW, the capability check for device node creation was lifted but the SB_I_NODEV limitation wasn't lifted. That broke the whole world and had to be reverted. (2) LSM device access management I really want to be able to see how you envision the permission checking to work in the new model. Specifically: * How do device node creation and device node opening interact. * The consequences of allowing to remove the SB_I_NODEV restriction. * Permission checking for users without and without a bpf guarded profile. If you write this down we'll add it to documentation as well or to the commit messages. It won't be lost. It doesn't have to be some really long thing. I just want to better understand what you think this is going to do and what the code does.