Received: by 2002:a05:7412:cfc7:b0:fc:a2b0:25d7 with SMTP id by7csp382929rdb; Sat, 17 Feb 2024 12:57:04 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXKocmNiPwbm3pkUWqlU2uh8eJ6VW4HsPrTR/pNZJvIKif3yjGVgef35gWh6HMnayQ1CD3HJRElRoVVQZ/VMYNl4KyFHBLzGRW4HAO9sA== X-Google-Smtp-Source: AGHT+IHTd01Ywr5eq4gXyOFMmcCY59VfCQSPmOJAAuMh6GujObrgjtL4pqb4swTyFyywHcqkU0+Y X-Received: by 2002:a05:6808:d4a:b0:3c1:4d0d:2401 with SMTP id w10-20020a0568080d4a00b003c14d0d2401mr2702516oik.42.1708203424460; Sat, 17 Feb 2024 12:57:04 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708203424; cv=pass; d=google.com; s=arc-20160816; b=zWKHoAif3zOHdMl0U1GghhrzS0yqpkHiU3Msz6GFtSp10rlLAPxxSODfvR7h8l54+k /Agw6HwQ8Y9+qSi6H8oV31uOih14PWO/OEwscIOApa61qsM1c13N2XDSff74ZxBNZ7HY tfRJL15cTGIwRl75bDkS39zQcq1VVTya8Q96gRBwN+f9enLUK+8V1bv6vVBYQniNNoj5 A2/YLJOoPLtRh7rojFOBu4VgUqwd45xmFvDZ/3JpKob9UKmkEpu2RvDODvkJqaboIdHi xpBtOqA78YjxmkIBAtLHnydS9OkE7HjWB9pXGLQpmubDkAkkL9z4j/wNHQ6d62lv6IEC a1pw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-disposition:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:message-id:subject:to:from:dkim-signature:date; bh=GYlD62MZzIuZyNCsoCfXEkfgZAjvXmKUf8f+PmRt0x0=; fh=660W+IIRNOAUuVyjxwDg5mVm7jRbKx+J0/4noJmtjnQ=; b=Q0FW6lnRoi3Q3vnrbG1ZUPV8mw6cbPvufHdEsECx5+tYq1vtBTpJj1mLWmWuhgvp3D lPVXh8NNU+ucUeYrTvLizKo7JM4OX2+Nk0glaKCydK5H5hat6YONZZ0hXqwPE75s0mRj j8xOHhawIDQSuNkDQGfs5+ZhVAfrD3RWXTawpalbvmbSEgjMtAvNyVnAxoH+J+v3xMJg TRAy3KmY09SY68+WHsfneDmdK+7xLOdbFRgo8Dy50TXBFTUeLnzgsIMZfmMxgSQgmYVN jSrFftOvmC7GbYHrcbRav0nAHiCjRvDQkEAOKORCE+0cmvoUmrbND2QD14aN4bMhRIyc SQMQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=IClDwX8P; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id k13-20020a6568cd000000b005dc41faf522si1868309pgt.790.2024.02.17.12.57.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 17 Feb 2024 12:57:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=IClDwX8P; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 96F4AB221F1 for ; Sat, 17 Feb 2024 20:56:58 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 835327FBDA; Sat, 17 Feb 2024 20:56:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="IClDwX8P" Received: from out-186.mta0.migadu.com (out-186.mta0.migadu.com [91.218.175.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9D427436A6 for ; Sat, 17 Feb 2024 20:56:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.186 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708203407; cv=none; b=puw3ggt2kAE3FP8iPvBvX3H0rnxBeQ7i5Kp0TuJymWUzakoif0X9io5MSPyakpa4ceoswLXiK1qEC9EgnGi0un5jKKtv0BHMJyfxpTeR6vZSFWGkNeCxJJkxknAg2dqar8teZeY5QS3NhtKD73OLh7BWj1SpxXrH8M+NJt0HsQc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708203407; c=relaxed/simple; bh=sLnpjWXtHn126dH9KY5lksXlS3Xddlz8ALRfxjqvHNU=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=uc0THMdByLH3T+aoig8/At2kfzaxwNIxegg1yyRa6akRioOfvC2KuBFMtH0pXz9m8rJoJQ1mIOB3iicfo7eopbeF8s/ioH8/wGvdkgoJSNm28UuAS9Nq4KeS2cJel1xsYliTncrNYaEJiTFxU+Ov0QvHEcoU8HbVAkFDa7dox9o= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=IClDwX8P; arc=none smtp.client-ip=91.218.175.186 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Date: Sat, 17 Feb 2024 15:56:40 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1708203403; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=GYlD62MZzIuZyNCsoCfXEkfgZAjvXmKUf8f+PmRt0x0=; b=IClDwX8PwFz8TqHo/Dc040UtCcGSrFLKn3Y3H7StwbQPuPCUyXm0RVGdsqj1W6W+jlSh1e ++XfSHkoKXHoj267dMZVhVJS3MeldXBnR0lT6SvHT4HJj8GkYOVIGUHfQdHOZhlIZmDr0u 75US7yEmqDJWL9XjUiEzpXT475cpyc8= X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Kent Overstreet To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, lsf-pc@lists.linux-foundation.org Subject: [LSF TOPIC] beyond uidmapping, & towards a better security model Message-ID: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Migadu-Flow: FLOW_OUT AKA - integer identifiers considered harmful Any time you've got a namespace that's just integers, if you ever end up needing to subdivide it you're going to have a bad time. This comes up all over the place - for another example, consider ioctl numbering, where keeping them organized and collision free is a major headache. For UIDs, we need to be able to subdivide the UID namespace for e.g. containers and mounting filesystems as an unprivileged user - but since we just have an integer identifier, this requires complicated remapping and updating and maintaining a global table. Subdividing a UID to create new permissions domains should be a cheap, easy operation, and it's not. The solution (originally from plan9, of course) is - UIDs shouldn't be numbers, they should be strings; and additionally, the strings should be paths. Then, if 'alice' is a user, 'alice.foo' and 'alice.bar' would be subusers, created by alice without any privileged operations or mucking with outside system state, and 'alice' would be superuser w.r.t. 'alice.foo' and 'alice.bar'. What's this get us? Much better, easier to use sandboxing - and maybe we can kill off a _whole_ lot of other stuff, too. Apparmour and selinux are fundamentally just about sandboxing programs so they can't own everything owned by the user they're run by. But if we have an easy way to say "exec this program as a subuser of the current user..." Then we can control what that program can access with just our existing UNIX permission and acls. This would be a pretty radical change, and there's a number of things to explore - lots of brainstorming to do. - How can we do this without breaking absolutely everything? Obviously, any syscalls that communicate in terms of UIDs and GIDs are a problem; can we come up with a compat layer so that most stuff more or less still works? - How can we do this a way that's the most orthogonal, that gets us the most bang for our buck? How can we kill off as much security model stupidity as possible? How can we make sandboxing _dead easy_ for new applications? Cheers, Kent