Received: by 2002:a05:7412:cfc7:b0:fc:a2b0:25d7 with SMTP id by7csp382929rdb;
        Sat, 17 Feb 2024 12:57:04 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCXKocmNiPwbm3pkUWqlU2uh8eJ6VW4HsPrTR/pNZJvIKif3yjGVgef35gWh6HMnayQ1CD3HJRElRoVVQZ/VMYNl4KyFHBLzGRW4HAO9sA==
X-Google-Smtp-Source: AGHT+IHTd01Ywr5eq4gXyOFMmcCY59VfCQSPmOJAAuMh6GujObrgjtL4pqb4swTyFyywHcqkU0+Y
X-Received: by 2002:a05:6808:d4a:b0:3c1:4d0d:2401 with SMTP id w10-20020a0568080d4a00b003c14d0d2401mr2702516oik.42.1708203424460;
        Sat, 17 Feb 2024 12:57:04 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708203424; cv=pass;
        d=google.com; s=arc-20160816;
        b=zWKHoAif3zOHdMl0U1GghhrzS0yqpkHiU3Msz6GFtSp10rlLAPxxSODfvR7h8l54+k
         /Agw6HwQ8Y9+qSi6H8oV31uOih14PWO/OEwscIOApa61qsM1c13N2XDSff74ZxBNZ7HY
         tfRJL15cTGIwRl75bDkS39zQcq1VVTya8Q96gRBwN+f9enLUK+8V1bv6vVBYQniNNoj5
         A2/YLJOoPLtRh7rojFOBu4VgUqwd45xmFvDZ/3JpKob9UKmkEpu2RvDODvkJqaboIdHi
         xpBtOqA78YjxmkIBAtLHnydS9OkE7HjWB9pXGLQpmubDkAkkL9z4j/wNHQ6d62lv6IEC
         a1pw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-disposition:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:message-id:subject:to:from:dkim-signature:date;
        bh=GYlD62MZzIuZyNCsoCfXEkfgZAjvXmKUf8f+PmRt0x0=;
        fh=660W+IIRNOAUuVyjxwDg5mVm7jRbKx+J0/4noJmtjnQ=;
        b=Q0FW6lnRoi3Q3vnrbG1ZUPV8mw6cbPvufHdEsECx5+tYq1vtBTpJj1mLWmWuhgvp3D
         lPVXh8NNU+ucUeYrTvLizKo7JM4OX2+Nk0glaKCydK5H5hat6YONZZ0hXqwPE75s0mRj
         j8xOHhawIDQSuNkDQGfs5+ZhVAfrD3RWXTawpalbvmbSEgjMtAvNyVnAxoH+J+v3xMJg
         TRAy3KmY09SY68+WHsfneDmdK+7xLOdbFRgo8Dy50TXBFTUeLnzgsIMZfmMxgSQgmYVN
         jSrFftOvmC7GbYHrcbRav0nAHiCjRvDQkEAOKORCE+0cmvoUmrbND2QD14aN4bMhRIyc
         SQMQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=IClDwX8P;
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Return-Path: <linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id k13-20020a6568cd000000b005dc41faf522si1868309pgt.790.2024.02.17.12.57.03
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 17 Feb 2024 12:57:04 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=IClDwX8P;
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-70081-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 96F4AB221F1
	for <linux.lists.archive@gmail.com>; Sat, 17 Feb 2024 20:56:58 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 835327FBDA;
	Sat, 17 Feb 2024 20:56:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="IClDwX8P"
Received: from out-186.mta0.migadu.com (out-186.mta0.migadu.com [91.218.175.186])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9D427436A6
	for <linux-kernel@vger.kernel.org>; Sat, 17 Feb 2024 20:56:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.186
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1708203407; cv=none; b=puw3ggt2kAE3FP8iPvBvX3H0rnxBeQ7i5Kp0TuJymWUzakoif0X9io5MSPyakpa4ceoswLXiK1qEC9EgnGi0un5jKKtv0BHMJyfxpTeR6vZSFWGkNeCxJJkxknAg2dqar8teZeY5QS3NhtKD73OLh7BWj1SpxXrH8M+NJt0HsQc=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1708203407; c=relaxed/simple;
	bh=sLnpjWXtHn126dH9KY5lksXlS3Xddlz8ALRfxjqvHNU=;
	h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition; b=uc0THMdByLH3T+aoig8/At2kfzaxwNIxegg1yyRa6akRioOfvC2KuBFMtH0pXz9m8rJoJQ1mIOB3iicfo7eopbeF8s/ioH8/wGvdkgoJSNm28UuAS9Nq4KeS2cJel1xsYliTncrNYaEJiTFxU+Ov0QvHEcoU8HbVAkFDa7dox9o=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=IClDwX8P; arc=none smtp.client-ip=91.218.175.186
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev
Date: Sat, 17 Feb 2024 15:56:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1708203403;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type;
	bh=GYlD62MZzIuZyNCsoCfXEkfgZAjvXmKUf8f+PmRt0x0=;
	b=IClDwX8PwFz8TqHo/Dc040UtCcGSrFLKn3Y3H7StwbQPuPCUyXm0RVGdsqj1W6W+jlSh1e
	++XfSHkoKXHoj267dMZVhVJS3MeldXBnR0lT6SvHT4HJj8GkYOVIGUHfQdHOZhlIZmDr0u
	75US7yEmqDJWL9XjUiEzpXT475cpyc8=
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: Kent Overstreet <kent.overstreet@linux.dev>
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, 
	lsf-pc@lists.linux-foundation.org
Subject: [LSF TOPIC] beyond uidmapping, & towards a better security model
Message-ID: <tixdzlcmitz2kvyamswcpnydeypunkify5aifsmfihpecvat7d@pmgcepiilpi6>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Migadu-Flow: FLOW_OUT

AKA - integer identifiers considered harmful

Any time you've got a namespace that's just integers, if you ever end up
needing to subdivide it you're going to have a bad time.

This comes up all over the place - for another example, consider ioctl
numbering, where keeping them organized and collision free is a major
headache.

For UIDs, we need to be able to subdivide the UID namespace for e.g.
containers and mounting filesystems as an unprivileged user - but since
we just have an integer identifier, this requires complicated remapping
and updating and maintaining a global table.

Subdividing a UID to create new permissions domains should be a cheap,
easy operation, and it's not.

The solution (originally from plan9, of course) is - UIDs shouldn't be
numbers, they should be strings; and additionally, the strings should be
paths.

Then, if 'alice' is a user, 'alice.foo' and 'alice.bar' would be
subusers, created by alice without any privileged operations or mucking
with outside system state, and 'alice' would be superuser w.r.t.
'alice.foo' and 'alice.bar'.

What's this get us?

Much better, easier to use sandboxing - and maybe we can kill off a
_whole_ lot of other stuff, too.

Apparmour and selinux are fundamentally just about sandboxing programs
so they can't own everything owned by the user they're run by.

But if we have an easy way to say "exec this program as a subuser of the
current user..."

Then we can control what that program can access with just our existing
UNIX permission and acls.

This would be a pretty radical change, and there's a number of things to
explore - lots of brainstorming to do.

 - How can we do this without breaking absolutely everything? Obviously,
   any syscalls that communicate in terms of UIDs and GIDs are a
   problem; can we come up with a compat layer so that most stuff more
   or less still works?

 - How can we do this a way that's the most orthogonal, that gets us the
   most bang for our buck? How can we kill off as much security model
   stupidity as possible? How can we make sandboxing _dead easy_ for new
   applications?

Cheers,
Kent