Received: by 2002:ab2:69cc:0:b0:1fd:c486:4f03 with SMTP id n12csp251121lqp; Tue, 11 Jun 2024 03:33:11 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXkLi9ybtd09klDAGNk+WuoCsXxH6z9TQNSHTDl9T45QRt6Kh8VGmIz8CVhvkTtE6NRgwjOzvdE3QL5xNsACWwle0XSYUCEf/aOcQ4jtQ== X-Google-Smtp-Source: AGHT+IHl/OEL4g5O7b+BAe7QT9NikH6WUPjZrxiEbdLq8GXx2QKT1lJTlrZdsXtyYdZRZtdDoTxN X-Received: by 2002:a05:6a20:914e:b0:1b6:dd1e:da51 with SMTP id adf61e73a8af0-1b86bd9b855mr3253163637.21.1718101990895; Tue, 11 Jun 2024 03:33:10 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1718101990; cv=pass; d=google.com; s=arc-20160816; b=WQvoSQkhODvwxxMoAEnKZv0uxP+KrcLe7mEihQxXSdGJRqr5YB55iFvNlJspXXd/46 +WziN08KBYPQHAheYZTNQzDzctFbTd3ANvdAySGeN38Nd67HMd+pYRD5W7YLvUZpTYhc MmgN/6LYGNWPeAkZntfQ4ljx4VGJ/2mWGxB0z/Yyqm/weQ1jK2wAk63HsPjkAOK9xB5i X4He/sMwYQqBPNaegHLHTnKGH0hPWrq83PkDGFb5z0ej5+PQdJah/3fV6L0b700j7qE7 4QUxVUNxmm1K/FuVNRXM2Xj/hC8MFrfwoK/rEFEPCR56oMvI+oVNlg1Ft0ZTfNMzb2P9 djwg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:organization:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:date:message-id :dkim-signature; bh=FuWU3S8T9H1PCw3M7cNRUYssP1wgq9lP4eO/D5Buewg=; fh=lipmZB4QEFS+YenWKWwznwpBRK39AsmJIEUy2gv4tAU=; b=ShdajsWAK+pR2TmfNdlHPFE4h1lj1vSBn6FXPfT5c0AJYHSk16lBftgI7IjHI8RFsK JqCvCzbUwxbGZCESv3nbnCoB5Uil1nCuy55gOR70UmCOyYXmw74e+FqXsMvvnvYPIwDX pFAHYR5GX7Gpe2h2lQaGTQ/kIQrlLBMI0tf7xAoPvlczjQOD9Wg7mwdTjUZv0xDxd1t7 Gc0jbe6g1zPsOkY747DbRCdI5qDkWILMTf7+m7Kt//7exVxmF4Tx9n6UbvVjsj9v2rlA C+pzZD69rVIRwEX0mdNWKLRuUvWHCZ8tijmnJvNLCprW8JaVoSC7I14VKhR9K3x6G52x 27aw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=Ibbu4awM; arc=pass (i=1 spf=pass spfdomain=canonical.com dkim=pass dkdomain=canonical.com dmarc=pass fromdomain=canonical.com); spf=pass (google.com: domain of linux-kernel+bounces-209647-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-209647-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id 41be03b00d2f7-6de28f26dccsi6342078a12.648.2024.06.11.03.33.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 03:33:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-209647-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=Ibbu4awM; arc=pass (i=1 spf=pass spfdomain=canonical.com dkim=pass dkdomain=canonical.com dmarc=pass fromdomain=canonical.com); spf=pass (google.com: domain of linux-kernel+bounces-209647-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-209647-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 24FF8286CF3 for ; Tue, 11 Jun 2024 10:32:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4037F17967F; Tue, 11 Jun 2024 10:32:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=canonical.com header.i=@canonical.com header.b="Ibbu4awM" Received: from smtp-relay-canonical-0.canonical.com (smtp-relay-canonical-0.canonical.com [185.125.188.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 09F3E7407C; Tue, 11 Jun 2024 10:32:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.188.120 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718101938; cv=none; b=CGdtOFj7ipHb0EFIssIsVAUpnqcOToja/tJiFCXSIaCiPwikzSCjNIHICte0honB33BnwXfuIhJFjHgyASo+JUiy23OWS2RkJPUyyfXJHhpcrt7q81Prp43qWddfdqpEM//yySWpkQ0FQVXZdKmX0HIxZ+EW/x+PaXhF643WBLo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718101938; c=relaxed/simple; bh=4gUX2Nkdvr4uMueRlF1MAsWgrpQGIDfwlHWqe7a4zYA=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=G1i9/KOYFxO0smRMIO4hWi/sRQi/NC/8WI1QGIQLBm/TIwu2nqG/9MD/24y6mal8B0Ttpc9WkT+ahc19L+uDTbW0OYh4svfGU+RiwCV+aRe7/bxsSBh3PApyLsB+MYKEzVdD66/fR8KcYCDZUdCJFwiWqz/aWTnY4x2xn6S/RkU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=canonical.com; spf=pass smtp.mailfrom=canonical.com; dkim=pass (2048-bit key) header.d=canonical.com header.i=@canonical.com header.b=Ibbu4awM; arc=none smtp.client-ip=185.125.188.120 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=canonical.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=canonical.com Received: from [192.168.192.83] (unknown [50.39.103.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 8D74940EA5; Tue, 11 Jun 2024 10:32:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1718101929; bh=FuWU3S8T9H1PCw3M7cNRUYssP1wgq9lP4eO/D5Buewg=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=Ibbu4awMvEK8bDBSzFvSHo4KysoyHDSyJogL3aDOGrmK/MndkQdB/FuBdhc8tuDnC 3wctX7vJraevcHXU3Wd7UK85ESPsj32CzAkVctpUHFdvUoJ2gDRozSTgudiZ/zrCC6 omsvQWGMY7VyU8Lc/xnGO/sEABQpOjRn4c04bIPSNLHPGLkN0ivNFTFpWFMKvlJrdL 17HDFJWIoMRdpBMpMAR2hfROvTtRSH8HnVdSc1p37+UOWn7rD5z3kob4LbBtQOzs+5 GMm+Ek3VTPPblZHYvGOtdt2oqGZ6m6XpTEqOjtbdVrqU3NYcw9O5Zk9CW03FQG3mEq KVatTldgzoVNA== Message-ID: <887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com> Date: Tue, 11 Jun 2024 03:31:59 -0700 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks To: Jonathan Calmels , Paul Moore Cc: brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet , James Morris , "Serge E. Hallyn" , KP Singh , Matt Bobrowski , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , Stanislav Fomichev , Hao Luo , Jiri Olsa , Luis Chamberlain , Kees Cook , Joel Granados , David Howells , Jarkko Sakkinen , Stephen Smalley , Ondrej Mosnacek , Mykola Lysenko , Shuah Khan , containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org References: <20240609104355.442002-1-jcalmels@3xx0.net> <20240609104355.442002-5-jcalmels@3xx0.net> Content-Language: en-US From: John Johansen Autocrypt: addr=john.johansen@canonical.com; keydata= xsFNBE5mrPoBEADAk19PsgVgBKkImmR2isPQ6o7KJhTTKjJdwVbkWSnNn+o6Up5knKP1f49E BQlceWg1yp/NwbR8ad+eSEO/uma/K+PqWvBptKC9SWD97FG4uB4/caomLEU97sLQMtnvGWdx rxVRGM4anzWYMgzz5TZmIiVTZ43Ou5VpaS1Vz1ZSxP3h/xKNZr/TcW5WQai8u3PWVnbkjhSZ PHv1BghN69qxEPomrJBm1gmtx3ZiVmFXluwTmTgJOkpFol7nbJ0ilnYHrA7SX3CtR1upeUpM a/WIanVO96WdTjHHIa43fbhmQube4txS3FcQLOJVqQsx6lE9B7qAppm9hQ10qPWwdfPy/+0W 6AWtNu5ASiGVCInWzl2HBqYd/Zll93zUq+NIoCn8sDAM9iH+wtaGDcJywIGIn+edKNtK72AM gChTg/j1ZoWH6ZeWPjuUfubVzZto1FMoGJ/SF4MmdQG1iQNtf4sFZbEgXuy9cGi2bomF0zvy BJSANpxlKNBDYKzN6Kz09HUAkjlFMNgomL/cjqgABtAx59L+dVIZfaF281pIcUZzwvh5+JoG eOW5uBSMbE7L38nszooykIJ5XrAchkJxNfz7k+FnQeKEkNzEd2LWc3QF4BQZYRT6PHHga3Rg ykW5+1wTMqJILdmtaPbXrF3FvnV0LRPcv4xKx7B3fGm7ygdoowARAQABzStKb2huIEpvaGFu c2VuIDxqb2huLmpvaGFuc2VuQGNhbm9uaWNhbC5jb20+wsF3BBMBCgAhBQJOjRdaAhsDBQsJ CAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEAUvNnAY1cPYi0wP/2PJtzzt0zi4AeTrI0w3Rj8E Waa1NZWw4GGo6ehviLfwGsM7YLWFAI8JB7gsuzX/im16i9C3wHYXKs9WPCDuNlMc0rvivqUI JXHHfK7UHtT0+jhVORyyVVvX+qZa7HxdZw3jK+ROqUv4bGnImf31ll99clzo6HpOY59soa8y 66/lqtIgDckcUt/1ou9m0DWKwlSvulL1qmD25NQZSnvB9XRZPpPd4bea1RTa6nklXjznQvTm MdLq5aJ79j7J8k5uLKvE3/pmpbkaieEsGr+azNxXm8FPcENV7dG8Xpd0z06E+fX5jzXHnj69 DXXc3yIvAXsYZrXhnIhUA1kPQjQeNG9raT9GohFPMrK48fmmSVwodU8QUyY7MxP4U6jE2O9L 7v7AbYowNgSYc+vU8kFlJl4fMrX219qU8ymkXGL6zJgtqA3SYHskdDBjtytS44OHJyrrRhXP W1oTKC7di/bb8jUQIYe8ocbrBz3SjjcL96UcQJecSHu0qmUNykgL44KYzEoeFHjr5dxm+DDg OBvtxrzd5BHcIbz0u9ClbYssoQQEOPuFmGQtuSQ9FmbfDwljjhrDxW2DFZ2dIQwIvEsg42Hq 5nv/8NhW1whowliR5tpm0Z0KnQiBRlvbj9V29kJhs7rYeT/dWjWdfAdQSzfoP+/VtPRFkWLr 0uCwJw5zHiBgzsFNBE5mrPoBEACirDqSQGFbIzV++BqYBWN5nqcoR+dFZuQL3gvUSwku6ndZ vZfQAE04dKRtIPikC4La0oX8QYG3kI/tB1UpEZxDMB3pvZzUh3L1EvDrDiCL6ef93U+bWSRi GRKLnNZoiDSblFBST4SXzOR/m1wT/U3Rnk4rYmGPAW7ltfRrSXhwUZZVARyJUwMpG3EyMS2T dLEVqWbpl1DamnbzbZyWerjNn2Za7V3bBrGLP5vkhrjB4NhrufjVRFwERRskCCeJwmQm0JPD IjEhbYqdXI6uO+RDMgG9o/QV0/a+9mg8x2UIjM6UiQ8uDETQha55Nd4EmE2zTWlvxsuqZMgy W7gu8EQsD+96JqOPmzzLnjYf9oex8F/gxBSEfE78FlXuHTopJR8hpjs6ACAq4Y0HdSJohRLn 5r2CcQ5AsPEpHL9rtDW/1L42/H7uPyIfeORAmHFPpkGFkZHHSCQfdP4XSc0Obk1olSxqzCAm uoVmRQZ3YyubWqcrBeIC3xIhwQ12rfdHQoopELzReDCPwmffS9ctIb407UYfRQxwDEzDL+m+ TotTkkaNlHvcnlQtWEfgwtsOCAPeY9qIbz5+i1OslQ+qqGD2HJQQ+lgbuyq3vhefv34IRlyM sfPKXq8AUTZbSTGUu1C1RlQc7fpp8W/yoak7dmo++MFS5q1cXq29RALB/cfpcwARAQABwsFf BBgBCgAJBQJOZqz6AhsMAAoJEAUvNnAY1cPYP9cP/R10z/hqLVv5OXWPOcpqNfeQb4x4Rh4j h/jS9yjes4uudEYU5xvLJ9UXr0wp6mJ7g7CgjWNxNTQAN5ydtacM0emvRJzPEEyujduesuGy a+O6dNgi+ywFm0HhpUmO4sgs9SWeEWprt9tWrRlCNuJX+u3aMEQ12b2lslnoaOelghwBs8IJ r998vj9JBFJgdeiEaKJLjLmMFOYrmW197As7DTZ+R7Ef4gkWusYFcNKDqfZKDGef740Xfh9d yb2mJrDeYqwgKb7SF02Hhp8ZnohZXw8ba16ihUOnh1iKH77Ff9dLzMEJzU73DifOU/aArOWp JZuGJamJ9EkEVrha0B4lN1dh3fuP8EjhFZaGfLDtoA80aPffK0Yc1R/pGjb+O2Pi0XXL9AVe qMkb/AaOl21F9u1SOosciy98800mr/3nynvid0AKJ2VZIfOP46nboqlsWebA07SmyJSyeG8c XA87+8BuXdGxHn7RGj6G+zZwSZC6/2v9sOUJ+nOna3dwr6uHFSqKw7HwNl/PUGeRqgJEVu++ +T7sv9+iY+e0Y+SolyJgTxMYeRnDWE6S77g6gzYYHmcQOWP7ZMX+MtD4SKlf0+Q8li/F9GUL p0rw8op9f0p1+YAhyAd+dXWNKf7zIfZ2ME+0qKpbQnr1oizLHuJX/Telo8KMmHter28DPJ03 lT9Q Organization: Canonical In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 6/11/24 01:09, Jonathan Calmels wrote: > On Sun, Jun 09, 2024 at 08:18:48PM GMT, Paul Moore wrote: >> On Sun, Jun 9, 2024 at 6:40 AM Jonathan Calmels wrote: >>> >>> This patch allows modifying the various capabilities of the struct cred >>> in BPF-LSM hooks. More specifically, the userns_create hook called >>> prior to creating a new user namespace. >>> >>> With the introduction of userns capabilities, this effectively provides >>> a simple way for LSMs to control the capabilities granted to a user >>> namespace and all its descendants. >>> >>> Update the selftests accordingly by dropping CAP_SYS_ADMIN in >>> namespaces and checking the resulting task's bounding set. >>> >>> Signed-off-by: Jonathan Calmels >>> --- >>> include/linux/lsm_hook_defs.h | 2 +- >>> include/linux/security.h | 4 +- >>> kernel/bpf/bpf_lsm.c | 55 +++++++++++++++++++ >>> security/apparmor/lsm.c | 2 +- >>> security/security.c | 6 +- >>> security/selinux/hooks.c | 2 +- >>> .../selftests/bpf/prog_tests/deny_namespace.c | 12 ++-- >>> .../selftests/bpf/progs/test_deny_namespace.c | 7 ++- >>> 8 files changed, 76 insertions(+), 14 deletions(-) >> >> I'm not sure we want to go down the path of a LSM modifying the POSIX >> capabilities of a task, other than the capabilities/commoncap LSM. It >> sets a bad precedent and could further complicate issues around LSM >> ordering. > > Well unless I'm misunderstanding, this does allow modifying the > capabilities/commoncap LSM through BTF. The reason for allowing > `userns_create` to be modified is that it is functionally very similar > to `cred_prepare` in that it operates with new creds (but specific to > user namespaces because of reasons detailed in [1]). > yes > There were some concerns in previous threads that the userns caps by > themselves wouldn't be granular enough, hence the LSM integration. > Ubuntu for example, currently has to resort to a hardcoded profile > transition to achieve this [2]. > The hard coded profile transition, is because the more generic solution as part of policy just wasn't ready. The hard coding will go away before it is upstreamed. But yes, updating the cred really is necessary for the flexibility needed whether it is modifying the POSIX capabilities of the task or the LSM modifying its own security blob. I do share some of Paul's concerns about the LSM modifying the POSIX capabilities of the task, but also thing the LSM here needs to be able to modify its own blob. I have a very similar patch I was planning on posting once the work to fix the hard coded profile transition is done. > [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7cd4c5c2101cb092db00f61f69d24380cf7a0ee8 > [2] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=43a6c29532f517179fea8c94949d657d71f4fc13