Received: by 2002:ab2:69cc:0:b0:1fd:c486:4f03 with SMTP id n12csp552024lqp; Tue, 11 Jun 2024 12:01:34 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWcDzufGX6JFCTsl0ds4EC8jqN30ufPt3B+ZbXomIPCZsxWctKrCFJVQuw25XsYzJcv5ti41mK2EqAUUJy+Wnpe9O6hOHim6SkRY9wRcA== X-Google-Smtp-Source: AGHT+IGb0bg8cdlJvwxQ9uvx13YhZ3h6cVDV5QhTzME5tqkkehPc3ZB9qOkU7xbPn5tH1OOY6yXT X-Received: by 2002:a17:90b:46d8:b0:2c2:c79f:944 with SMTP id 98e67ed59e1d1-2c2c79f0fa7mr12069130a91.14.1718132494592; Tue, 11 Jun 2024 12:01:34 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1718132494; cv=pass; d=google.com; s=arc-20160816; b=CDXENMvyUiZQCXlx+MInXWWaTbYrCWbdYfI7/SY3bxxkj43b1h86O9HxZbGonzV8XB TvvdyzqzjSWPFRbwyYyOdnxZydRfSsvEZxsoT3YDlLR5riUYuCec0dfOR7kMZN2gCokY 086WXyRT3AQr/tmCn0glucxOhafW5mXPQUXPio+X/vF1xGEd3yseiPrOyyP2f1ismaw/ J2tvSIEAIck+ZQSXpunLDby0C5nn9Q7cmkRNjfvbE3x2v3nogmAnMhmMkSdA/1E1ubqZ ogz/cLR+Bn0YNaIJcrAzFpHoYIsdLkaedjBmkOMc3bFTbqIcKRSK/tcSjRkg40IdVRN+ b8Gg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=EIQEfhtUbJ7wSRBw/Z3zFV6dBPlc3fX2vRxj6Dj2nXo=; fh=dsIkVkLu0zMTt2BoMkbjX5YA6zCuXA3xevAArzekYuI=; b=jvH8+WDaJk6LYXIIVBJ9IT6T8Dlrg/hHtdpkCJ9NoIF0Lpt7v2FQIXLs3DP/I1wigu QWGMzP4Nmc1TEY4qMdl8BRbLCzQDnscxfuaYU9m6DJCWFCT49GuAcZ+ErOIb72AtGZgD GJLAh31MkDBYlhhnoElsVEIyfcntQtWYpa40BnxS7pTXCgC+dhuUwkFxfflBGd8MIu3O uNPzepGiLwtxWjX/14/EBCFaLlSQSS1Ex1wFd7KMxOSOpbHJdG5oJJdy9UlpjFg/GKHK nksAicuCz3lGPch4Qz5Np0P24t5XHu+U3NjXdDol61DnmlDfDalfH+CJedbDOisL7LzS PjOQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=T6AVwgxv; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-210480-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-210480-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id 98e67ed59e1d1-2c2bd04ad60si7256423a91.23.2024.06.11.12.01.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 12:01:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-210480-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=T6AVwgxv; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-210480-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-210480-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id E4DED284D71 for ; Tue, 11 Jun 2024 19:01:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0F3649475; Tue, 11 Jun 2024 19:01:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="T6AVwgxv" Received: from mail-vs1-f48.google.com (mail-vs1-f48.google.com [209.85.217.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 08B3D770FF for ; Tue, 11 Jun 2024 19:01:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.217.48 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718132476; cv=none; b=SfF0Ek5QeDFjiQDHfriiaF1owZMIwwjxxRtxGsBQgeRYcgzQHE9urMw/Qlq1HexhsMiavk0f63nOd+vPRsuNsLADlhpJOScpVn0nUL8mDiuWLYfjlD2bc+i0Gf4creL0Z8kt/diWqtjwIcWB7kVAr8PN+bzwPEOEvsyFwtG8zME= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718132476; c=relaxed/simple; bh=ENJyu2q1TCIG7X86Dkn/kBr09c7RlEUlrRfjGN+h+lU=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=WH6ugroq2DK6hjfWFESxLkKiqg1XssU/wOAdHS1nqh07R5wkvwK/A2IhBf4GIagXzZ7PnURX8IV8ka3HWdRserBHozwx4XHICYv/oeczp2UK2Esn6nvYcOYJvgnb1ux1BPLtCbwutwfC5Ar4RDf9zftw0C4mCauxzoSlNH3b8UM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=T6AVwgxv; arc=none smtp.client-ip=209.85.217.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Received: by mail-vs1-f48.google.com with SMTP id ada2fe7eead31-48c482acdb0so786905137.3 for ; Tue, 11 Jun 2024 12:01:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1718132473; x=1718737273; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=EIQEfhtUbJ7wSRBw/Z3zFV6dBPlc3fX2vRxj6Dj2nXo=; b=T6AVwgxvMWbNKACXjYTAV6vrBVRPd2vr4NSw1Q31b0LWOBTTkhObRxI5jHVPc1u1sN S98//NKrQsFF2Qug1uSohZWo3TCbSvdBM3kWjQW0Ww+qIKdf6apXELbXumyY+JKPC3OH EqT1WQ+9ZMW+i0eqwzIHoCX0exbf3Q95HOsVnm2ZI/UNEjFM+jY4vppiqJwdgNcEqCz6 kHqdL0pdKFHs1UVF0EFSsh6H4hrMedBzevW9zwIszoigNqklahEtbEAo4NYwUiCg1hTD 30zcCbPMDT4yHCirXoFfJBmbsLwxlg7/t13hKuiaC66Uifr7P61e/DxkpxXENJ1Nncfb mlZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718132473; x=1718737273; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EIQEfhtUbJ7wSRBw/Z3zFV6dBPlc3fX2vRxj6Dj2nXo=; b=UFuYVoSxpsmOiSAh8GDW6lxzu5yHA2kpltqKHoSiZbc0JT+ZdOnmkU1kJI57CQtcEX pAKW9W5nPTJ/GQp/n5YPymAISKI7OxPazvUmz6AYC60dsjdyF+jIyzW3LPXuH8zwHfXu IZ9gBUYfmlljVoFyDD89qBCSqUD4rILMenMwmJAGoQrRdmh6zm7a/GecE0F7GfUjB1LQ AVYXOJHWM+XYSSTo/62C3HWizbrOfOXfO8ScaYcBPrJeCKb4aX5fVhpIaMd/3RO6h/Gc bXTJXKvw9QWhSmY9+fYSfHIDx3E0Pk9oBWSTzrlDkj5DxmQZrT/tcjJu3/tZIkVKEh1B 2DyA== X-Forwarded-Encrypted: i=1; AJvYcCWu6beNHcM86ULDWh7DY2zBjjLdROtibPEOQmcfes9yIxt/ajei4G5wT81/9O61PqPwwr4TQFWwr7irq0Rari3CrxGapmMn3JVax00H X-Gm-Message-State: AOJu0Yy5qxNZAHYfddmXMM01m3jb1p2wHxeuV6oXYkeH1kc0F4ptOlZZ /APHDkiS6xQNk3lRoQfReNKSlfIgMuqaqjWkQmD4XsRJxM9Z343k/d+4zusVUtOiH4DHaJiUzcm 5UChchDVn+zRrXNAtzQovTi/rULq/5wXoAnzn X-Received: by 2002:a05:6102:2162:b0:48c:5349:b19a with SMTP id ada2fe7eead31-48c5349b531mr6044494137.15.1718132472414; Tue, 11 Jun 2024 12:01:12 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240609104355.442002-1-jcalmels@3xx0.net> <20240609104355.442002-5-jcalmels@3xx0.net> <887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com> In-Reply-To: <887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com> From: Paul Moore Date: Tue, 11 Jun 2024 15:01:01 -0400 Message-ID: Subject: Re: [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks To: John Johansen , Jonathan Calmels Cc: brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet , James Morris , "Serge E. Hallyn" , KP Singh , Matt Bobrowski , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , Stanislav Fomichev , Hao Luo , Jiri Olsa , Luis Chamberlain , Kees Cook , Joel Granados , David Howells , Jarkko Sakkinen , Stephen Smalley , Ondrej Mosnacek , Mykola Lysenko , Shuah Khan , containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Jun 11, 2024 at 6:32=E2=80=AFAM John Johansen wrote: > > On 6/11/24 01:09, Jonathan Calmels wrote: > > On Sun, Jun 09, 2024 at 08:18:48PM GMT, Paul Moore wrote: > >> On Sun, Jun 9, 2024 at 6:40=E2=80=AFAM Jonathan Calmels wrote: > >>> > >>> This patch allows modifying the various capabilities of the struct cr= ed > >>> in BPF-LSM hooks. More specifically, the userns_create hook called > >>> prior to creating a new user namespace. > >>> > >>> With the introduction of userns capabilities, this effectively provid= es > >>> a simple way for LSMs to control the capabilities granted to a user > >>> namespace and all its descendants. > >>> > >>> Update the selftests accordingly by dropping CAP_SYS_ADMIN in > >>> namespaces and checking the resulting task's bounding set. > >>> > >>> Signed-off-by: Jonathan Calmels > >>> --- > >>> include/linux/lsm_hook_defs.h | 2 +- > >>> include/linux/security.h | 4 +- > >>> kernel/bpf/bpf_lsm.c | 55 ++++++++++++++++= +++ > >>> security/apparmor/lsm.c | 2 +- > >>> security/security.c | 6 +- > >>> security/selinux/hooks.c | 2 +- > >>> .../selftests/bpf/prog_tests/deny_namespace.c | 12 ++-- > >>> .../selftests/bpf/progs/test_deny_namespace.c | 7 ++- > >>> 8 files changed, 76 insertions(+), 14 deletions(-) > >> > >> I'm not sure we want to go down the path of a LSM modifying the POSIX > >> capabilities of a task, other than the capabilities/commoncap LSM. It > >> sets a bad precedent and could further complicate issues around LSM > >> ordering. > > > > Well unless I'm misunderstanding, this does allow modifying the > > capabilities/commoncap LSM through BTF. The reason for allowing > > `userns_create` to be modified is that it is functionally very similar > > to `cred_prepare` in that it operates with new creds (but specific to > > user namespaces because of reasons detailed in [1]). > > yes > > > There were some concerns in previous threads that the userns caps by > > themselves wouldn't be granular enough, hence the LSM integration. > > > Ubuntu for example, currently has to resort to a hardcoded profile > > transition to achieve this [2]. > > > > The hard coded profile transition, is because the more generic solution > as part of policy just wasn't ready. The hard coding will go away before > it is upstreamed. > > But yes, updating the cred really is necessary for the flexibility needed > whether it is modifying the POSIX capabilities of the task or the LSM > modifying its own security blob. > > I do share some of Paul's concerns about the LSM modifying the POSIX > capabilities of the task, but also thing the LSM here needs to be > able to modify its own blob. To be clear, this isn't about a generic LSM needing to update its own blob (LSM state), it is about the BPF LSM updating the capability sets. While we obviously must support a LSM updating its own state, I'm currently of the opinion that allowing one LSM to update the state of another LSM is only going to lead to problems. We wouldn't want to allow Smack to update AppArmor state, and from my current perspective allowing the BPF LSM to update the capability state is no different. It's also important to keep in mind that if we allow one LSM to do something, we need to allow all LSMs to do something. If we allow multiple LSMs to manipulate the capability sets, how do we reconcile differences in the desired capability state? Does that resolution change depending on what LSMs are enabled at build time? Enabled at boot? Similarly, what about custom LSM ordering? What about those LSMs that use a task's capabilities as an input to an access control decision? If those LSMs allow an access based on a given capability set only to have a LSM later in the ordering modify that capability set to something which would have resulted in an access denial, do we risk a security regression? Our current approach to handling multiple LSMs is that each LSM is limited to modifying its own state, and I'm pretty confident that we stick to this model if we have any hope of preserving the sanity of the LSM layer as a whole. If you want to modify the capability set you need to do so within the confines of the capability LSM and/or modify the other related kernel subsystems (which I'm guessing will likely necessitate a change in the LSMs, but that avenue is very unclear if such an option even exists). --=20 paul-moore.com