Received: by 2002:ab2:6c55:0:b0:1fd:c486:4f03 with SMTP id v21csp80713lqp; Tue, 11 Jun 2024 15:39:11 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXOdiJ/u5tN2OC/ooQutxxjVacZY4RcVWm0Up9ddZr4BKynntAGar25TT8W85jm/jhQeFWpKgck6we7f05XcFetbcmSRHBqYKNJsqIt+Q== X-Google-Smtp-Source: AGHT+IHUJggAXZBfMjArL0DQPC9wpAt2ZjspYTMe0fNy6iBd/Xn41fn5qAoBl+Ad9YUE/1KdwTt2 X-Received: by 2002:a05:6214:3d86:b0:6b0:8626:1b94 with SMTP id 6a1803df08f44-6b191778d0fmr420176d6.6.1718145551101; Tue, 11 Jun 2024 15:39:11 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1718145551; cv=pass; d=google.com; s=arc-20160816; b=jZbHvAUWQ5jvbwGKxiRR3snwaKhTPR8HYizw9mg2elxa5Nsb7o5cEo8D5OcCRJxtkM X95AmiwBurv8tjcUy7Ar7igwy0K5JpqMQrThyyfU2iew7BTf08iE8N1UfBIAerEQfLig ynuFqMaPdLOd7CPf/ZzklLRe7xZcNQCefO+K69LIP/IIQ4yjbhZGzdY7Xu7iakXhNMiU x97DQwNxJNa+1VKRhycggAFJ4kdXYL9LwA6QY7+AWIs4N2CktyeAOUAj9S4YCO/J7Y5f DM30ck1PBeQC9mLygtOlVJIYCztUuJXDWIFC6kgLX6T6VmsCQZr/TtVzFAFNFg+fgaqL t5ig== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=plZlLULbEPZ4CPINB2iX4W5eyj0ufYBE504Q1QyZ288=; fh=nDdHjFFbwmNJB2/I/EAHKa7XcUQIEXSjYNK0Wykl/N8=; b=dx7iPzST4UfGJkQBguqmQ7UnumzRB/B2EhduzTrvCepZ+vuKuVTUqPSglGcK9h4/3L rsHIbc9bx4i6pX77SLTSpehhoETS/1yJtXfi46AGHAoJptFytRx5+gqBvn81uf8fYoe/ i+Tg32JHtg6VOlFTs41a/Km/jCfRE8bg2ZWz8y2a61nERR0ocmK1K2SNSKf7mPOKcvHd BlDPiVze2xwBBxcCsI5xF/0wI2ltJTuxC3+l2dSqVgNOVcmUJOHFgP1Y1yTwVZppJcbj uq0gLRwXGNdD5DHc8ixKeotJrobDwsQR/d7DlxE3Ey80A9IEPlh8vfweJhwjWtZnsn3y pA+A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=dM+ClF+P; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-210672-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-210672-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id 6a1803df08f44-6b04fa45b52si142394296d6.577.2024.06.11.15.39.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 15:39:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-210672-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=dM+ClF+P; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-210672-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-210672-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id BBF041C20C22 for ; Tue, 11 Jun 2024 22:39:10 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 33AD0155353; Tue, 11 Jun 2024 22:38:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="dM+ClF+P" Received: from mail-yw1-f181.google.com (mail-yw1-f181.google.com [209.85.128.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3C35E46444 for ; Tue, 11 Jun 2024 22:38:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.181 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718145525; cv=none; b=t6wJStyLYZBeJcCVfSzCltxn2XpOTLj4lKsCs7rdTBgCMCx/9Crzb2SE0ZdWTX2MFEJGmynQASN684e0H6a1uL7bbsdwyBGDFdBgxRPRT+NTEwm8vLJ2TGoAMujKuLbhStj2fslDUt0j4uM8w2PIEP+k95RHZuoF+P5SUm8DV0E= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718145525; c=relaxed/simple; bh=9Njb1QFUfo0wbmyt1RFmIM5BrHWuvMLeu82oSPr0buU=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=KUYmeelL1w2X7Z3y/aGPyMMCn2wp6vfJ/U9iq+EFfbAb6305PVHg/qYR1f4G6sjIYm54CrYfF1xLGifve0Zh9XGz7wzTmxpWFUSbE4Uo2GNV+KXJepgt7uJC0r9MOG/GGtSPncQcj8Cxp954Xm+ex3RsTOYbIRaw7Di9tKtqZGY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=dM+ClF+P; arc=none smtp.client-ip=209.85.128.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Received: by mail-yw1-f181.google.com with SMTP id 00721157ae682-62f518bbab1so6867747b3.2 for ; Tue, 11 Jun 2024 15:38:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1718145523; x=1718750323; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=plZlLULbEPZ4CPINB2iX4W5eyj0ufYBE504Q1QyZ288=; b=dM+ClF+PxazyNTapsEd1uyA6O2r4SlarCGevqA1wr135PJ6jjT3C63n/dAoXlKKNni k/EykW2WxSKnglGup8fJJWYSyhRHq+5JM+aOuExMTaI4OyzeKaISp+u/bDdiryl11EgA 178Z37EAx0TE5nO/YjK8v09GgzL8pBjJ3hhpYg9NaXxPSfS/5gNjQSb4BXA4jZGZrmK0 7OXVOtu1yhmxs8CTNioxG07GMVuvY9uk6TZD2sbJq1YhVcx2t0uzLynhsfRxMTYoOMCC s8LStSl+pn9ydn2EcPRl6H3zCzJ+1FZHjUfPaDDLumwje/Usw3WghuBUKJmmiSvr9cu4 6sdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718145523; x=1718750323; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=plZlLULbEPZ4CPINB2iX4W5eyj0ufYBE504Q1QyZ288=; b=uXGjUase0I/+XbkKxGZ4PxuGNJEQVrgN5P9/ZCYZATZbU4Sf1R22Bm/OvAxf1oiPBn m+tTIxD6VtU66pB0qZWLjnp6getKWdZecUYxwaW2ejfWGJw3eLLDhl3A86o3uJbcUIXZ qYJ2R9yK3kN1kKldDEQdDZn8wRuFjvYG2tJZQDp4VJ1DryNlf+2tunb5C7z5/NN92QUm V/8ywjuLej/Fad4Y+UO3cCUnW7n5fvhVJXx4/qTdCkETlapdqf3RG1zhZnWrLb83l2rN /RHm5XJoFlGLuDYwjB6D8kiYZUXeC+9nNi9y7YiA+UKr9xN7FLQQ7Gf1e5Eu8LM+Ndf7 irjQ== X-Forwarded-Encrypted: i=1; AJvYcCW4dS8CZrWrAl2UXRoGkiTQ0BDrCfgHE9QwPDUEeR/N4uSNCXVrnxUDxWQHq1GMkALnouBMFd6z0a+5t/SiEhVEiD1DtuvC/r1LKlbB X-Gm-Message-State: AOJu0Ywc203d5YOXbrPp8x4pr7/UTis5/RYlBujRSfp0mRQao04zvNp1 jR4L9Sw+YBht1TfXFwoDyMbOxNUOTkkq8j4Ju8NlzfrkXSIGiBMBMNF+lIRbXj/uzgD8Rg9kNlW vsbZu7T7Gtm4GGIoBVjrYR3lgqRDA3FlYSRaS X-Received: by 2002:a81:7283:0:b0:62f:518b:ba53 with SMTP id 00721157ae682-62fba943427mr1376147b3.49.1718145522756; Tue, 11 Jun 2024 15:38:42 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240609104355.442002-1-jcalmels@3xx0.net> <20240609104355.442002-5-jcalmels@3xx0.net> <887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com> In-Reply-To: From: Paul Moore Date: Tue, 11 Jun 2024 18:38:31 -0400 Message-ID: Subject: Re: [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks To: Jonathan Calmels Cc: John Johansen , brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet , James Morris , "Serge E. Hallyn" , KP Singh , Matt Bobrowski , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , Stanislav Fomichev , Hao Luo , Jiri Olsa , Luis Chamberlain , Kees Cook , Joel Granados , David Howells , Jarkko Sakkinen , Stephen Smalley , Ondrej Mosnacek , Mykola Lysenko , Shuah Khan , containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Jun 11, 2024 at 6:15=E2=80=AFPM Jonathan Calmels wrote: > On Tue, Jun 11, 2024 at 03:01:01PM GMT, Paul Moore wrote: > > On Tue, Jun 11, 2024 at 6:32=E2=80=AFAM John Johansen > > wrote: > > > > > > On 6/11/24 01:09, Jonathan Calmels wrote: > > > > On Sun, Jun 09, 2024 at 08:18:48PM GMT, Paul Moore wrote: > > > >> On Sun, Jun 9, 2024 at 6:40=E2=80=AFAM Jonathan Calmels wrote: > > > >>> > > > >>> This patch allows modifying the various capabilities of the struc= t cred > > > >>> in BPF-LSM hooks. More specifically, the userns_create hook calle= d > > > >>> prior to creating a new user namespace. > > > >>> > > > >>> With the introduction of userns capabilities, this effectively pr= ovides > > > >>> a simple way for LSMs to control the capabilities granted to a us= er > > > >>> namespace and all its descendants. > > > >>> > > > >>> Update the selftests accordingly by dropping CAP_SYS_ADMIN in > > > >>> namespaces and checking the resulting task's bounding set. > > > >>> > > > >>> Signed-off-by: Jonathan Calmels > > > >>> --- > > > >>> include/linux/lsm_hook_defs.h | 2 +- > > > >>> include/linux/security.h | 4 +- > > > >>> kernel/bpf/bpf_lsm.c | 55 ++++++++++++= +++++++ > > > >>> security/apparmor/lsm.c | 2 +- > > > >>> security/security.c | 6 +- > > > >>> security/selinux/hooks.c | 2 +- > > > >>> .../selftests/bpf/prog_tests/deny_namespace.c | 12 ++-- > > > >>> .../selftests/bpf/progs/test_deny_namespace.c | 7 ++- > > > >>> 8 files changed, 76 insertions(+), 14 deletions(-) > > > >> > > > >> I'm not sure we want to go down the path of a LSM modifying the PO= SIX > > > >> capabilities of a task, other than the capabilities/commoncap LSM.= It > > > >> sets a bad precedent and could further complicate issues around LS= M > > > >> ordering. > > > > > > > > Well unless I'm misunderstanding, this does allow modifying the > > > > capabilities/commoncap LSM through BTF. The reason for allowing > > > > `userns_create` to be modified is that it is functionally very simi= lar > > > > to `cred_prepare` in that it operates with new creds (but specific = to > > > > user namespaces because of reasons detailed in [1]). > > > > > > yes > > > > > > > There were some concerns in previous threads that the userns caps b= y > > > > themselves wouldn't be granular enough, hence the LSM integration. > > > > > > > Ubuntu for example, currently has to resort to a hardcoded profile > > > > transition to achieve this [2]. > > > > > > > > > > The hard coded profile transition, is because the more generic soluti= on > > > as part of policy just wasn't ready. The hard coding will go away bef= ore > > > it is upstreamed. > > > > > > But yes, updating the cred really is necessary for the flexibility ne= eded > > > whether it is modifying the POSIX capabilities of the task or the LSM > > > modifying its own security blob. > > > > > > I do share some of Paul's concerns about the LSM modifying the POSIX > > > capabilities of the task, but also thing the LSM here needs to be > > > able to modify its own blob. > > > > To be clear, this isn't about a generic LSM needing to update its own > > blob (LSM state), it is about the BPF LSM updating the capability > > sets. While we obviously must support a LSM updating its own state, > > I'm currently of the opinion that allowing one LSM to update the state > > of another LSM is only going to lead to problems. We wouldn't want to > > allow Smack to update AppArmor state, and from my current perspective > > allowing the BPF LSM to update the capability state is no different. > > > > It's also important to keep in mind that if we allow one LSM to do > > something, we need to allow all LSMs to do something. If we allow > > multiple LSMs to manipulate the capability sets, how do we reconcile > > differences in the desired capability state? Does that resolution > > change depending on what LSMs are enabled at build time? Enabled at > > boot? Similarly, what about custom LSM ordering? > > > > What about those LSMs that use a task's capabilities as an input to an > > access control decision? If those LSMs allow an access based on a > > given capability set only to have a LSM later in the ordering modify > > that capability set to something which would have resulted in an > > access denial, do we risk a security regression? > > I understand the concerns, what I fail to understand however, is how is > it any different from say the `cred_prepare` hook today? The existing cred_prepare hooks only operate on their own small portion of the cred::security blob. What you are proposing would be the BPF LSM operating on the capability sets that it does not "own" (they belong to the capability LSM). If you see that as a minor difference, please understand that if you skip past that you have all the issues I mentioned in my previous message to deal with. > > Our current approach to handling multiple LSMs is that each LSM is > > limited to modifying its own state, and I'm pretty confident that we > > stick to this model if we have any hope of preserving the sanity of > > the LSM layer as a whole. If you want to modify the capability set > > you need to do so within the confines of the capability LSM and/or > > modify the other related kernel subsystems (which I'm guessing will > > likely necessitate a change in the LSMs, but that avenue is very > > unclear if such an option even exists). > > What do you mean by "within the confines of the capability LSM" here? Basically security/commoncap.c. One could make a lot of arguments about if it is, or isn't, a LSM, but commoncap.c registers LSM hooks which is pretty much the definition of a LSM from an implementation point of view. > Arguably, if we do want fine-grained userns policies, we need LSMs to > influence the userns capset at some point. One could always use, or develop, a LSM that offers additional controls around exercising capabilities. There are currently four in-tree LSMs, including the capabilities LSM, which supply a security_capable() hook that is used by the capability-based access controls in the kernel; all of these hook implementations work together within the LSM framework and provide an additional level of control/granularity beyond the existing capabilities. --=20 paul-moore.com