Received: by 2002:ab2:6c55:0:b0:1fd:c486:4f03 with SMTP id v21csp100491lqp; Tue, 11 Jun 2024 16:31:48 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXPwNcK2ivFbSE9anFSwYJBGHGOL5/dpqdE9fBL8QcxgTcsqZHTEm/uMPMMEI5ZQ17lZlQhGALCXRh3YXkmoPb94ZTBMnd+30ZIUzKguw== X-Google-Smtp-Source: AGHT+IEI30CtggJwRErkINnXGC/iJ9JDdd7rd1EToQBXBoFvRaaVPETPjwJXUw1po26pVQIDmQHt X-Received: by 2002:a17:90a:f48c:b0:2c3:c80:9ac8 with SMTP id 98e67ed59e1d1-2c4a760a974mr387667a91.9.1718148707750; Tue, 11 Jun 2024 16:31:47 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1718148707; cv=pass; d=google.com; s=arc-20160816; b=eQny4EWDD4LCJ7nHy44OH17kOeT4wWLeGZk9PwMznsfCIU83oV2KJRyuEf9nPO+3Ax +u/HlCRH7xHXGf1CqxWF2LzNWKE5IvvCCWxi0Rc3WvnbGAYZBa0oI/PuBnn5BnyAxdxe wULcft7NpksG+R0hKWhxb89nT9bTKe3udEO8oKb+1lHZjr4oNP1Lmx8sLLGSjIzGmN2M +RPAVrsmei4TMl5uevfRpvb2lE+feK6uCY/6jdKR1JcmZM7BsZ2dJTOMfERo0MuYgKfj Kmf0ONhiOjIv5LZ/2Wjj+OLp49tEf6mv7UmG4MVO0h6L/8hQM6Ka0G493lq1xINygs+E JEOg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:feedback-id :dkim-signature:dkim-signature; bh=hLoyDphzPvoA7UYBfDpLVZId/MwW/v8vWSAXuFf49/w=; fh=O/CJSNYfSzcb9M4ceWa85lQgp+Mr0+7HoMsmgQl28zk=; b=em69OZIi6AjGLbb8AZkn+1p1iUXC2yIoEG9wjZb3GbTV2mZaomx2L4EVm1mWs8RWRd NG39zhAaby9CYzzGnvhT4DsbQ9QGSJpddszZbBZJDpG+snti7GaD2SIRykssRxcdvZzO 5Uqslkca5pTar84sYpwVTaqRANJPCYVZesPNQHtva6Vmo4AEKUVScu4g2HmFqhtMuIR5 N9QHQP6Sb2LQ8gEKy/9D0k0A3W/oLD2dVqQQdvDD4CrE/O18Rcz/5o28b/3lIk5XgXu8 PkNLxSPjv8SV9PvUih2Jbwo6cCASbKW0nciP31hSR2TZTq4Vp9FMSMbxlGfpLNxQMD2A 3s+A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=neutral (expired) header.i=@3xx0.net header.s=fm1 header.b=Pq9rjGAS; dkim=neutral (expired) header.i=@messagingengine.com header.s=fm1 header.b="ISNh/oJu"; arc=pass (i=1 spf=pass spfdomain=3xx0.net dkim=pass dkdomain=3xx0.net dkim=pass dkdomain=messagingengine.com dmarc=pass fromdomain=3xx0.net); spf=pass (google.com: domain of linux-kernel+bounces-210656-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-210656-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=3xx0.net Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id 98e67ed59e1d1-2c4a772cc1esi235036a91.182.2024.06.11.16.31.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 16:31:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-210656-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=neutral (expired) header.i=@3xx0.net header.s=fm1 header.b=Pq9rjGAS; dkim=neutral (expired) header.i=@messagingengine.com header.s=fm1 header.b="ISNh/oJu"; arc=pass (i=1 spf=pass spfdomain=3xx0.net dkim=pass dkdomain=3xx0.net dkim=pass dkdomain=messagingengine.com dmarc=pass fromdomain=3xx0.net); spf=pass (google.com: domain of linux-kernel+bounces-210656-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-210656-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=3xx0.net Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id D69E3285284 for ; Tue, 11 Jun 2024 22:15:52 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8C1B11553A2; Tue, 11 Jun 2024 22:15:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=3xx0.net header.i=@3xx0.net header.b="Pq9rjGAS"; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="ISNh/oJu" Received: from wflow2-smtp.messagingengine.com (wflow2-smtp.messagingengine.com [64.147.123.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4F87438DC8; Tue, 11 Jun 2024 22:15:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=64.147.123.137 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718144134; cv=none; b=O0BnY08yVEVn0WAAJx0Tgfo7wIF7syl5/PfW76t90Vh5T0ZVboPxLzyRiBLo6Krze168JGofkzXjuk6nUBtuOxiQA3IGN18RsB9LkjaoXGuoYMgKXumRL2qgZWGnFyOEQ0E8/v5gwOeXbPS1+QzF/qEcKZd1ZDdCS1G5toluK5E= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718144134; c=relaxed/simple; bh=GdAkFK62RY/EebkDCQaRIl7vglLd8+Mimrq9+Eb15nk=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=bhzmLOoOn31Z6acsu8IcW5TFA2ETxenJS4iEYTKdjnONyPHnh1I6GixBrbY0WphqExCjdX0jiXGJyceOYsHDZ7tVDcRtwNT+NND655CM89iHjYe4Eo5RhhgGz97tJ5oZsp/V4l8xz7vZvPLpzn4VnKfLrXWvWzLdx56saFYDGoc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=3xx0.net; spf=pass smtp.mailfrom=3xx0.net; dkim=pass (2048-bit key) header.d=3xx0.net header.i=@3xx0.net header.b=Pq9rjGAS; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=ISNh/oJu; arc=none smtp.client-ip=64.147.123.137 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=3xx0.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=3xx0.net Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailflow.west.internal (Postfix) with ESMTP id C97482CC0169; Tue, 11 Jun 2024 18:15:27 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Tue, 11 Jun 2024 18:15:30 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=3xx0.net; h=cc :cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm1; t=1718144127; x=1718147727; bh=hLoyDphzPvoA7UYBfDpLVZId/MwW/v8vWSAXuFf49/w=; b= Pq9rjGAS1w/Bgo5vWiHK4C9GSmw8UEqW23zxfC6CU+LFTqGfGsPAhKcyrwHoj90O 2g7tjpvdho680sZED5/2pEYwnSPHE6Nyuowy4t+liSKxQFrggVMMiqon8nSX9UYe oVBsXm4b6ZW6z97l0uDDa5lkmqrKrNH3jKXI/kXAvkXXFnrHwG6oKoSy/6j3AF1Y 8cm9z2VOiKm0Y60hTybScXH/pn1OM/r/TpGNjtGS43aretvWB4MzGA3unImRVifY 913jLZ1dcL0oU2fUqcd35OHYcKeVnIiStKNnfKqAViqm85MfWYGX9m8CAyZAGKTa iabR1CZR/u5ovgrtmgo/zg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1718144127; x= 1718147727; bh=hLoyDphzPvoA7UYBfDpLVZId/MwW/v8vWSAXuFf49/w=; b=I SNh/oJu/e8FBFK91pEhdVzPaxeoy0vJBcCYsFR5dTBa0eTNI52Mh6vmtzoNEnGGo 0nk1m7ki7/In22P/dp/EXcSDHlAz5BfLVF+KTy5T2BmEdmd9GgekK0iKTSeHoXrF qgiz+C959oucHJqv+TsGRpUAUjs2GCWmVT1rVLthx5HBkCDuetmM/I23iDS5r0tT W6HmZFu74Tm8QZns/LE00Y7Nh3h6HK7WrxdV+ExaadRJAJwmM9Qv5H0pqfa0EnHA Pq+gmx9IfmHP/NPUS88TJZaod19sMGo6bD1rEZ6UeYk8d3P1h816uGx3p9eTi7ne VZ5GqWvsh5NKbZvAPyg3A== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrfedufedgtdekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvfevuffkfhggtggugfgjsehtkefstddttdejnecuhfhrohhmpeflohhn rghthhgrnhcuvegrlhhmvghlshcuoehjtggrlhhmvghlshesfeiggidtrdhnvghtqeenuc ggtffrrghtthgvrhhnpeetgedutdfggeetleefhfeuhedtheduteekieduvdeigeegvdev vddtieekiedvheenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfh hrohhmpehjtggrlhhmvghlshesfeiggidtrdhnvght X-ME-Proxy: Feedback-ID: i76614979:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 11 Jun 2024 18:15:23 -0400 (EDT) Date: Tue, 11 Jun 2024 15:20:33 -0700 From: Jonathan Calmels To: Paul Moore Cc: John Johansen , brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet , James Morris , "Serge E. Hallyn" , KP Singh , Matt Bobrowski , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , Stanislav Fomichev , Hao Luo , Jiri Olsa , Luis Chamberlain , Kees Cook , Joel Granados , David Howells , Jarkko Sakkinen , Stephen Smalley , Ondrej Mosnacek , Mykola Lysenko , Shuah Khan , containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks Message-ID: References: <20240609104355.442002-1-jcalmels@3xx0.net> <20240609104355.442002-5-jcalmels@3xx0.net> <887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Tue, Jun 11, 2024 at 03:01:01PM GMT, Paul Moore wrote: > On Tue, Jun 11, 2024 at 6:32 AM John Johansen > wrote: > > > > On 6/11/24 01:09, Jonathan Calmels wrote: > > > On Sun, Jun 09, 2024 at 08:18:48PM GMT, Paul Moore wrote: > > >> On Sun, Jun 9, 2024 at 6:40 AM Jonathan Calmels wrote: > > >>> > > >>> This patch allows modifying the various capabilities of the struct cred > > >>> in BPF-LSM hooks. More specifically, the userns_create hook called > > >>> prior to creating a new user namespace. > > >>> > > >>> With the introduction of userns capabilities, this effectively provides > > >>> a simple way for LSMs to control the capabilities granted to a user > > >>> namespace and all its descendants. > > >>> > > >>> Update the selftests accordingly by dropping CAP_SYS_ADMIN in > > >>> namespaces and checking the resulting task's bounding set. > > >>> > > >>> Signed-off-by: Jonathan Calmels > > >>> --- > > >>> include/linux/lsm_hook_defs.h | 2 +- > > >>> include/linux/security.h | 4 +- > > >>> kernel/bpf/bpf_lsm.c | 55 +++++++++++++++++++ > > >>> security/apparmor/lsm.c | 2 +- > > >>> security/security.c | 6 +- > > >>> security/selinux/hooks.c | 2 +- > > >>> .../selftests/bpf/prog_tests/deny_namespace.c | 12 ++-- > > >>> .../selftests/bpf/progs/test_deny_namespace.c | 7 ++- > > >>> 8 files changed, 76 insertions(+), 14 deletions(-) > > >> > > >> I'm not sure we want to go down the path of a LSM modifying the POSIX > > >> capabilities of a task, other than the capabilities/commoncap LSM. It > > >> sets a bad precedent and could further complicate issues around LSM > > >> ordering. > > > > > > Well unless I'm misunderstanding, this does allow modifying the > > > capabilities/commoncap LSM through BTF. The reason for allowing > > > `userns_create` to be modified is that it is functionally very similar > > > to `cred_prepare` in that it operates with new creds (but specific to > > > user namespaces because of reasons detailed in [1]). > > > > yes > > > > > There were some concerns in previous threads that the userns caps by > > > themselves wouldn't be granular enough, hence the LSM integration. > > > > > Ubuntu for example, currently has to resort to a hardcoded profile > > > transition to achieve this [2]. > > > > > > > The hard coded profile transition, is because the more generic solution > > as part of policy just wasn't ready. The hard coding will go away before > > it is upstreamed. > > > > But yes, updating the cred really is necessary for the flexibility needed > > whether it is modifying the POSIX capabilities of the task or the LSM > > modifying its own security blob. > > > > I do share some of Paul's concerns about the LSM modifying the POSIX > > capabilities of the task, but also thing the LSM here needs to be > > able to modify its own blob. > > To be clear, this isn't about a generic LSM needing to update its own > blob (LSM state), it is about the BPF LSM updating the capability > sets. While we obviously must support a LSM updating its own state, > I'm currently of the opinion that allowing one LSM to update the state > of another LSM is only going to lead to problems. We wouldn't want to > allow Smack to update AppArmor state, and from my current perspective > allowing the BPF LSM to update the capability state is no different. > > It's also important to keep in mind that if we allow one LSM to do > something, we need to allow all LSMs to do something. If we allow > multiple LSMs to manipulate the capability sets, how do we reconcile > differences in the desired capability state? Does that resolution > change depending on what LSMs are enabled at build time? Enabled at > boot? Similarly, what about custom LSM ordering? > > What about those LSMs that use a task's capabilities as an input to an > access control decision? If those LSMs allow an access based on a > given capability set only to have a LSM later in the ordering modify > that capability set to something which would have resulted in an > access denial, do we risk a security regression? I understand the concerns, what I fail to understand however, is how is it any different from say the `cred_prepare` hook today? > Our current approach to handling multiple LSMs is that each LSM is > limited to modifying its own state, and I'm pretty confident that we > stick to this model if we have any hope of preserving the sanity of > the LSM layer as a whole. If you want to modify the capability set > you need to do so within the confines of the capability LSM and/or > modify the other related kernel subsystems (which I'm guessing will > likely necessitate a change in the LSMs, but that avenue is very > unclear if such an option even exists). What do you mean by "within the confines of the capability LSM" here? Arguably, if we do want fine-grained userns policies, we need LSMs to influence the userns capset at some point. Regardless of how or where we do this, it will always be subject to some sort of ordering. We could come up with some rules to limit surprises (e.g. caps can only be dropped, only possible through some hooks, etc), but at the end of the day, something needs to have the final word when it comes to deciding what the creds should be.