From: Paul Moore
Date: Wed, 12 Jun 2024 13:29:06 -0400
Subject: Re: [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks
To: Jonathan Calmels
Cc: John Johansen, brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet, James Morris, "Serge E. Hallyn", KP Singh, Matt Bobrowski, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, Stanislav Fomichev, Hao Luo, Jiri Olsa, Luis Chamberlain, Kees Cook, Joel Granados, David Howells, Jarkko Sakkinen, Stephen Smalley, Ondrej Mosnacek, Mykola Lysenko, Shuah Khan, containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240609104355.442002-1-jcalmels@3xx0.net> <20240609104355.442002-5-jcalmels@3xx0.net> <887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com>

On Wed, Jun 12, 2024 at 4:15 AM Jonathan Calmels wrote:
> On Tue, Jun 11, 2024 at 06:38:31PM GMT, Paul Moore wrote:
> > On Tue, Jun 11, 2024 at 6:15 PM Jonathan Calmels wrote:

...

> > > Arguably, if we do want fine-grained userns policies, we need LSMs to
> > > influence the userns capset at some point.
> >
> > One could always use, or develop, a LSM that offers additional
> > controls around exercising capabilities. There are currently four
> > in-tree LSMs, including the capabilities LSM, which supply a
> > security_capable() hook that is used by the capability-based access
> > controls in the kernel; all of these hook implementations work
> > together within the LSM framework and provide an additional level of
> > control/granularity beyond the existing capabilities.
>
> Right, but the idea was to have a simple and easy way to reuse/trigger
> as much of the commoncap one as possible from BPF. If we're saying we
> need to reimplement and/or use a whole new framework, then there is
> little value.

I can appreciate how allowing direct manipulation of capability bits
from a BPF LSM looks attractive, but my hope is that our discussion
here revealed that as you look deeper into making it work there are a
number of pitfalls which prevent this from being a safe option for
generalized systems.

> TBH, I don't feel strongly about this, which is why it is absent from
> v1. However, as John pointed out, we should at least be able to modify
> the blob if we want flexible userns caps policies down the road.

As discussed in this thread, there are existing ways to provide fine
grained control over exercising capabilities that can be safely used
within the LSM framework. I don't want to speak to what John is
envisioning, but he should be aware of these mechanisms, and if I
recall he did voice a level of concern about the same worries I
mentioned.

I'm happy to discuss ways in which we can adjust the LSM hooks/layer
to support different approaches to capability controls, but one LSM
directly manipulating the state of another is going to be a no vote
from me.

-- 
paul-moore.com
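The point Paul makes above, that the in-tree security_capable() hook implementations compose within the LSM framework and give extra control without one LSM rewriting another's state, can be illustrated with a small user-space model. The code below is an added example written for this page; it is not part of the email thread and not the kernel's own code. The names commoncap_capable(), policy_capable(), security_capable(), struct cred and the cap_mask_t type are hypothetical stand-ins shaped after the kernel's design: the real hook also receives the target user namespace and an opts flag, and the real cap_capable() walks user namespaces, both of which are omitted. The capability numbers mirror linux/capability.h but are defined locally so the model builds without kernel headers. What it shows is the ordering rule that matters for the thread: the framework walks the registered capable hooks and returns the first non-zero (denying) result, so a second LSM, such as a BPF LSM program, can only narrow what commoncap already allows and cannot grant a capability commoncap denies.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in linux/capability.h, defined locally so the
 * model builds without kernel headers. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21

typedef uint64_t cap_mask_t;
#define CAP_BIT(c) ((cap_mask_t)1 << (c))

/* Minimal stand-in for struct cred: only the effective set is modelled. */
struct cred {
    cap_mask_t cap_effective;
};

/* Hook prototype (hypothetical). The kernel's capable hook also receives
 * the target user namespace and an opts flag; both are omitted here. */
typedef int (*capable_hook_t)(const struct cred *cred, int cap);

/* Model of the capability LSM (commoncap): allow only if the bit is in
 * the caller's effective set. The real cap_capable() also walks user
 * namespaces; that is left out of the model. */
static int commoncap_capable(const struct cred *cred, int cap)
{
    return (cred->cap_effective & CAP_BIT(cap)) ? 0 : -EPERM;
}

/* Hypothetical second LSM, e.g. what a BPF LSM program could do: it reads
 * the cred but never writes it, and can only add a denial on top of
 * commoncap. Here it forbids CAP_SYS_ADMIN regardless of the cred. */
static const cap_mask_t policy_denied = CAP_BIT(CAP_SYS_ADMIN);

static int policy_capable(const struct cred *cred, int cap)
{
    (void)cred;
    return (policy_denied & CAP_BIT(cap)) ? -EPERM : 0;
}

/* Registered hooks in order, the capability LSM first. The kernel's
 * security_capable() uses call_int_hook(), which returns the first
 * non-zero result; that loop is reproduced here. */
static const capable_hook_t capable_hooks[] = { commoncap_capable, policy_capable };
#define NR_HOOKS (sizeof(capable_hooks) / sizeof(capable_hooks[0]))

int security_capable(const struct cred *cred, int cap)
{
    for (size_t i = 0; i < NR_HOOKS; i++) {
        int rc = capable_hooks[i](cred, cap);
        if (rc != 0)
            return rc; /* any LSM can deny; no later LSM can undo a denial */
    }
    return 0;
}

/* Constructed sample creds for the demonstration. */
const struct cred privileged_cred = {
    .cap_effective = CAP_BIT(CAP_NET_ADMIN) | CAP_BIT(CAP_SYS_ADMIN)
};
const struct cred unprivileged_cred = { .cap_effective = 0 };

int main(void)
{
    printf("privileged, CAP_NET_ADMIN: %d (allowed by both LSMs)\n",
           security_capable(&privileged_cred, CAP_NET_ADMIN));
    printf("privileged, CAP_SYS_ADMIN: %d (commoncap allows, policy LSM denies)\n",
           security_capable(&privileged_cred, CAP_SYS_ADMIN));
    printf("unprivileged, CAP_NET_ADMIN: %d (commoncap denies)\n",
           security_capable(&unprivileged_cred, CAP_NET_ADMIN));
    return 0;
}
```

The design choice worth noticing is that policy_capable() has no way to return an allow that overrides commoncap's denial: the loop stops at the first non-zero result, so the second LSM's only lever is to add restrictions. That is the property the thread relies on when it argues for a capable hook rather than for letting one LSM edit another LSM's capability bits.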