Received: by 2002:a89:413:0:b0:1fd:dba5:e537 with SMTP id m19csp413724lqs; Thu, 13 Jun 2024 13:55:34 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXPK2O47aJ6DPO19RdPyHfgBGNEy2yXDDs+Pl60VmthNL/nT/T04yoSl7tZSYJ8fu/jT9h92MT3+Gbyu2YE7zKsjgd40oWx9/6IgRp43w== X-Google-Smtp-Source: AGHT+IE6IL19iDIcr6QJ/2tbaLq9dl8Bb679jgztY5Oeuo2voRp6tyJ4EiXNTWVXo20aA2LvwAK0 X-Received: by 2002:a17:906:1b54:b0:a6f:176e:477b with SMTP id a640c23a62f3a-a6f60de61b5mr49757866b.66.1718312133960; Thu, 13 Jun 2024 13:55:33 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1718312133; cv=pass; d=google.com; s=arc-20160816; b=kqP+j4Yrao6oZxwJIG/kZEAmPT6w7a+t6FvaggYKOPWk9QNMfaXSTlqCbCJzDS/gM4 tYi7LuW48zB13YeQvEx0/K4skZ57k1yLmJ7J+kuITyHvOlit+9X28ZSB/AVn7S0DIWmx 0FQcJeuqwCaEp4EYPoRNq5OYlZdXSsFaBZ6fg7sPdV+whAn74GM8aCpCJ3C152w7uq41 xOeXC3AjmmhFgtNw9CKArB/HDUJFXGhpvOQnayh4yA7nPbWoKU0KX9k2+RuVo4oAazuw w2jsOhD6VAPDslr+YlBbljankivu+PtogfCMBi8lZMHWhb+J6QHhtCfBR3aX4G7tZmzu T5qw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=mcXAwgD8G/DtMBTj2XjZiXsT2OTNX1kHEG3gcoNV7As=; fh=DhvpLviE+YGXCjlEcL/XBT8EjFQez3WZTiFdt5ZUlrg=; b=siiw9fTlg6AOt2uNpZV9q+nfkbPnQmibdSrOR+ARrueDfCuNQGfejA82ryOffq//ou pcmHALZdOa0uaAC/vUYlRHB13H8s5RdOAkyUwTXGeU6PFlcF3lx6Tx2bTngEfHtFJvY1 7Doy3wzca+ggYjA0hZsc/M8rw5LAKtaXCHweSMqUqG/t2lIrBSYbCZvLkcflIo4327o8 JdES5sCoAlYthEYt1s+UO/pq6SE0gA+kelXo5CksyRLSeDVh0/jxT37omKSw/NPF/nwy iM0Qh1VL5I+YKqwOESLl/nzCK0+qVY1KWjMpFo4m7g66T6ysj/xnLsVooJngyWiukUGT yQ8Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=LY4ASSj5; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-214006-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-214006-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id a640c23a62f3a-a6f62d3f745si11845966b.716.2024.06.13.13.55.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Jun 2024 13:55:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-214006-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=LY4ASSj5; arc=pass (i=1 spf=pass spfdomain=paul-moore.com dkim=pass dkdomain=paul-moore.com dmarc=pass fromdomain=paul-moore.com); spf=pass (google.com: domain of linux-kernel+bounces-214006-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-214006-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 7E5A71F24FA2 for ; Thu, 13 Jun 2024 20:55:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9D84213B5B6; Thu, 13 Jun 2024 20:55:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="LY4ASSj5" Received: from mail-yw1-f182.google.com (mail-yw1-f182.google.com [209.85.128.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C3CF713B5BB for ; Thu, 13 Jun 2024 20:55:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.182 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718312114; cv=none; b=AH5gcgIg2ofs/5bE9pK5DVL8lv8V6alF6ym/FKELQFcpRsTMdH6wWwwcPJE7/fjLGoP+s3turyp4qublq9BiTtaBSKSb32zL0d2XD3jNBZLirv+sQUspl+M80iuZ1huzrnNLhL208Z7JnvDhbKlr7V5Bv2Hh9bfg449+J6s713M= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718312114; c=relaxed/simple; bh=l5BZRVe4EjUxYN3yXF5F7zfYiMw/7+iKLgPHpiV/pbM=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=VZFqASrTGggz982qhp2IEM6cnEuXYtR3JFmm8RYrMjmoO/cvc0Kkr8qrJfM2fS6i+3Vg3iJvNloOAdxugxxfeDIr+KPIyOZFQpX2Fp1wnk8OTAuke3NbA6GDGvipvjyZEpXIIoOlNZzvh6mUyuyIi1iHjwTXDKFCkmOv68ZINRI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=LY4ASSj5; arc=none smtp.client-ip=209.85.128.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Received: by mail-yw1-f182.google.com with SMTP id 00721157ae682-63152a07830so10688457b3.3 for ; Thu, 13 Jun 2024 13:55:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1718312112; x=1718916912; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=mcXAwgD8G/DtMBTj2XjZiXsT2OTNX1kHEG3gcoNV7As=; b=LY4ASSj5sD1R9fmYZn5gSBdQcVKzA/Abv6SD3GZehE/Wn/sDSFoAp1R/vhdCDnwbf+ b83ZV/RHzrYz32yqmtZQVOwlbNCk5jFSSY8Ik3l/S3j10VNT7tVhSg7az9C8eBWBFjdy j2PuEv2yLn903jg6kZp4KtNTlc5UaM4pK+W38Sx7a9auud2uZ5LoWNHqLqacnv8dYGrW xRALKPOwEPfpDwZ5tuXLIxYXsGseEFUbyVIVyPZpZ90SbdwdV6aaDp/xx0S+06fJ6bbx WBaG+a7x50apV2PFHdkYt6I9t/ZZGrkI6JfBLa14L/dhPQ/Y7UR4OpHbRhwRJkSnhMEb p5MA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718312112; x=1718916912; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mcXAwgD8G/DtMBTj2XjZiXsT2OTNX1kHEG3gcoNV7As=; b=TWRgtn9ElHkzUy3U/Gb7ih4NcbnnkwzOiwU6rye/kKjdvFHLYd1KFGdOBGfzD61dbb QFpeELTQBR4wrJwBdHrVa7OmynLVjnx8kA4Y/oQD+HuR3MD8a1FAEqy/+Lsy+UaNgdlP lHM/L7KQ4a5eqXv+z2mRw3PcIr3+qJBRN3ZiZxZNppLfEA6UsB8L8Wkv/eVERHesiP0w ThFQcEDHrseLukxuY/EZcpOot+L7UOMnSd+lurdyCUyCWg45x23d1ugCP7NN3gUgF6kk FAo2T+ptfm89MRXTfMiP3I5p88BeBcRtMk0ZRBZEal2XlTzeYbe2x4jvyBUcREpCn2aD /X/A== X-Forwarded-Encrypted: i=1; AJvYcCXRUOZ4tr6g78iigh55y/SzNOm+/EGYDWssovnWtgBWE4Whgy1phFXEM+jve5j+jkk0eusaFQZFxJUNfWfyIUz5m4QbhybrjSM2CWVl X-Gm-Message-State: AOJu0YxxDKcw7KfGpfZwkjl7UXVjVPlv9ZzG0UAYttz6K4FrlhdeJhKW +FEQ1Vbgcebem9ot0D0PginsNIbNvVMV9ZDWd5Kz3l4nyV5uklzvdPGeua/FNX7gIWXUvci49f3 CLL7QdypyDqr41FJaVy9Texuy8ckZWTe5xptN X-Received: by 2002:a81:910f:0:b0:62f:ad9c:cd4 with SMTP id 00721157ae682-6322470facfmr6187707b3.41.1718312111715; Thu, 13 Jun 2024 13:55:11 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240609104355.442002-5-jcalmels@3xx0.net> <887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com> In-Reply-To: From: Paul Moore Date: Thu, 13 Jun 2024 16:55:00 -0400 Message-ID: Subject: Re: [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks To: Jonathan Calmels Cc: John Johansen , brauner@kernel.org, ebiederm@xmission.com, Jonathan Corbet , James Morris , "Serge E. Hallyn" , KP Singh , Matt Bobrowski , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , Stanislav Fomichev , Hao Luo , Jiri Olsa , Luis Chamberlain , Kees Cook , Joel Granados , David Howells , Jarkko Sakkinen , Stephen Smalley , Ondrej Mosnacek , Mykola Lysenko , Shuah Khan , containers@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, apparmor@lists.ubuntu.com, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Jun 13, 2024 at 4:45=E2=80=AFAM Jonathan Calmels wrote: > On Wed, Jun 12, 2024 at 08:54:28PM GMT, John Johansen wrote: > > On 6/12/24 10:29, Paul Moore wrote: > > > On Wed, Jun 12, 2024 at 4:15=E2=80=AFAM Jonathan Calmels wrote: > > > > On Tue, Jun 11, 2024 at 06:38:31PM GMT, Paul Moore wrote: > > > > > On Tue, Jun 11, 2024 at 6:15=E2=80=AFPM Jonathan Calmels wrote: > > > > > > ... > > > > > > > > > Arguably, if we do want fine-grained userns policies, we need L= SMs to > > > > > > influence the userns capset at some point. > > > > > > > > > > One could always use, or develop, a LSM that offers additional > > > > > controls around exercising capabilities. There are currently fou= r > > > > > in-tree LSMs, including the capabilities LSM, which supply a > > > > > security_capable() hook that is used by the capability-based acce= ss > > > > > controls in the kernel; all of these hook implementations work > > > > > together within the LSM framework and provide an additional level= of > > > > > control/granularity beyond the existing capabilities. > > > > > > > > Right, but the idea was to have a simple and easy way to reuse/trig= ger > > > > as much of the commoncap one as possible from BPF. If we're saying = we > > > > need to reimplement and/or use a whole new framework, then there is > > > > little value. > > > > > > I can appreciate how allowing direct manipulation of capability bits > > > from a BPF LSM looks attractive, but my hope is that our discussion > > > here revealed that as you look deeper into making it work there are a > > > number of pitfalls which prevent this from being a safe option for > > > generalized systems. > > > > > > > TBH, I don't feel strongly about this, which is why it is absent fr= om > > > > v1. However, as John pointed out, we should at least be able to mod= ify > > > > the blob if we want flexible userns caps policies down the road. > > > > > > As discussed in this thread, there are existing ways to provide fine > > > grained control over exercising capabilities that can be safely used > > > within the LSM framework. I don't want to speak to what John is > > > envisioning, but he should be aware of these mechanisms, and if I > > > recall he did voice a level of concern about the same worries I > > > mentioned. > > > > > > > sorry, I should have been more clear. I envision LSMs being able to > > update their own state in the userns hook. > > > > Basically the portion of the patch that removes const from the > > userns hook. > > Yes, pretty sure we'll need this regardless. > > > An LSM updating the capset is worrysome for all the reasons you > > pointed out, and I think a few more. I haven't had a chance to really > > look at v2 yet, so I didn't want to speak directly on the bpf part of > > the patch without first giving a good once over. > > > I'm happy to discuss ways in which we can adjust the LSM hooks/layer > > > to support different approaches to capability controls, but one LSM > > > directly manipulating the state of another is going to be a no vote > > > from me. > > > > I might not be as hard no as Paul here, I am always willing to listen > > to arguments, but it would have to be a really good argument to > > modify the capset, when there are multiple LSMs in play on a system. > > The way I see it, it's more about enhancing the capability LSM with BPF > hooks and have it modify its own state dynamically, not so much > crosstalk between two distinct LSM frameworks (say one where the BPF > LSM implements a lot of things like capable()). As I mentioned previously, if you want to do something with the capability sets you simply need to do it within the confines of security/commoncap.c. If you're really set on the "MUST BE BPF!" way of life, and you can convince Serge (capabilities maintainer) that it would be a good idea, you could propose a dedicated BPF hook within the capabilities LSM. I'm not sure how wise that would be, but it would resolve a lot of the LSM ordering/stacking issues that we've discussed. > If we think there is no way we can come up with something that's safe > enough, and that the risks outweigh the benefits, fine by me, we can > drop this patch from the series. To be clear, this patch is not acceptable at this point in time. With the understanding that I haven't looked that closely at the rest of the patchset, it looks fairly well contained to the capabilities code which means it is largely up to Serge, not me. I will mention that you should update the audit code to recognize the new capability set, look at kernel/auditsc.c for more information. --=20 paul-moore.com