Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp588244iog; Wed, 15 Jun 2022 08:14:21 -0700 (PDT) X-Google-Smtp-Source: AGRyM1sxAaWZkstYecgc4lanQeU8+LACrnhRfWKdz0WGPJVqUHLVZSZeDWk0OHbA0cNT4LtstyHB X-Received: by 2002:a17:903:210a:b0:167:78c0:dd70 with SMTP id o10-20020a170903210a00b0016778c0dd70mr45733ple.157.1655306061290; Wed, 15 Jun 2022 08:14:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655306061; cv=none; d=google.com; s=arc-20160816; b=o2frWsgCgEnXoq8GJOed9vlaEnKKT3majB+Ua0isP5dIf4fWPXgtlM7nmq1XPLWpWl DY2zwPtAPIwSaktiifALTvTJyogINbd/pAQsTC3OhfMXw0NYWRoGGRD5ba+j1hkHRmNr ifbcCy2hmk2cL5PnHzWSp5gS074/o0Z/bmUAf38n7WdqOsNRMIAfVATSJhmYyKmxYx8E vLuC3fqrIJeOaT+JVFx14kRcnuOk9F62mMLrnZiVCrr/LRGDs1h2nIT10+5ch0AHG14E lN+td+FXkE3I5B6FtHKt25ho9MB4zbXHjVPgGvwvrEwOouPFki6h/lpFLPfbkN0bt8PE bwcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=j6yW8cSNxyHcKGLBH/RzzZpKDGH+HEQvUp5OHLJ1vSg=; b=tiOt64jfIsfao2d3yPsKlV9LuSkVa11jaIU2e5mtt3P6f//0UD6M12UYzBzs7GTA3I bUm2AsgGluugkRa2MGrGTu+r4y5I3DNO+zHGc+gdAoD7ES0QfTkUtbK9rMUHpuVNIZvQ CWnXohnbx4WnnvAoxsJ5y15STkbd0MdIiV/iPZ/RAevjDxffsB1NQe+oxAM/7tnJ5eLf r8XZBp4Z2xCpMLthqVtw4kVieeVAR9J86MDKg3xiTVeBzZts9w+lLNSCd4JvhEA/QtId BuOwis1Cj3Vwng8oErXbe2pWkJf72YmMS1gbEPKwxZfMczs9Z6mKwmyaXMFJH8TFnA8a 06iQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=nHFIWSpa; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p9-20020a1709026b8900b001635f7dccffsi12795143plk.493.2022.06.15.08.13.54; Wed, 15 Jun 2022 08:14:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=nHFIWSpa; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345907AbiFOPGU (ORCPT + 99 others); Wed, 15 Jun 2022 11:06:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55130 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243619AbiFOPGU (ORCPT ); Wed, 15 Jun 2022 11:06:20 -0400 Received: from mail-il1-x12e.google.com (mail-il1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 205103B003 for ; Wed, 15 Jun 2022 08:06:18 -0700 (PDT) Received: by mail-il1-x12e.google.com with SMTP id s1so9007264ilj.0 for ; Wed, 15 Jun 2022 08:06:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=j6yW8cSNxyHcKGLBH/RzzZpKDGH+HEQvUp5OHLJ1vSg=; b=nHFIWSpabtnN+Um1pljyrhwwDAfJjxUkuJ6rvWuwYZgQx3aHiUVOzZBoQ315+IY0IK y9sYTVz0n6GHUXTI1hng+qIVv9i00u8NOVnfVbThgFFOBxMJPVRnOoLGZMJaolcOFg0W l4S0cC3C+ob82bPzHmurYZcuzY3FwqJYYvn3E= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=j6yW8cSNxyHcKGLBH/RzzZpKDGH+HEQvUp5OHLJ1vSg=; b=RN0D7xfsZq5dul8tAu7Ire9obfMdkPGsnD0+0emEfgHHFpvho7AJ/4Bho8D5B6cIkx bEdBF7Vg1K8pJ4qpY0PL8C65rDm61AWO0no0ewF7p+er2me59x6Q++aAxgoWtN0u364G OApK36oFnF4SoXvYytuAo0ZxhqMY9w+oI3GUzEl6nm35Jv9Ehr8phj30tlVhLpaaI9LE pcj1oXXetjKUDzmCkAxHXt5ULDTjdqtjMw5de2pKeH6wer7LvpgbmspL7s32/NBPgqre Zh7GKPOxYdWUM8ghq+MH2YjEcykz9iX0zbt9daFRHRY5wBgZUB7rO6o8Iwe8W8Aee8Lm uUvg== X-Gm-Message-State: AJIora+RUODCQ5nRnbYTf5srdIGksdu4kRCjEXvKFsga88HtabYDUmBO ID36SCz/Df5cr0y//WEs7+XqfGpk5/ESErYZZXMTTQ== X-Received: by 2002:a05:6e02:1747:b0:2d3:e571:5058 with SMTP id y7-20020a056e02174700b002d3e5715058mr142461ill.309.1655305577283; Wed, 15 Jun 2022 08:06:17 -0700 (PDT) MIME-Version: 1.0 References: <20220608150942.776446-1-fred@cloudflare.com> <87tu8oze94.fsf@email.froward.int.ebiederm.org> <87y1xzyhub.fsf@email.froward.int.ebiederm.org> <859cb593-9e96-5846-2191-6613677b07c5@cloudflare.com> <87o7yvxl4x.fsf@email.froward.int.ebiederm.org> <9ed91f15-420c-3db6-8b3b-85438b02bf97@cloudflare.com> <20220615103031.qkzae4xr34wysj4b@wittgenstein> In-Reply-To: From: Ignat Korchagin Date: Wed, 15 Jun 2022 16:06:06 +0100 Message-ID: Subject: Re: [PATCH v3] cred: Propagate security_prepare_creds() error code To: Paul Moore , Christian Brauner , "Eric W. Biederman" Cc: Frederick Lawler , linux-doc@vger.kernel.org, linux-kernel , linux-aio@kvack.org, linux-fsdevel@vger.kernel.org, linux-cachefs@redhat.com, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-mm@kvack.org, linux-nfs@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, netdev , keyrings@vger.kernel.org, selinux@vger.kernel.org, serge@hallyn.com, amir73il@gmail.com, kernel-team , Jeff Moyer Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Wed, Jun 15, 2022 at 3:14 PM Paul Moore wrote: > > On Wed, Jun 15, 2022 at 6:30 AM Christian Brauner wrote: > > > > On Tue, Jun 14, 2022 at 01:59:08PM -0500, Frederick Lawler wrote: > > > On 6/14/22 11:30 AM, Eric W. Biederman wrote: > > > > Frederick Lawler writes: > > > > > > > > > On 6/13/22 11:44 PM, Eric W. Biederman wrote: > > > > > > Frederick Lawler writes: > > > > > > > > > > > > > Hi Eric, > > > > > > > > > > > > > > On 6/13/22 12:04 PM, Eric W. Biederman wrote: > > > > > > > > Frederick Lawler writes: > > > > > > > > > > > > > > > > > While experimenting with the security_prepare_creds() LSM hook, we > > > > > > > > > noticed that our EPERM error code was not propagated up the callstack. > > > > > > > > > Instead ENOMEM is always returned. As a result, some tools may send a > > > > > > > > > confusing error message to the user: > > > > > > > > > > > > > > > > > > $ unshare -rU > > > > > > > > > unshare: unshare failed: Cannot allocate memory > > > > > > > > > > > > > > > > > > A user would think that the system didn't have enough memory, when > > > > > > > > > instead the action was denied. > > > > > > > > > > > > > > > > > > This problem occurs because prepare_creds() and prepare_kernel_cred() > > > > > > > > > return NULL when security_prepare_creds() returns an error code. Later, > > > > > > > > > functions calling prepare_creds() and prepare_kernel_cred() return > > > > > > > > > ENOMEM because they assume that a NULL meant there was no memory > > > > > > > > > allocated. > > > > > > > > > > > > > > > > > > Fix this by propagating an error code from security_prepare_creds() up > > > > > > > > > the callstack. > > > > > > > > Why would it make sense for security_prepare_creds to return an error > > > > > > > > code other than ENOMEM? > > > > > > > > > That seems a bit of a violation of what that function is supposed to do > > > > > > > > > > > > > > > > > > > > > > The API allows LSM authors to decide what error code is returned from the > > > > > > > cred_prepare hook. security_task_alloc() is a similar hook, and has its return > > > > > > > code propagated. > > > > > > It is not an api. It is an implementation detail of the linux kernel. > > > > > > It is a set of convenient functions that do a job. > > > > > > The general rule is we don't support cases without an in-tree user. I > > > > > > don't see an in-tree user. > > > > > > > > > > > > > I'm proposing we follow security_task_allocs() pattern, and add visibility for > > > > > > > failure cases in prepare_creds(). > > > > > > I am asking why we would want to. Especially as it is not an API, and I > > > > > > don't see any good reason for anything but an -ENOMEM failure to be > > > > > > supported. > > > > > > > > > > > We're writing a LSM BPF policy, and not a new LSM. Our policy aims to solve > > > > > unprivileged unshare, similar to Debian's patch [1]. We're in a position such > > > > > that we can't use that patch because we can't block _all_ of our applications > > > > > from performing an unshare. We prefer a granular approach. LSM BPF seems like a > > > > > good choice. > > > > > > > > I am quite puzzled why doesn't /proc/sys/user/max_user_namespaces work > > > > for you? > > > > > > > > > > We have the following requirements: > > > > > > 1. Allow list criteria > > > 2. root user must be able to create namespaces whenever > > > 3. Everything else not in 1 & 2 must be denied > > > > > > We use per task attributes to determine whether or not we allow/deny the > > > current call to unshare(). > > > > > > /proc/sys/user/max_user_namespaces limits are a bit broad for this level of > > > detail. > > > > > > > > Because LSM BPF exposes these hooks, we should probably treat them as an > > > > > API. From that perspective, userspace expects unshare to return a EPERM > > > > > when the call is denied permissions. > > > > > > > > The BPF code gets to be treated as a out of tree kernel module. > > > > > > > > > > Without an in-tree user that cares it is probably better to go the > > > > > > opposite direction and remove the possibility of return anything but > > > > > > memory allocation failure. That will make it clearer to implementors > > > > > > that a general error code is not supported and this is not a location > > > > > > to implement policy, this is only a hook to allocate state for the LSM. > > > > > > > > > > > > > > > > That's a good point, and it's possible we're using the wrong hook for the > > > > > policy. Do you know of other hooks we can look into? > > > > Fwiw, from this commit it wasn't very clear what you wanted to achieve > > with this. It might be worth considering adding a new security hook for > > this. Within msft it recently came up SELinux might have an interest in > > something like this as well. > > Just to clarify things a bit, I believe SELinux would have an interest > in a LSM hook capable of implementing an access control point for user > namespaces regardless of Microsoft's current needs. I suspect due to > the security relevant nature of user namespaces most other LSMs would > be interested as well; it seems like a well crafted hook would be > welcome by most folks I think. > > -- > paul-moore.com Just to get the full picture: is there actually a good reason not to make this hook support this scenario? I understand it was not originally intended for this, but it is well positioned in the code, covers multiple subsystems (not only user namespaces), doesn't require changing the LSM interface and it already does the job - just the kernel internals need to respect the error code better. What bad things can happen if we extend its use case to not only allocate resources in LSMs? After all, the original Linus email introducing Linux stated that Linux was not intended to be a great OS, but here we are :) Ignat