From: "Christian Göttsche" <cgzones@googlemail.com>
To: Frederick Lawler <fred@cloudflare.com>
Cc: KP Singh <kpsingh@kernel.org>,
revest@chromium.org, jackmanb@chromium.org,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
shuah@kernel.org, Christian Brauner <brauner@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
SElinux list <selinux@vger.kernel.org>,
linux-kselftest@vger.kernel.org,
Linux kernel mailing list <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, kernel-team@cloudflare.com
Subject: Re: [PATCH v2 0/4] Introduce security_create_user_ns()
Date: Fri, 8 Jul 2022 14:10:04 +0200 [thread overview]
Message-ID: <CAJ2a_DezgSpc28jvJuU_stT7V7et-gD7qjy409oy=ZFaUxJneg@mail.gmail.com> (raw)
In-Reply-To: <20220707223228.1940249-1-fred@cloudflare.com>
,On Fri, 8 Jul 2022 at 00:32, Frederick Lawler <fred@cloudflare.com> wrote:
>
> While creating a LSM BPF MAC policy to block user namespace creation, we
> used the LSM cred_prepare hook because that is the closest hook to prevent
> a call to create_user_ns().
>
> The calls look something like this:
>
> cred = prepare_creds()
> security_prepare_creds()
> call_int_hook(cred_prepare, ...
> if (cred)
> create_user_ns(cred)
>
> We noticed that error codes were not propagated from this hook and
> introduced a patch [1] to propagate those errors.
>
> The discussion notes that security_prepare_creds()
> is not appropriate for MAC policies, and instead the hook is
> meant for LSM authors to prepare credentials for mutation. [2]
>
> Ultimately, we concluded that a better course of action is to introduce
> a new security hook for LSM authors. [3]
>
> This patch set first introduces a new security_create_user_ns() function
> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
Some thoughts:
I.
Why not make the hook more generic, e.g. support all other existing
and potential future namespaces?
Also I think the naming scheme is <object>_<verb>.
LSM_HOOK(int, 0, namespace_create, const struct cred *cred,
unsigned int flags)
where flags is a bitmap of CLONE flags from include/uapi/linux/sched.h
(like CLONE_NEWUSER).
II.
While adding policing for namespaces maybe also add a new hook for setns(2)
LSM_HOOK(int, 0, namespace_join, const struct cred *subj, const
struct cred *obj, unsigned int flags)
III.
Maybe even attach a security context to namespaces so they can be
further governed?
SELinux example:
type domainA_userns_t;
type_transition domainA_t domainA_t : namespace domainA_userns_t "user";
allow domainA_t domainA_userns_t:namespace create;
# domainB calling setns(2) with domainA as target
allow domainB_t domainA_userns_t:namespace join;
>
> Links:
> 1. https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/
> 2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/
> 3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare.com/
>
> Changes since v1:
> - Add selftests/bpf: Add tests verifying bpf lsm create_user_ns hook patch
> - Add selinux: Implement create_user_ns hook patch
> - Change function signature of security_create_user_ns() to only take
> struct cred
> - Move security_create_user_ns() call after id mapping check in
> create_user_ns()
> - Update documentation to reflect changes
>
> Frederick Lawler (4):
> security, lsm: Introduce security_create_user_ns()
> bpf-lsm: Make bpf_lsm_create_user_ns() sleepable
> selftests/bpf: Add tests verifying bpf lsm create_user_ns hook
> selinux: Implement create_user_ns hook
>
> include/linux/lsm_hook_defs.h | 1 +
> include/linux/lsm_hooks.h | 4 +
> include/linux/security.h | 6 ++
> kernel/bpf/bpf_lsm.c | 1 +
> kernel/user_namespace.c | 5 ++
> security/security.c | 5 ++
> security/selinux/hooks.c | 9 ++
> security/selinux/include/classmap.h | 2 +
> .../selftests/bpf/prog_tests/deny_namespace.c | 88 +++++++++++++++++++
> .../selftests/bpf/progs/test_deny_namespace.c | 39 ++++++++
> 10 files changed, 160 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/deny_namespace.c
> create mode 100644 tools/testing/selftests/bpf/progs/test_deny_namespace.c
>
> --
> 2.30.2
>
next prev parent reply other threads:[~2022-07-08 12:10 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-07 22:32 [PATCH v2 0/4] Introduce security_create_user_ns() Frederick Lawler
2022-07-07 22:32 ` [PATCH v2 1/4] security, lsm: " Frederick Lawler
2022-07-07 22:32 ` [PATCH v2 2/4] bpf-lsm: Make bpf_lsm_create_user_ns() sleepable Frederick Lawler
2022-07-07 22:32 ` [PATCH v2 3/4] selftests/bpf: Add tests verifying bpf lsm create_user_ns hook Frederick Lawler
2022-07-07 22:32 ` [PATCH v2 4/4] selinux: Implement " Frederick Lawler
2022-07-20 1:32 ` Paul Moore
2022-07-20 14:57 ` Frederick Lawler
[not found] ` <CA+EEuAhfMrg=goGhWxVW2=i4Z7mVN4GvfzettvX8T+tFcOPKCw@mail.gmail.com>
2022-07-20 14:52 ` Paul Moore
2022-07-08 12:10 ` Christian Göttsche [this message]
2022-07-08 14:01 ` [PATCH v2 0/4] Introduce security_create_user_ns() Frederick Lawler
2022-07-08 14:35 ` Christian Brauner
2022-07-08 16:11 ` Casey Schaufler
2022-07-14 14:27 ` Serge E. Hallyn
2022-07-19 19:59 ` Frederick Lawler
2022-07-20 1:32 ` Paul Moore
2022-07-20 21:42 ` Casey Schaufler
2022-07-20 22:39 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJ2a_DezgSpc28jvJuU_stT7V7et-gD7qjy409oy=ZFaUxJneg@mail.gmail.com' \
--to=cgzones@googlemail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=daniel@iogearbox.net \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=fred@cloudflare.com \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=revest@chromium.org \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=songliubraving@fb.com \
--cc=stephen.smalley.work@gmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.