From: Paul Moore <paul@paul-moore.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: "Frederick Lawler" <fred@cloudflare.com>,
"Christian Göttsche" <cgzones@googlemail.com>,
"KP Singh" <kpsingh@kernel.org>,
revest@chromium.org, jackmanb@chromium.org,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <kafai@fb.com>,
"Song Liu" <songliubraving@fb.com>, "Yonghong Song" <yhs@fb.com>,
"John Fastabend" <john.fastabend@gmail.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Eric Paris" <eparis@parisplace.org>,
shuah@kernel.org, "Christian Brauner" <brauner@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
"SElinux list" <selinux@vger.kernel.org>,
linux-kselftest@vger.kernel.org,
"Linux kernel mailing list" <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, kernel-team@cloudflare.com
Subject: Re: [PATCH v2 0/4] Introduce security_create_user_ns()
Date: Wed, 20 Jul 2022 18:39:05 -0400 [thread overview]
Message-ID: <CAHC9VhTFb7=FUyq4oM8ULtnZpZYj3ztpNhASy3WtHnn6QWwZig@mail.gmail.com> (raw)
In-Reply-To: <f1f8b350-4dc5-b975-3854-ecbf9f4e54ba@schaufler-ca.com>
On Wed, Jul 20, 2022 at 5:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 7/19/2022 6:32 PM, Paul Moore wrote:
> > On Fri, Jul 8, 2022 at 12:11 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >> On 7/8/2022 7:01 AM, Frederick Lawler wrote:
> >>> On 7/8/22 7:10 AM, Christian Göttsche wrote:
> >>>> ,On Fri, 8 Jul 2022 at 00:32, Frederick Lawler <fred@cloudflare.com>
> >>>> wrote:
...
> >>>> III.
> >>>>
> >>>> Maybe even attach a security context to namespaces so they can be
> >>>> further governed?
> >> That would likely add confusion to the existing security module namespace
> >> efforts. SELinux, Smack and AppArmor have all developed namespace models.
> >
> > I'm not sure I fully understand what Casey is saying here as SELinux
> > does not yet have an established namespace model to the best of my
> > understanding, but perhaps we are talking about different concepts for
> > the word "namespace"?
>
> Stephen Smalley proposed a SELinux namespace model, with patches,
> some time back. It hasn't been adopted, but I've seen at least one
> attempt to revive it. You're right that there isn't an established
> model.
If it isn't in the mainline kernel, it isn't an established namespace model.
I ported Stephen's initial namespace patches to new kernels for quite
some time, look at the working-selinuxns branch in the main SELinux
repository, but that doesn't mean they are ready for upstreaming.
Aside from some pretty critical implementation holes, there is the
much larger conceptual issue of how to deal with persistent filesystem
objects. We've discussed that quite a bit among the SELinux
developers but have yet to arrive at a good-enough solution. I have
some thoughts on how we might be able to make forward progress on
that, but it's wildly off-topic for this patchset discussion. I
mostly wanted to make sure I was understanding what you were
referencing when you talked about a "SELinux namespace model", and it
is what I suspected ... which I believe is unrelated to the patches
being discussed here.
> >> That, or it could replace the various independent efforts with a single,
> >> unified security module namespace effort.
> >
> > We've talked about this before and I just don't see how that could
> > ever work, the LSM implementations are just too different to do
> > namespacing at the LSM layer.
>
> It's possible that fresh eyes might see options that those who have
> been staring at the current state and historical proposals may have
> missed.
That's always a possibility, and I'm definitely open to a clever
approach that would resolve all the current issues and not paint us
into a corner in the future, but I haven't seen anything close (or any
serious effort for that matter).
... and this still remains way off-topic for a discussion around
adding a hook to allow LSMs to enforce access controls on user
namespace creation.
> > If a LSM is going to namespace
> > themselves, they need the ability to define what that means without
> > having to worry about what other LSMs want to do.
>
> Possibly. On the other hand, if someone came up with a rational scheme
> for general xattr namespacing I don't see that anyone would pass it up.
Oh geez ...
Namespacing xattrs is not the same thing as namespacing LSMs. LSMs
may make use of xattrs, and namespacing xattrs may make it easier to
namespace a given LSM, but I'm not aware of an in-tree LSM that would
be magically namespaced if xattrs were namespaced.
This patchset has nothing to do with xattrs, it deals with adding a
LSM hook to implement LSM-based access controls for user namespace
creation.
--
paul-moore.com
prev parent reply other threads:[~2022-07-20 22:39 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-07 22:32 [PATCH v2 0/4] Introduce security_create_user_ns() Frederick Lawler
2022-07-07 22:32 ` [PATCH v2 1/4] security, lsm: " Frederick Lawler
2022-07-07 22:32 ` [PATCH v2 2/4] bpf-lsm: Make bpf_lsm_create_user_ns() sleepable Frederick Lawler
2022-07-07 22:32 ` [PATCH v2 3/4] selftests/bpf: Add tests verifying bpf lsm create_user_ns hook Frederick Lawler
2022-07-07 22:32 ` [PATCH v2 4/4] selinux: Implement " Frederick Lawler
2022-07-20 1:32 ` Paul Moore
2022-07-20 14:57 ` Frederick Lawler
[not found] ` <CA+EEuAhfMrg=goGhWxVW2=i4Z7mVN4GvfzettvX8T+tFcOPKCw@mail.gmail.com>
2022-07-20 14:52 ` Paul Moore
2022-07-08 12:10 ` [PATCH v2 0/4] Introduce security_create_user_ns() Christian Göttsche
2022-07-08 14:01 ` Frederick Lawler
2022-07-08 14:35 ` Christian Brauner
2022-07-08 16:11 ` Casey Schaufler
2022-07-14 14:27 ` Serge E. Hallyn
2022-07-19 19:59 ` Frederick Lawler
2022-07-20 1:32 ` Paul Moore
2022-07-20 21:42 ` Casey Schaufler
2022-07-20 22:39 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhTFb7=FUyq4oM8ULtnZpZYj3ztpNhASy3WtHnn6QWwZig@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgzones@googlemail.com \
--cc=daniel@iogearbox.net \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=fred@cloudflare.com \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=revest@chromium.org \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=songliubraving@fb.com \
--cc=stephen.smalley.work@gmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).