From mboxrd@z Thu Jan 1 00:00:00 1970 From: casey.schaufler@intel.com (Schaufler, Casey) Date: Thu, 27 Sep 2018 23:19:28 +0000 Subject: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel In-Reply-To: References: <20180926203446.2004-1-casey.schaufler@intel.com> <20180926203446.2004-6-casey.schaufler@intel.com> <025d4742-5947-545e-f603-502a0c5ee03f@schaufler-ca.com> Message-ID: <99FC4B6EFCEFD44486C35F4C281DC67321463CE3@ORSMSX107.amr.corp.intel.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org > -----Original Message----- > From: James Morris [mailto:jmorris at namei.org] > Sent: Thursday, September 27, 2018 3:47 PM > To: Casey Schaufler > Cc: Schaufler, Casey ; kristen at linux.intel.com; > kernel-hardening at lists.openwall.com; Dock, Deneen T > ; linux-kernel at vger.kernel.org; Hansen, Dave > ; linux-security-module at vger.kernel.org; > selinux at tycho.nsa.gov; arjan at linux.intel.com > Subject: Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel > > On Thu, 27 Sep 2018, Casey Schaufler wrote: > > > On 9/27/2018 2:45 PM, James Morris wrote: > > > On Wed, 26 Sep 2018, Casey Schaufler wrote: > > > > > >> + /* > > >> + * Namespace checks. Considered safe if: > > >> + * cgroup namespace is the same > > >> + * User namespace is the same > > >> + * PID namespace is the same > > >> + */ > > >> + if (current->nsproxy) > > >> + ccgn = current->nsproxy->cgroup_ns; > > >> + if (p->nsproxy) > > >> + pcgn = p->nsproxy->cgroup_ns; > > >> + if (ccgn != pcgn) > > >> + return -EACCES; > > >> + if (current->cred->user_ns != p->cred->user_ns) > > >> + return -EACCES; > > >> + if (task_active_pid_ns(current) != task_active_pid_ns(p)) > > >> + return -EACCES; > > >> + return 0; > > > I really don't like the idea of hard-coding namespace security semantics > > > in an LSM. Also, I'm not sure if these semantics make any sense. > > > > Checks on namespaces where explicitly requested. > > By whom and what is the rationale? The rationale is to protect containers. Since those closest thing there is to a definition of containers is "uses namespaces" that becomes the focus. Separating them out does not make too much sense as I would expect someone concerned with one to be concerned with all.