From: "Serge E. Hallyn" <serge@hallyn.com>
To: Song Liu <songliubraving@fb.com>
Cc: Paul Moore <paul@paul-moore.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Frederick Lawler <fred@cloudflare.com>,
KP Singh <kpsingh@kernel.org>,
"revest@chromium.org" <revest@chromium.org>,
"jackmanb@chromium.org" <jackmanb@chromium.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>, Martin Lau <kafai@fb.com>,
Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
James Morris <jmorris@namei.org>,
"stephen.smalley.work@gmail.com" <stephen.smalley.work@gmail.com>,
"eparis@parisplace.org" <eparis@parisplace.org>,
Shuah Khan <shuah@kernel.org>,
"brauner@kernel.org" <brauner@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
bpf <bpf@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Networking <netdev@vger.kernel.org>,
"kernel-team@cloudflare.com" <kernel-team@cloudflare.com>,
"cgzones@googlemail.com" <cgzones@googlemail.com>,
"karl@bigbadwolfsecurity.com" <karl@bigbadwolfsecurity.com>,
"tixxdz@gmail.com" <tixxdz@gmail.com>
Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns()
Date: Fri, 26 Aug 2022 10:24:45 -0500 [thread overview]
Message-ID: <20220826152445.GB12466@mail.hallyn.com> (raw)
In-Reply-To: <0D14C118-E644-4D7B-84C0-CA7752DC0605@fb.com>
On Thu, Aug 25, 2022 at 09:58:46PM +0000, Song Liu wrote:
>
>
> > On Aug 25, 2022, at 12:19 PM, Paul Moore <paul@paul-moore.com> wrote:
> >
> > On Thu, Aug 25, 2022 at 2:15 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
> >> Paul Moore <paul@paul-moore.com> writes:
> >>> On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> >>>> I am hoping we can come up with
> >>>> "something better" to address people's needs, make everyone happy, and
> >>>> bring forth world peace. Which would stack just fine with what's here
> >>>> for defense in depth.
> >>>>
> >>>> You may well not be interested in further work, and that's fine. I need
> >>>> to set aside a few days to think on this.
> >>>
> >>> I'm happy to continue the discussion as long as it's constructive; I
> >>> think we all are. My gut feeling is that Frederick's approach falls
> >>> closest to the sweet spot of "workable without being overly offensive"
> >>> (*cough*), but if you've got an additional approach in mind, or an
> >>> alternative approach that solves the same use case problems, I think
> >>> we'd all love to hear about it.
> >>
> >> I would love to actually hear the problems people are trying to solve so
> >> that we can have a sensible conversation about the trade offs.
> >
> > Here are several taken from the previous threads, it's surely not a
> > complete list, but it should give you a good idea:
> >
> > https://lore.kernel.org/linux-security-module/CAHC9VhQnPAsmjmKo-e84XDJ1wmaOFkTKPjjztsOa9Yrq+AeAQA@mail.gmail.com/
> >
> >> As best I can tell without more information people want to use
> >> the creation of a user namespace as a signal that the code is
> >> attempting an exploit.
> >
> > Some use cases are like that, there are several other use cases that
> > go beyond this; see all of our previous discussions on this
> > topic/patchset. As has been mentioned before, there are use cases
> > that require improved observability, access control, or both.
> >
> >> As such let me propose instead of returning an error code which will let
> >> the exploit continue, have the security hook return a bool. With true
> >> meaning the code can continue and on false it will trigger using SIGSYS
> >> to terminate the program like seccomp does.
> >
> > Having the kernel forcibly exit the process isn't something that most
> > LSMs would likely want. I suppose we could modify the hook/caller so
> > that *if* an LSM wanted to return SIGSYS the system would kill the
> > process, but I would want that to be something in addition to
> > returning an error code like LSMs normally do (e.g. EACCES).
>
> I am new to user_namespace and security work, so please pardon me if
> anything below is very wrong.
>
> IIUC, user_namespace is a tool that enables trusted userspace code to
> control the behavior of untrusted (or less trusted) userspace code.
No. user namespaces are not a way for more trusted code to control the
behavior of less trusted code.
> Failing create_user_ns() doesn't make the system more reliable.
> Specifically, we call create_user_ns() via two paths: fork/clone and
> unshare. For both paths, we need the userspace to use user_namespace,
> and to honor failed create_user_ns().
>
> On the other hand, I would echo that killing the process is not
> practical in some use cases. Specifically, allowing the application to
> run in a less secure environment for a short period of time might be
> much better than killing it and taking down the whole service. Of
> course, there are other cases that security is more important, and
> taking down the whole service is the better choice.
>
> I guess the ultimate solution is a way to enforce using user_namespace
> in the kernel (if it ever makes sense...). But I don't know how that
> gonna work. Before we have such solution, maybe we only need an
> void hook for observability (or just a tracepoint, coming from BPF
> background).
>
> Thanks,
> Song
next prev parent reply other threads:[~2022-08-26 15:27 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-15 16:20 [PATCH v5 0/4] Introduce security_create_user_ns() Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 1/4] security, lsm: " Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 2/4] bpf-lsm: Make bpf_lsm_userns_create() sleepable Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 3/4] selftests/bpf: Add tests verifying bpf lsm userns_create hook Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 4/4] selinux: Implement " Frederick Lawler
2022-08-16 21:51 ` [PATCH v5 0/4] Introduce security_create_user_ns() Paul Moore
2022-08-17 15:07 ` Eric W. Biederman
2022-08-17 16:01 ` Paul Moore
2022-08-17 19:57 ` Eric W. Biederman
2022-08-17 20:13 ` Paul Moore
2022-08-17 20:56 ` Eric W. Biederman
2022-08-17 21:09 ` Paul Moore
2022-08-17 21:24 ` Eric W. Biederman
2022-08-17 21:50 ` Paul Moore
2022-08-18 0:35 ` Jonathan Chapman-Moore
2022-08-18 14:05 ` Serge E. Hallyn
2022-08-18 15:11 ` Paul Moore
2022-08-19 14:45 ` Serge E. Hallyn
2022-08-19 21:10 ` Paul Moore
2022-08-25 18:15 ` Eric W. Biederman
2022-08-25 19:19 ` Paul Moore
2022-08-25 21:58 ` Song Liu
2022-08-25 22:10 ` Paul Moore
2022-08-25 22:42 ` Song Liu
2022-08-26 15:02 ` Paul Moore
2022-08-26 16:57 ` Song Liu
2022-08-26 15:24 ` Serge E. Hallyn [this message]
2022-08-26 17:00 ` Song Liu
2022-08-26 21:00 ` Serge E. Hallyn
2022-08-26 22:34 ` Song Liu
2022-08-29 15:33 ` Christian Brauner
2022-09-03 3:58 ` Serge E. Hallyn
2022-08-26 9:10 ` Ignat Korchagin
2022-08-26 15:12 ` Paul Moore
2022-08-26 15:23 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220826152445.GB12466@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgzones@googlemail.com \
--cc=daniel@iogearbox.net \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=fred@cloudflare.com \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=karl@bigbadwolfsecurity.com \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=revest@chromium.org \
--cc=selinux@vger.kernel.org \
--cc=shuah@kernel.org \
--cc=songliubraving@fb.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tixxdz@gmail.com \
--cc=torvalds@linux-foundation.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).