Re: [PATCH 0/2] Introduce security_create_user_ns()

From: Casey Schaufler
Date: Tue Jun 21 2022 - 20:19:32 EST

Next message: kernel test robot: "[mgr:v5.19/topic/rk3568-vepu-h264-stateless-bootlin 3/4] drivers/staging/media/hantro/hantro_h264.c:1254:27: sparse: sparse: incorrect type in assignment (different base types)"
Previous message: Dylan Hatch: "Re: [PATCH] selftests/proc: Fix proc-pid-vm for vsyscall=xonly."
In reply to: Frederick Lawler: "[PATCH 2/2] bpf-lsm: Make bpf_lsm_create_user_ns() sleepable"
Next in thread: Frederick Lawler: "Re: [PATCH 0/2] Introduce security_create_user_ns()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/21/2022 4:39 PM, Frederick Lawler wrote:

While creating a LSM BPF MAC policy to block user namespace creation, we
used the LSM cred_prepare hook because that is the closest hook to prevent
a call to create_user_ns().

The calls look something like this:

cred = prepare_creds()
security_prepare_creds()
call_int_hook(cred_prepare, ...
if (cred)
create_user_ns(cred)

We noticed that error codes were not propagated from this hook and
introduced a patch [1] to propagate those errors.

The discussion notes that security_prepare_creds()
is not appropriate for MAC policies, and instead the hook is
meant for LSM authors to prepare credentials for mutation. [2]

Ultimately, we concluded that a better course of action is to introduce
a new security hook for LSM authors. [3]

This patch set first introduces a new security_create_user_ns() function
and create_user_ns LSM hook, then marks the hook as sleepable in BPF.

Why restrict this hook to user namespaces? It seems that an LSM that
chooses to preform controls on user namespaces may want to do so for
network namespaces as well. Also, the hook seems backwards. You should
decide if the creation of the namespace is allowed before you create it.
Passing the new namespace to a function that checks to see creating a
namespace is allowed doesn't make a lot off sense.

Links:
1. https://lore.kernel.org/all/20220608150942.776446-1-fred@xxxxxxxxxxxxxx/
2. https://lore.kernel.org/all/87y1xzyhub.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@xxxxxxxxxxxxxx/

Frederick Lawler (2):
security, lsm: Introduce security_create_user_ns()
bpf-lsm: Make bpf_lsm_create_user_ns() sleepable

include/linux/lsm_hook_defs.h | 2 ++
include/linux/lsm_hooks.h | 5 +++++
include/linux/security.h | 8 ++++++++
kernel/bpf/bpf_lsm.c | 1 +
kernel/user_namespace.c | 5 +++++
security/security.c | 6 ++++++
6 files changed, 27 insertions(+)

--
2.30.2

Next message: kernel test robot: "[mgr:v5.19/topic/rk3568-vepu-h264-stateless-bootlin 3/4] drivers/staging/media/hantro/hantro_h264.c:1254:27: sparse: sparse: incorrect type in assignment (different base types)"
Previous message: Dylan Hatch: "Re: [PATCH] selftests/proc: Fix proc-pid-vm for vsyscall=xonly."
In reply to: Frederick Lawler: "[PATCH 2/2] bpf-lsm: Make bpf_lsm_create_user_ns() sleepable"
Next in thread: Frederick Lawler: "Re: [PATCH 0/2] Introduce security_create_user_ns()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]