Re: [PATCH v3 0/4] Introduce security_create_user_ns()

From: Martin KaFai Lau
Date: Fri Jul 22 2022 - 02:12:11 EST

Next message: Alexander Stein: "Re: [PATCH v1 02/12] ARM: dts: imx6qdl-mba6: don't use multiple blank lines"
Previous message: Xingrui Yi: "[PATCH] vt: remove old FONT ioctls definitions in uapi"
In reply to: Frederick Lawler: "[PATCH v3 4/4] selinux: Implement userns_create hook"
Next in thread: Paul Moore: "Re: [PATCH v3 0/4] Introduce security_create_user_ns()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jul 21, 2022 at 12:28:04PM -0500, Frederick Lawler wrote:
> While creating a LSM BPF MAC policy to block user namespace creation, we
> used the LSM cred_prepare hook because that is the closest hook to prevent
> a call to create_user_ns().
>
> The calls look something like this:
>
> cred = prepare_creds()
> security_prepare_creds()
> call_int_hook(cred_prepare, ...
> if (cred)
> create_user_ns(cred)
>
> We noticed that error codes were not propagated from this hook and
> introduced a patch [1] to propagate those errors.
>
> The discussion notes that security_prepare_creds()
> is not appropriate for MAC policies, and instead the hook is
> meant for LSM authors to prepare credentials for mutation. [2]
>
> Ultimately, we concluded that a better course of action is to introduce
> a new security hook for LSM authors. [3]
>
> This patch set first introduces a new security_create_user_ns() function
> and userns_create LSM hook, then marks the hook as sleepable in BPF.
Patch 1 and 4 still need review from the lsm/security side.

Next message: Alexander Stein: "Re: [PATCH v1 02/12] ARM: dts: imx6qdl-mba6: don't use multiple blank lines"
Previous message: Xingrui Yi: "[PATCH] vt: remove old FONT ioctls definitions in uapi"
In reply to: Frederick Lawler: "[PATCH v3 4/4] selinux: Implement userns_create hook"
Next in thread: Paul Moore: "Re: [PATCH v3 0/4] Introduce security_create_user_ns()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]