Re: [RESEND RFC PATCH v2 00/14] device_cgroup: guard mknod for non-initial user namespace

From: Christian Brauner
Date: Fri Nov 24 2023 - 11:47:45 EST

Next message: Simon Horman: "Re: [PATCH net-next v3] firmware_loader: Expand Firmware upload error codes with firmware invalid error"
Previous message: Simon Horman: "Re: [PATCH net-next v2] firmware_loader: Expand Firmware upload error codes with firmware invalid error"
Next in thread: Christian Brauner: "Re: [RESEND RFC PATCH v2 00/14] device_cgroup: guard mknod for non-initial user namespace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> - Integrate this as LSM (Christian, Paul)

Huh, my rant made you write an LSM. I'm not sure if that's a good or bad
thing...

So I dislike this less than the initial version that just worked around
SB_I_NODEV and this might be able to go somewhere. _But_ I want to see
the rules written down:

(1) current device access management
I summarized the current places where that's done very very briefly in
https://lore.kernel.org/all/20230815-feigling-kopfsache-56c2d31275bd@brauner

* inode_permission()
-> devcgroup_inode_permission()

* vfs_mknod()
-> devcgroup_inode_mknod()

* blkdev_get_by_dev() // sget()/sget_fc(), other ways to open block devices and friends
-> devcgroup_check_permission()

* drivers/gpu/drm/amd/amdkfd // weird restrictions on showing gpu info afaict
-> devcgroup_check_permission()

but that's not enough. What we need is a summary of how device node
creation and device node opening currently interact.

Because it is subtle. Currently you cannot even create device nodes
without capable(CAP_SYS_ADMIN) and you can't open any existing ones
if you lack capable(CAP_SYS_ADMIN).

Years ago we tried that insane model where we enabled userspace to
create device nodes but not open them. IOW, the capability check
for device node creation was lifted but the SB_I_NODEV limitation
wasn't lifted. That broke the whole world and had to be reverted.

(2) LSM device access management

I really want to be able to see how you envision the permission
checking to work in the new model. Specifically:

* How do device node creation and device node opening interact.
* The consequences of allowing to remove the SB_I_NODEV restriction.
* Permission checking for users without and without a bpf guarded
profile.

If you write this down we'll add it to documentation as well or to the
commit messages. It won't be lost. It doesn't have to be some really
long thing. I just want to better understand what you think this is
going to do and what the code does.

Next message: Simon Horman: "Re: [PATCH net-next v3] firmware_loader: Expand Firmware upload error codes with firmware invalid error"
Previous message: Simon Horman: "Re: [PATCH net-next v2] firmware_loader: Expand Firmware upload error codes with firmware invalid error"
Next in thread: Christian Brauner: "Re: [RESEND RFC PATCH v2 00/14] device_cgroup: guard mknod for non-initial user namespace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]