From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Paul Moore <paul@paul-moore.com>,
Frederick Lawler <fred@cloudflare.com>,
kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org,
ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
kafai@fb.com, songliubraving@fb.com, yhs@fb.com,
john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com,
stephen.smalley.work@gmail.com, eparis@parisplace.org,
shuah@kernel.org, brauner@kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, kernel-team@cloudflare.com,
cgzones@googlemail.com, karl@bigbadwolfsecurity.com
Subject: Re: [PATCH v4 0/4] Introduce security_create_user_ns()
Date: Tue, 09 Aug 2022 16:52:06 -0500 [thread overview]
Message-ID: <87bkstaxvd.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <f38216d8-8ee4-d6fd-a5b1-0d21013e09c6@schaufler-ca.com> (Casey Schaufler's message of "Tue, 9 Aug 2022 10:43:30 -0700")
Casey Schaufler <casey@schaufler-ca.com> writes:
> Smack has no interest in using the proposed hook because user namespaces
> are neither subjects nor objects. They are collections of DAC and/or
> privilege configuration alternatives. Or something like that. From the
> viewpoint of a security module that only implements old fashioned MAC
> there is no value in constraining user namespaces.
The goal is to simply enable things that become safe when you don't have
to worry about confusing setuid executables.
> SELinux, on the other hand, seeks to be comprehensive well beyond
> controlling accesses between subjects and objects. Asking the question
> "should there be a control on this operation?" seems sufficient to justify
> adding the control to SELinux policy. This is characteristic of
> "Fine Grain" control.
I see that from a theoretical standpoint. On the flip side I prefer
arguments grounded in something more than what an abstract framework
could appreciate. We are so far from any theoretical purity in the
linux kernel that I can't see theoretical purity being enough to justify
a decision like this.
> So I'm of two minds on this. I don't need the hook, but I also understand
> why SELinux and BPF want it. I don't necessarily agree with their logic,
> but it is consistent with existing behavior. Any system that uses either
> of those security modules needs to be ready for unexpected denials based
> on any potential security concern. Keeping namespaces completely orthogonal
> to LSM seems doomed to failure eventually.
I can cross that bridge when there is a healthy conversation about such
a change.
Too often I get "ouch! Creating a user namespace was used as the easiest
way to exploit a security bug. Let's solve the issue by denying user
namespaces." Which leads to half thought out policies made out of fear.
Which is where I think this conversation started. I haven't seen it
make it's way to any healthy reasons to deny user namespaces yet.
Eric
next prev parent reply other threads:[~2022-08-09 21:52 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-01 18:01 [PATCH v4 0/4] Introduce security_create_user_ns() Frederick Lawler
2022-08-01 18:01 ` [PATCH v4 1/4] security, lsm: " Frederick Lawler
2022-08-02 21:47 ` KP Singh
2022-08-03 13:13 ` Frederick Lawler
2022-08-01 18:01 ` [PATCH v4 2/4] bpf-lsm: Make bpf_lsm_userns_create() sleepable Frederick Lawler
2022-08-01 23:00 ` Alexei Starovoitov
2022-08-01 23:06 ` Paul Moore
2022-08-02 21:29 ` KP Singh
2022-08-01 18:01 ` [PATCH v4 3/4] selftests/bpf: Add tests verifying bpf lsm userns_create hook Frederick Lawler
2022-08-02 22:08 ` KP Singh
2022-08-01 18:01 ` [PATCH v4 4/4] selinux: Implement " Frederick Lawler
2022-08-02 2:56 ` [PATCH v4 0/4] Introduce security_create_user_ns() Eric W. Biederman
2022-08-03 2:10 ` Paul Moore
2022-08-08 18:56 ` Eric W. Biederman
2022-08-08 19:16 ` Paul Moore
2022-08-08 19:26 ` Eric W. Biederman
2022-08-08 19:43 ` Eric W. Biederman
2022-08-08 22:47 ` Paul Moore
2022-08-09 16:07 ` Eric W. Biederman
2022-08-09 16:47 ` Paul Moore
2022-08-09 21:40 ` Eric W. Biederman
2022-08-09 22:40 ` Paul Moore
2022-08-10 0:51 ` Alexei Starovoitov
2022-08-09 17:43 ` Casey Schaufler
2022-08-09 21:52 ` Eric W. Biederman [this message]
2022-08-08 19:49 ` Paul Moore
2022-08-09 16:40 ` Eric W. Biederman
2022-08-14 15:55 ` Serge E. Hallyn
2022-08-15 2:32 ` Paul Moore
2022-08-15 15:41 ` Serge E. Hallyn
2022-08-15 16:24 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bkstaxvd.fsf@email.froward.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgzones@googlemail.com \
--cc=daniel@iogearbox.net \
--cc=eparis@parisplace.org \
--cc=fred@cloudflare.com \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=karl@bigbadwolfsecurity.com \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=revest@chromium.org \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=songliubraving@fb.com \
--cc=stephen.smalley.work@gmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.