From: John Johansen <john.johansen@canonical.com>
To: Jonathan Calmels <jcalmels@3xx0.net>, Paul Moore <paul@paul-moore.com>
Cc: brauner@kernel.org, ebiederm@xmission.com,
Jonathan Corbet <corbet@lwn.net>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
KP Singh <kpsingh@kernel.org>,
Matt Bobrowski <mattbobrowski@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>, Kees Cook <kees@kernel.org>,
Joel Granados <j.granados@samsung.com>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>,
containers@lists.linux.dev, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-security-module@vger.kernel.org, bpf@vger.kernel.org,
apparmor@lists.ubuntu.com, keyrings@vger.kernel.org,
selinux@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks
Date: Tue, 11 Jun 2024 03:31:59 -0700 [thread overview]
Message-ID: <887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com> (raw)
In-Reply-To: <z2bgjrzeq7crqx24chdbxnaanuhczbjnq6da3xw6al6omjj5xz@mqbzzzfva5sw>
On 6/11/24 01:09, Jonathan Calmels wrote:
> On Sun, Jun 09, 2024 at 08:18:48PM GMT, Paul Moore wrote:
>> On Sun, Jun 9, 2024 at 6:40 AM Jonathan Calmels <jcalmels@3xx0.net> wrote:
>>>
>>> This patch allows modifying the various capabilities of the struct cred
>>> in BPF-LSM hooks. More specifically, the userns_create hook called
>>> prior to creating a new user namespace.
>>>
>>> With the introduction of userns capabilities, this effectively provides
>>> a simple way for LSMs to control the capabilities granted to a user
>>> namespace and all its descendants.
>>>
>>> Update the selftests accordingly by dropping CAP_SYS_ADMIN in
>>> namespaces and checking the resulting task's bounding set.
>>>
>>> Signed-off-by: Jonathan Calmels <jcalmels@3xx0.net>
>>> ---
>>> include/linux/lsm_hook_defs.h | 2 +-
>>> include/linux/security.h | 4 +-
>>> kernel/bpf/bpf_lsm.c | 55 +++++++++++++++++++
>>> security/apparmor/lsm.c | 2 +-
>>> security/security.c | 6 +-
>>> security/selinux/hooks.c | 2 +-
>>> .../selftests/bpf/prog_tests/deny_namespace.c | 12 ++--
>>> .../selftests/bpf/progs/test_deny_namespace.c | 7 ++-
>>> 8 files changed, 76 insertions(+), 14 deletions(-)
>>
>> I'm not sure we want to go down the path of a LSM modifying the POSIX
>> capabilities of a task, other than the capabilities/commoncap LSM. It
>> sets a bad precedent and could further complicate issues around LSM
>> ordering.
>
> Well unless I'm misunderstanding, this does allow modifying the
> capabilities/commoncap LSM through BTF. The reason for allowing
> `userns_create` to be modified is that it is functionally very similar
> to `cred_prepare` in that it operates with new creds (but specific to
> user namespaces because of reasons detailed in [1]).
>
yes
> There were some concerns in previous threads that the userns caps by
> themselves wouldn't be granular enough, hence the LSM integration.
> Ubuntu for example, currently has to resort to a hardcoded profile
> transition to achieve this [2].
>
The hard coded profile transition, is because the more generic solution
as part of policy just wasn't ready. The hard coding will go away before
it is upstreamed.
But yes, updating the cred really is necessary for the flexibility needed
whether it is modifying the POSIX capabilities of the task or the LSM
modifying its own security blob.
I do share some of Paul's concerns about the LSM modifying the POSIX
capabilities of the task, but also thing the LSM here needs to be
able to modify its own blob.
I have a very similar patch I was planning on posting once the
work to fix the hard coded profile transition is done.
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7cd4c5c2101cb092db00f61f69d24380cf7a0ee8
> [2] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=43a6c29532f517179fea8c94949d657d71f4fc13
next prev parent reply other threads:[~2024-06-11 10:32 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-09 10:43 [PATCH v2 0/4] Introduce user namespace capabilities Jonathan Calmels
2024-06-09 10:43 ` [PATCH v2 1/4] capabilities: Add " Jonathan Calmels
2024-06-10 1:50 ` Serge E. Hallyn
2024-06-10 8:47 ` Jonathan Calmels
2024-06-10 12:48 ` Serge E. Hallyn
2024-06-10 13:00 ` Serge E. Hallyn
2024-06-11 8:20 ` Jonathan Calmels
2024-06-15 15:19 ` Serge E. Hallyn
2024-06-09 10:43 ` [PATCH v2 2/4] capabilities: Add securebit to restrict userns caps Jonathan Calmels
2024-06-10 2:33 ` Serge E. Hallyn
2024-06-10 9:46 ` Jonathan Calmels
2024-06-10 13:05 ` Serge E. Hallyn
2024-06-28 14:43 ` Jarkko Sakkinen
2024-06-28 14:45 ` Jarkko Sakkinen
2024-06-09 10:43 ` [PATCH v2 3/4] capabilities: Add sysctl to mask off " Jonathan Calmels
2024-06-09 10:43 ` [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks Jonathan Calmels
2024-06-10 0:18 ` Paul Moore
2024-06-11 8:09 ` Jonathan Calmels
2024-06-11 10:31 ` John Johansen [this message]
2024-06-11 19:01 ` Paul Moore
2024-06-11 22:20 ` Jonathan Calmels
2024-06-11 22:38 ` Paul Moore
2024-06-12 8:20 ` Jonathan Calmels
2024-06-12 17:29 ` Paul Moore
2024-06-13 3:54 ` John Johansen
2024-06-13 8:50 ` Jonathan Calmels
2024-06-13 20:55 ` Paul Moore
2024-06-15 15:20 ` Serge E. Hallyn
2024-06-13 10:45 ` Dr. Greg
2024-06-13 20:43 ` Paul Moore
2024-06-10 20:12 ` [PATCH v2 0/4] Introduce user namespace capabilities Josef Bacik
2024-06-11 8:33 ` Jonathan Calmels
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=887a3658-2d8d-4f9e-98f2-27124bb6f8e6@canonical.com \
--to=john.johansen@canonical.com \
--cc=andrii@kernel.org \
--cc=apparmor@lists.ubuntu.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=containers@lists.linux.dev \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=j.granados@samsung.com \
--cc=jarkko@kernel.org \
--cc=jcalmels@3xx0.net \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kees@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mattbobrowski@google.com \
--cc=mcgrof@kernel.org \
--cc=mykolal@fb.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sdf@google.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox