From: "Serge E. Hallyn" <serge@hallyn.com>
To: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Arnd Bergmann <arnd@arndb.de>,
Casey Schaufler <casey@schaufler-ca.com>,
David Howells <dhowells@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Eric Paris <eparis@parisplace.org>,
Fabian Frederick <fabf@skynet.be>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Jiri Slaby <jslaby@suse.com>, Joe Perches <joe@perches.com>,
John Johansen <john.johansen@canonical.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
NeilBrown <neilb@suse.de>, Oleg Nesterov <oleg@redhat.com>,
Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@
Subject: Re: [PATCH v3 01/11] user_ns: 3 new LSM hooks for user namespace operations
Date: Thu, 30 Jul 2015 16:30:59 -0500 [thread overview]
Message-ID: <20150730213059.GA13589@mail.hallyn.com> (raw)
In-Reply-To: <1437732285-11524-2-git-send-email-l.pawelczyk@samsung.com>
On Fri, Jul 24, 2015 at 12:04:35PM +0200, Lukasz Pawelczyk wrote:
> This commit implements 3 new LSM hooks that provide the means for LSMs
> to embed their own security context within user namespace, effectively
> creating some sort of a user_ns related security namespace.
>
> The first one to take advantage of this mechanism is Smack.
>
> The hooks has been documented in the in the security.h below.
>
> Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/lsm_hooks.h | 28 ++++++++++++++++++++++++++++
> include/linux/security.h | 23 +++++++++++++++++++++++
> include/linux/user_namespace.h | 4 ++++
> kernel/user.c | 3 +++
> kernel/user_namespace.c | 18 ++++++++++++++++++
> security/security.c | 28 ++++++++++++++++++++++++++++
> 6 files changed, 104 insertions(+)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 9429f05..228558c 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1261,6 +1261,23 @@
> * audit_rule_init.
> * @rule contains the allocated rule
> *
> + * @userns_create:
> + * Allocates and fills the security part of a new user namespace.
> + * @ns points to a newly created user namespace.
> + * Returns 0 or an error code.
> + *
> + * @userns_free:
> + * Deallocates the security part of a user namespace.
> + * @ns points to a user namespace about to be destroyed.
> + *
> + * @userns_setns:
> + * Run during a setns syscall to add a process to an already existing
> + * user namespace. Returning failure here will block the operation
> + * requested from userspace (setns() with CLONE_NEWUSER).
> + * @nsproxy contains nsproxy to which the user namespace will be assigned.
> + * @ns contains user namespace that is to be incorporated to the nsproxy.
> + * Returns 0 or an error code.
> + *
> * @inode_notifysecctx:
> * Notify the security module of what the security context of an inode
> * should be. Initializes the incore security context managed by the
> @@ -1613,6 +1630,12 @@ union security_list_options {
> struct audit_context *actx);
> void (*audit_rule_free)(void *lsmrule);
> #endif /* CONFIG_AUDIT */
> +
> +#ifdef CONFIG_USER_NS
> + int (*userns_create)(struct user_namespace *ns);
> + void (*userns_free)(struct user_namespace *ns);
> + int (*userns_setns)(struct nsproxy *nsproxy, struct user_namespace *ns);
> +#endif /* CONFIG_USER_NS */
> };
>
> struct security_hook_heads {
> @@ -1824,6 +1847,11 @@ struct security_hook_heads {
> struct list_head audit_rule_match;
> struct list_head audit_rule_free;
> #endif /* CONFIG_AUDIT */
> +#ifdef CONFIG_USER_NS
> + struct list_head userns_create;
> + struct list_head userns_free;
> + struct list_head userns_setns;
> +#endif /* CONFIG_USER_NS */
> };
>
> /*
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 79d85dd..1b0eccc 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1584,6 +1584,29 @@ static inline void security_audit_rule_free(void *lsmrule)
> #endif /* CONFIG_SECURITY */
> #endif /* CONFIG_AUDIT */
>
> +#ifdef CONFIG_USER_NS
> +int security_userns_create(struct user_namespace *ns);
> +void security_userns_free(struct user_namespace *ns);
> +int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns);
> +
> +#else
> +
> +static inline int security_userns_create(struct user_namespace *ns)
> +{
> + return 0;
> +}
> +
> +static inline void security_userns_free(struct user_namespace *ns)
> +{ }
> +
> +static inline int security_userns_setns(struct nsproxy *nsproxy,
> + struct user_namespace *ns)
> +{
> + return 0;
> +}
> +
> +#endif /* CONFIG_USER_NS */
> +
> #ifdef CONFIG_SECURITYFS
>
> extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> index 8297e5b..a9400cc 100644
> --- a/include/linux/user_namespace.h
> +++ b/include/linux/user_namespace.h
> @@ -39,6 +39,10 @@ struct user_namespace {
> struct key *persistent_keyring_register;
> struct rw_semaphore persistent_keyring_register_sem;
> #endif
> +
> +#ifdef CONFIG_SECURITY
> + void *security;
> +#endif
> };
>
> extern struct user_namespace init_user_ns;
> diff --git a/kernel/user.c b/kernel/user.c
> index b069ccb..ce5419e 100644
> --- a/kernel/user.c
> +++ b/kernel/user.c
> @@ -59,6 +59,9 @@ struct user_namespace init_user_ns = {
> .persistent_keyring_register_sem =
> __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),
> #endif
> +#ifdef CONFIG_SECURITY
> + .security = NULL,
> +#endif
> };
> EXPORT_SYMBOL_GPL(init_user_ns);
>
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 4109f83..cadffb6 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -22,6 +22,7 @@
> #include <linux/ctype.h>
> #include <linux/projid.h>
> #include <linux/fs_struct.h>
> +#include <linux/security.h>
>
> static struct kmem_cache *user_ns_cachep __read_mostly;
> static DEFINE_MUTEX(userns_state_mutex);
> @@ -108,6 +109,15 @@ int create_user_ns(struct cred *new)
>
> set_cred_user_ns(new, ns);
>
> +#ifdef CONFIG_SECURITY
> + ret = security_userns_create(ns);
> + if (ret) {
> + ns_free_inum(&ns->ns);
> + kmem_cache_free(user_ns_cachep, ns);
> + return ret;
> + }
> +#endif
> +
> #ifdef CONFIG_PERSISTENT_KEYRINGS
> init_rwsem(&ns->persistent_keyring_register_sem);
> #endif
> @@ -143,6 +153,9 @@ void free_user_ns(struct user_namespace *ns)
> #ifdef CONFIG_PERSISTENT_KEYRINGS
> key_put(ns->persistent_keyring_register);
> #endif
> +#ifdef CONFIG_SECURITY
> + security_userns_free(ns);
> +#endif
> ns_free_inum(&ns->ns);
> kmem_cache_free(user_ns_cachep, ns);
> ns = parent;
> @@ -969,6 +982,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
> {
> struct user_namespace *user_ns = to_user_ns(ns);
> struct cred *cred;
> + int err;
>
> /* Don't allow gaining capabilities by reentering
> * the same user namespace.
> @@ -986,6 +1000,10 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
> if (!ns_capable(user_ns, CAP_SYS_ADMIN))
> return -EPERM;
>
> + err = security_userns_setns(nsproxy, user_ns);
> + if (err)
> + return err;
So at this point the LSM thinks current is in the new ns. If
prepare_creds() fails below, should it be informed of that?
(Or am I over-thinking this?)
> +
> cred = prepare_creds();
> if (!cred)
> return -ENOMEM;
> diff --git a/security/security.c b/security/security.c
> index 595fffa..5e66388 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -25,6 +25,7 @@
> #include <linux/mount.h>
> #include <linux/personality.h>
> #include <linux/backing-dev.h>
> +#include <linux/user_namespace.h>
> #include <net/flow.h>
>
> #define MAX_LSM_EVM_XATTR 2
> @@ -1542,6 +1543,25 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
> }
> #endif /* CONFIG_AUDIT */
>
> +#ifdef CONFIG_USER_NS
> +
> +int security_userns_create(struct user_namespace *ns)
> +{
> + return call_int_hook(userns_create, 0, ns);
> +}
> +
> +void security_userns_free(struct user_namespace *ns)
> +{
> + call_void_hook(userns_free, ns);
> +}
> +
> +int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns)
> +{
> + return call_int_hook(userns_setns, 0, nsproxy, ns);
> +}
> +
> +#endif /* CONFIG_USER_NS */
> +
> struct security_hook_heads security_hook_heads = {
> .binder_set_context_mgr =
> LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
> @@ -1886,4 +1906,12 @@ struct security_hook_heads security_hook_heads = {
> .audit_rule_free =
> LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
> #endif /* CONFIG_AUDIT */
> +#ifdef CONFIG_USER_NS
> + .userns_create =
> + LIST_HEAD_INIT(security_hook_heads.userns_create),
> + .userns_free =
> + LIST_HEAD_INIT(security_hook_heads.userns_free),
> + .userns_setns =
> + LIST_HEAD_INIT(security_hook_heads.userns_setns),
> +#endif /* CONFIG_USER_NS */
> };
> --
> 2.4.3
next prev parent reply other threads:[~2015-07-30 21:30 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1437732285-11524-1-git-send-email-l.pawelczyk@samsung.com>
2015-07-24 10:04 ` [PATCH v3 01/11] user_ns: 3 new LSM hooks for user namespace operations Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 02/11] lsm: /proc/$PID/attr/label_map file and getprocattr_seq hook Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 03/11] lsm: add file opener's cred to a setprocattr arguments Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 04/11] lsm: inode_pre_setxattr hook Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 05/11] smack: extend capability functions and fix 2 checks Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 06/11] smack: don't use implicit star to display smackfs/syslog Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 07/11] smack: abstraction layer for 2 common Smack operations Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 08/11] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 09/11] smack: namespace groundwork Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 10/11] smack: namespace implementation Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 11/11] smack: documentation for the Smack namespace Lukasz Pawelczyk
[not found] ` <1437732285-11524-12-git-send-email-l.pawelczyk@samsung.com>
2015-07-29 15:25 ` Serge E. Hallyn
[not found] ` <20150729152550.GC19285-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-07-29 16:10 ` Lukasz Pawelczyk
2015-07-29 16:13 ` Lukasz Pawelczyk
2015-07-29 16:24 ` Lukasz Pawelczyk
2015-07-29 16:37 ` Serge E. Hallyn
2015-07-29 17:05 ` Lukasz Pawelczyk
2015-07-30 19:11 ` Serge E. Hallyn
[not found] ` <1437732285-11524-4-git-send-email-l.pawelczyk@samsung.com>
2015-07-30 21:50 ` [PATCH v3 03/11] lsm: add file opener's cred to a setprocattr arguments Serge E. Hallyn
[not found] ` <1437732285-11524-5-git-send-email-l.pawelczyk@samsung.com>
2015-07-30 21:56 ` [PATCH v3 04/11] lsm: inode_pre_setxattr hook Serge E. Hallyn
2015-07-31 9:43 ` Lukasz Pawelczyk
[not found] ` <1437732285-11524-6-git-send-email-l.pawelczyk@samsung.com>
2015-07-30 22:10 ` [PATCH v3 05/11] smack: extend capability functions and fix 2 checks Serge E. Hallyn
[not found] ` <1437732285-11524-7-git-send-email-l.pawelczyk@samsung.com>
2015-07-30 22:42 ` [PATCH v3 06/11] smack: don't use implicit star to display smackfs/syslog Serge E. Hallyn
[not found] ` <1437732285-11524-3-git-send-email-l.pawelczyk@samsung.com>
2015-07-30 21:49 ` [PATCH v3 02/11] lsm: /proc/$PID/attr/label_map file and getprocattr_seq hook Serge E. Hallyn
2015-08-21 5:14 ` Paul Moore
2015-08-21 9:30 ` Lukasz Pawelczyk
[not found] ` <1437732285-11524-2-git-send-email-l.pawelczyk@samsung.com>
2015-07-30 21:30 ` Serge E. Hallyn [this message]
2015-07-31 9:28 ` [PATCH v3 01/11] user_ns: 3 new LSM hooks for user namespace operations Lukasz Pawelczyk
2015-08-01 3:48 ` Serge E. Hallyn
2015-08-03 11:34 ` Lukasz Pawelczyk
2015-08-04 1:38 ` Kees Cook
2015-08-21 5:04 ` Paul Moore
2015-08-21 15:56 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150730213059.GA13589@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=eparis@parisplace.org \
--cc=fabf@skynet.be \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=joe@perches.com \
--cc=john.johansen@canonical.com \
--cc=jslaby@suse.com \
--cc=keescook@chromium.org \
--cc=l.pawelczyk@samsung.com \
--cc=luto@amacapital.net \
--cc=mchehab@osg.samsung.com \
--cc=neilb@suse.de \
--cc=oleg@redhat.com \
--cc=paul@paul-moore.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).