From: "Serge E. Hallyn" <serge@hallyn.com>
To: Song Liu <songliubraving@fb.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Paul Moore <paul@paul-moore.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Frederick Lawler <fred@cloudflare.com>,
KP Singh <kpsingh@kernel.org>,
"revest@chromium.org" <revest@chromium.org>,
"jackmanb@chromium.org" <jackmanb@chromium.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>, Martin Lau <kafai@fb.com>,
Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
James Morris <jmorris@namei.org>,
"stephen.smalley.work@gmail.com" <stephen.smalley.work@gmail.com>,
"eparis@parisplace.org" <eparis@parisplace.org>,
Shuah Khan <shuah@kernel.org>,
"brauner@kernel.org" <brauner@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
bpf <bpf@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Networking <netdev@vger.kernel.org>,
"kernel-team@cloudflare.com" <kernel-team@cloudflare.com>,
"cgzones@googlemail.com" <cgzones@googlemail.com>,
"karl@bigbadwolfsecurity.com" <karl@bigbadwolfsecurity.com>,
"tixxdz@gmail.com" <tixxdz@gmail.com>
Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns()
Date: Fri, 26 Aug 2022 16:00:39 -0500 [thread overview]
Message-ID: <20220826210039.GA15952@mail.hallyn.com> (raw)
In-Reply-To: <25C89E75-A900-42C7-A8E4-2800AA2E3387@fb.com>
On Fri, Aug 26, 2022 at 05:00:51PM +0000, Song Liu wrote:
>
>
> > On Aug 26, 2022, at 8:24 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> >
> > On Thu, Aug 25, 2022 at 09:58:46PM +0000, Song Liu wrote:
> >>
> >>
> >>> On Aug 25, 2022, at 12:19 PM, Paul Moore <paul@paul-moore.com> wrote:
> >>>
> >>> On Thu, Aug 25, 2022 at 2:15 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
> >>>> Paul Moore <paul@paul-moore.com> writes:
> >>>>> On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> >>>>>> I am hoping we can come up with
> >>>>>> "something better" to address people's needs, make everyone happy, and
> >>>>>> bring forth world peace. Which would stack just fine with what's here
> >>>>>> for defense in depth.
> >>>>>>
> >>>>>> You may well not be interested in further work, and that's fine. I need
> >>>>>> to set aside a few days to think on this.
> >>>>>
> >>>>> I'm happy to continue the discussion as long as it's constructive; I
> >>>>> think we all are. My gut feeling is that Frederick's approach falls
> >>>>> closest to the sweet spot of "workable without being overly offensive"
> >>>>> (*cough*), but if you've got an additional approach in mind, or an
> >>>>> alternative approach that solves the same use case problems, I think
> >>>>> we'd all love to hear about it.
> >>>>
> >>>> I would love to actually hear the problems people are trying to solve so
> >>>> that we can have a sensible conversation about the trade offs.
> >>>
> >>> Here are several taken from the previous threads, it's surely not a
> >>> complete list, but it should give you a good idea:
> >>>
> >>> https://lore.kernel.org/linux-security-module/CAHC9VhQnPAsmjmKo-e84XDJ1wmaOFkTKPjjztsOa9Yrq+AeAQA@mail.gmail.com/
> >>>
> >>>> As best I can tell without more information people want to use
> >>>> the creation of a user namespace as a signal that the code is
> >>>> attempting an exploit.
> >>>
> >>> Some use cases are like that, there are several other use cases that
> >>> go beyond this; see all of our previous discussions on this
> >>> topic/patchset. As has been mentioned before, there are use cases
> >>> that require improved observability, access control, or both.
> >>>
> >>>> As such let me propose instead of returning an error code which will let
> >>>> the exploit continue, have the security hook return a bool. With true
> >>>> meaning the code can continue and on false it will trigger using SIGSYS
> >>>> to terminate the program like seccomp does.
> >>>
> >>> Having the kernel forcibly exit the process isn't something that most
> >>> LSMs would likely want. I suppose we could modify the hook/caller so
> >>> that *if* an LSM wanted to return SIGSYS the system would kill the
> >>> process, but I would want that to be something in addition to
> >>> returning an error code like LSMs normally do (e.g. EACCES).
> >>
> >> I am new to user_namespace and security work, so please pardon me if
> >> anything below is very wrong.
> >>
> >> IIUC, user_namespace is a tool that enables trusted userspace code to
> >> control the behavior of untrusted (or less trusted) userspace code.
> >
> > No. user namespaces are not a way for more trusted code to control the
> > behavior of less trusted code.
>
> Hmm.. In this case, I think I really need to learn more.
>
> Thanks for pointing out my misunderstanding.
(I thought maybe Eric would chime in with a better explanation, but I'll
fill it in for now :)
One of the main goals of user namespaces is to allow unprivileged users
to do things like chroot and mount, which are very useful development
tools, without needing admin privileges. So it's almost the opposite
of what you said: rather than to enable trusted userspace code to control
the behavior of less trusted code, it's to allow less privileged code to
do things which do not affect other users, without having to assume *more*
privilege.
To be precise, the goals were:
1. uid mapping - allow two users to both "use uid 500" without conflicting
2. provide (unprivileged) users privilege over their own resources
3. absolutely no extra privilege over other resources
4. be able to nest
While (3) was technically achieved, the problem we have is that
(2) provides unprivileged users the ability to exercise kernel code
which they previously could not.
-serge
next prev parent reply other threads:[~2022-08-26 21:00 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-15 16:20 [PATCH v5 0/4] Introduce security_create_user_ns() Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 1/4] security, lsm: " Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 2/4] bpf-lsm: Make bpf_lsm_userns_create() sleepable Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 3/4] selftests/bpf: Add tests verifying bpf lsm userns_create hook Frederick Lawler
2022-08-15 16:20 ` [PATCH v5 4/4] selinux: Implement " Frederick Lawler
2022-08-16 21:51 ` [PATCH v5 0/4] Introduce security_create_user_ns() Paul Moore
2022-08-17 15:07 ` Eric W. Biederman
2022-08-17 16:01 ` Paul Moore
2022-08-17 19:57 ` Eric W. Biederman
2022-08-17 20:13 ` Paul Moore
2022-08-17 20:56 ` Eric W. Biederman
2022-08-17 21:09 ` Paul Moore
2022-08-17 21:24 ` Eric W. Biederman
2022-08-17 21:50 ` Paul Moore
2022-08-18 0:35 ` Jonathan Chapman-Moore
2022-08-18 14:05 ` Serge E. Hallyn
2022-08-18 15:11 ` Paul Moore
2022-08-19 14:45 ` Serge E. Hallyn
2022-08-19 21:10 ` Paul Moore
2022-08-25 18:15 ` Eric W. Biederman
2022-08-25 19:19 ` Paul Moore
2022-08-25 21:58 ` Song Liu
2022-08-25 22:10 ` Paul Moore
2022-08-25 22:42 ` Song Liu
2022-08-26 15:02 ` Paul Moore
2022-08-26 16:57 ` Song Liu
2022-08-26 15:24 ` Serge E. Hallyn
2022-08-26 17:00 ` Song Liu
2022-08-26 21:00 ` Serge E. Hallyn [this message]
2022-08-26 22:34 ` Song Liu
2022-08-29 15:33 ` Christian Brauner
2022-09-03 3:58 ` Serge E. Hallyn
2022-08-26 9:10 ` Ignat Korchagin
2022-08-26 15:12 ` Paul Moore
2022-08-26 15:23 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220826210039.GA15952@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgzones@googlemail.com \
--cc=daniel@iogearbox.net \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=fred@cloudflare.com \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=karl@bigbadwolfsecurity.com \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=revest@chromium.org \
--cc=selinux@vger.kernel.org \
--cc=shuah@kernel.org \
--cc=songliubraving@fb.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tixxdz@gmail.com \
--cc=torvalds@linux-foundation.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).