From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Martin KaFai Lau <kafai@fb.com>,
Frederick Lawler <fred@cloudflare.com>, <kpsingh@kernel.org>,
<revest@chromium.org>, <jackmanb@chromium.org>, <ast@kernel.org>,
<daniel@iogearbox.net>, <andrii@kernel.org>,
<songliubraving@fb.com>, <yhs@fb.com>, <john.fastabend@gmail.com>,
<jmorris@namei.org>, <serge@hallyn.com>,
<stephen.smalley.work@gmail.com>, <eparis@parisplace.org>,
<shuah@kernel.org>, <brauner@kernel.org>,
<casey@schaufler-ca.com>, <bpf@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<selinux@vger.kernel.org>, <linux-kselftest@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org>,
<kernel-team@cloudflare.com>, <cgzones@googlemail.com>,
<karl@bigbadwolfsecurity.com>
Subject: Re: [PATCH v3 0/4] Introduce security_create_user_ns()
Date: Tue, 02 Aug 2022 16:33:39 -0500 [thread overview]
Message-ID: <87a68mcouk.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <18225d94bf0.28e3.85c95baa4474aabc7814e68940a78392@paul-moore.com> (Paul Moore's message of "Fri, 22 Jul 2022 08:20:10 -0400")
Paul Moore <paul@paul-moore.com> writes:
> On July 22, 2022 2:12:03 AM Martin KaFai Lau <kafai@fb.com> wrote:
>
>> On Thu, Jul 21, 2022 at 12:28:04PM -0500, Frederick Lawler wrote:
>>> While creating a LSM BPF MAC policy to block user namespace creation, we
>>> used the LSM cred_prepare hook because that is the closest hook to prevent
>>> a call to create_user_ns().
>>>
>>> The calls look something like this:
>>>
>>> cred = prepare_creds()
>>> security_prepare_creds()
>>> call_int_hook(cred_prepare, ...
>>> if (cred)
>>> create_user_ns(cred)
>>>
>>> We noticed that error codes were not propagated from this hook and
>>> introduced a patch [1] to propagate those errors.
>>>
>>> The discussion notes that security_prepare_creds()
>>> is not appropriate for MAC policies, and instead the hook is
>>> meant for LSM authors to prepare credentials for mutation. [2]
>>>
>>> Ultimately, we concluded that a better course of action is to introduce
>>> a new security hook for LSM authors. [3]
>>>
>>> This patch set first introduces a new security_create_user_ns() function
>>> and userns_create LSM hook, then marks the hook as sleepable in BPF.
>> Patch 1 and 4 still need review from the lsm/security side.
>
>
> This patchset is in my review queue and assuming everything checks
> out, I expect to merge it after the upcoming merge window closes.
It doesn't even address my issues with the last patchset.
So it has my NACK.
Eric
next prev parent reply other threads:[~2022-08-02 21:35 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-21 17:28 [PATCH v3 0/4] Introduce security_create_user_ns() Frederick Lawler
2022-07-21 17:28 ` [PATCH v3 1/4] security, lsm: " Frederick Lawler
2022-07-22 8:21 ` Christian Brauner
2022-07-21 17:28 ` [PATCH v3 2/4] bpf-lsm: Make bpf_lsm_userns_create() sleepable Frederick Lawler
2022-07-22 8:18 ` Christian Brauner
2022-07-21 17:28 ` [PATCH v3 3/4] selftests/bpf: Add tests verifying bpf lsm userns_create hook Frederick Lawler
2022-07-22 6:07 ` Martin KaFai Lau
2022-07-22 13:41 ` Frederick Lawler
2022-07-22 8:15 ` Christian Brauner
2022-07-21 17:28 ` [PATCH v3 4/4] selinux: Implement " Frederick Lawler
2022-07-22 6:11 ` [PATCH v3 0/4] Introduce security_create_user_ns() Martin KaFai Lau
2022-07-22 12:20 ` Paul Moore
2022-08-01 13:13 ` Frederick Lawler
2022-08-01 15:19 ` Paul Moore
2022-08-02 21:24 ` KP Singh
2022-08-03 1:49 ` Paul Moore
2022-08-01 15:25 ` Casey Schaufler
2022-08-01 16:34 ` Paul Moore
2022-08-02 21:27 ` KP Singh
2022-08-02 21:33 ` Eric W. Biederman [this message]
2022-08-03 15:20 ` Frederick Lawler
2022-07-22 17:05 ` Eric W. Biederman
2022-07-25 22:53 ` Paul Moore
2022-07-26 12:02 ` Djalal Harouni
2022-07-26 14:41 ` Ignat Korchagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a68mcouk.fsf@email.froward.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgzones@googlemail.com \
--cc=daniel@iogearbox.net \
--cc=eparis@parisplace.org \
--cc=fred@cloudflare.com \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=karl@bigbadwolfsecurity.com \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=revest@chromium.org \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=songliubraving@fb.com \
--cc=stephen.smalley.work@gmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).