From: "Serge E. Hallyn" <serge@hallyn.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
John Johansen <john.johansen@canonical.com>
Subject: Re: LSM namespacing API
Date: Wed, 20 Aug 2025 21:05:12 -0500 [thread overview]
Message-ID: <aKZ+2NMx+ZQhpySY@mail.hallyn.com> (raw)
In-Reply-To: <CAHC9VhSubXA4tAUoz7T==UvfrM_DXS6nF5s0tJZ1HrrVizMgZA@mail.gmail.com>
On Tue, Aug 19, 2025 at 02:51:00PM -0400, Paul Moore wrote:
> On Tue, Aug 19, 2025 at 1:47 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > I think we want to be able to unshare a specific security module
> > namespace without unsharing the others, i.e. just SELinux or just
> > AppArmor.
> > Not sure if your suggestion above supports that already but wanted to note it.
>
> The lsm_set_self_attr(2) approach allows for LSM specific unshare
> operations. Take the existing LSM_ATTR_EXEC attribute as an example,
> two LSMs have implemented support (AppArmor and SELinux), and
> userspace can independently set the attribute as desired for each LSM.
Overall I really like the idea.
> > Serge pointed out that we also will need an API to attach to an
> > existing SELinux namespace, which I captured here:
> > https://github.com/stephensmalley/selinuxns/issues/19
> > This is handled for other Linux namespaces by opening a pseudo file
> > under /proc/pid/ns and invoking setns(2), so not sure how we want to
> > do it.
>
> One option would be to have a the LSM framework return a LSM namespace
> "handle" for a given LSM using lsm_get_self_attr(2) and then do a
> setns(2)-esque operation using lsm_set_self_attr(2) with that
> "handle". We would need to figure out what would constitute a
> "handle" but let's just mark that as TBD for now with this approach (I
> think better options are available).
The use case which would be complicated (not blocked) by this, is
* a runtime creates a process p1
* p1 unshares its lsm namespace
* runtime forks a debug/admin process p2
* p2 wants to enter p1's namespace
Of course the runtime could work around it by, before relinquishing
control of p1 to a new executable, returning the lsm_get_self_attr()
data to over a pipe.
Note I don't think we should support setting another task's namespace,
only getting its namespace ID.
> Since we have an existing LSM namespace combination, with processes
> running inside of it, it might be sufficient to simply support moving
> into an existing LSM namespace set with setns(2) using only a pidfd
> and a new CLONE_LSMNS flag (or similar, upstream might want this as
> CLONE_NEWLSM). This would simply set the LSM namespace set for the
> setns(2) caller to match that of the target pidfd. We still wouldn't
> want to support CLONE_LSMNS/CLONE_NEWLSM for clone*().
A part of me is telling (another part of) me that being able to setns
to a subset of the lsms could lead to privilege escapes through
weird policy configurations for the various LSMs. In which case,
an all-or-nothing LSM setns might actually be preferable.
I haven't thought of a concrete example, though.
> Any other ideas?
>
> --
> paul-moore.com
next prev parent reply other threads:[~2025-08-21 2:05 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-19 14:56 LSM namespacing API Paul Moore
2025-08-19 17:11 ` Casey Schaufler
2025-08-19 18:40 ` Paul Moore
2025-08-19 18:58 ` Stephen Smalley
2025-08-21 7:26 ` John Johansen
2025-08-21 7:23 ` John Johansen
2025-08-22 1:57 ` Paul Moore
2025-08-22 14:30 ` John Johansen
2025-08-21 10:00 ` Mickaël Salaün
2025-08-22 2:14 ` Paul Moore
2025-08-22 14:47 ` Casey Schaufler
2025-08-22 19:59 ` John Johansen
2025-08-23 17:41 ` Dr. Greg
2025-08-23 23:00 ` John Johansen
2025-08-19 17:47 ` Stephen Smalley
2025-08-19 18:51 ` Paul Moore
2025-08-19 18:52 ` Paul Moore
2025-08-20 14:44 ` Mickaël Salaün
2025-08-20 15:37 ` Casey Schaufler
2025-08-20 20:47 ` Paul Moore
2025-08-21 9:56 ` Mickaël Salaün
2025-08-21 14:18 ` John Johansen
2025-08-22 2:09 ` Paul Moore
2025-08-21 2:05 ` Serge E. Hallyn [this message]
2025-08-21 2:35 ` Paul Moore
2025-08-21 3:02 ` Serge E. Hallyn
2025-08-22 1:50 ` Paul Moore
2025-08-21 8:12 ` John Johansen
2025-08-21 8:07 ` John Johansen
2025-08-21 7:46 ` John Johansen
2025-08-21 14:26 ` Serge E. Hallyn
2025-08-21 14:57 ` John Johansen
2025-09-01 16:01 ` Dr. Greg
2025-09-01 17:31 ` Casey Schaufler
2025-09-04 2:16 ` Dr. Greg
2025-09-04 17:40 ` Casey Schaufler
2025-09-02 10:55 ` John Johansen
2025-09-05 22:14 ` Dr. Greg
2025-09-06 2:01 ` John Johansen
2025-08-22 1:59 ` Paul Moore
2025-08-21 7:14 ` John Johansen
2025-08-21 11:20 ` Dr. Greg
2025-08-21 14:44 ` John Johansen
2026-02-26 0:05 ` Paul Moore
2026-03-03 13:30 ` Stephen Smalley
2026-03-03 16:46 ` Paul Moore
2026-03-06 17:48 ` Dr. Greg
2026-03-06 21:01 ` Casey Schaufler
2026-03-09 18:15 ` Stephen Smalley
2026-03-11 16:37 ` Casey Schaufler
2026-03-24 21:31 ` Paul Moore
2026-03-29 16:09 ` Dr. Greg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aKZ+2NMx+ZQhpySY@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=john.johansen@canonical.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox