Subject: Re: [PATCH v3 01/11] user_ns: 3 new LSM hooks for user namespace operations
From: Lukasz Pawelczyk
To: "Serge E. Hallyn"
Cc: "Eric W. Biederman", Al Viro, Alexey Dobriyan, Andrew Morton, Andy Lutomirski, Arnd Bergmann, Casey Schaufler, David Howells, Eric Dumazet, Eric Paris, Fabian Frederick, Greg KH, James Morris, Jiri Slaby, Joe Perches, John Johansen, Jonathan Corbet, Kees Cook, Mauro Carvalho Chehab, NeilBrown, Oleg Nesterov, Paul Moore, Stephen Smalley, Tetsuo Handa, Zefan Li, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, havner@gmail.com
Date: Fri, 31 Jul 2015 11:28:56 +0200
Message-id: <1438334936.2081.6.camel@samsung.com>
In-reply-to: <20150730213059.GA13589@mail.hallyn.com>
References: <1437732285-11524-1-git-send-email-l.pawelczyk@samsung.com> <1437732285-11524-2-git-send-email-l.pawelczyk@samsung.com> <20150730213059.GA13589@mail.hallyn.com>

On Thu, 2015-07-30 at 16:30 -0500, Serge E. Hallyn wrote:
> On Fri, Jul 24, 2015 at 12:04:35PM +0200, Lukasz Pawelczyk wrote:
> > @@ -969,6 +982,7 @@ static int userns_install(struct nsproxy
> > *nsproxy, struct ns_common *ns)
> >  {
> >  	struct user_namespace *user_ns = to_user_ns(ns);
> >  	struct cred *cred;
> > +	int err;
> >  
> >  	/* Don't allow gaining capabilities by reentering
> >  	 * the same user namespace.
> > @@ -986,6 +1000,10 @@ static int userns_install(struct nsproxy
> > *nsproxy, struct ns_common *ns)
> >  	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
> >  		return -EPERM;
> >  
> > +	err = security_userns_setns(nsproxy, user_ns);
> > +	if (err)
> > +		return err;
> 
> So at this point the LSM thinks current is in the new ns.  If
> prepare_creds() fails below, should it be informed of that?
> (Or am I over-thinking this?)
> 
> > +
> >  	cred = prepare_creds();
> >  	if (!cred)
> >  		return -ENOMEM;

Hmm, the use case for this hook I had in mind was just to allow or
disallow the operation based on the information passed in arguments.
Not to register the current in any way so the LSM can think it is or
isn't in the new namespace.

I think that any other LSM check that would like to know in what
namespace the current is would just check that from current's creds,
not use some stale and duplicated information the above hook could have
registered.

I see no reason for this hook to change the LSM state, only to answer
the question: allowed/disallowed (eventually return an error because it
is unable to give an answer, which falls into the disallow category).

-- 
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics
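Review bot: in the second hunk, security_userns_setns(nsproxy, user_ns) runs before prepare_creds(), so a module that used the hook to record "current has entered user_ns" would keep that record even when prepare_creds() fails and userns_install() returns -ENOMEM with current's creds unchanged. Since the reply states the hook is a pure allow/deny decision that changes no LSM state, the hook's documentation should say so explicitly, along the lines of "return 0 to allow the setns or a negative errno to deny it; the hook must not record the transition, and a module that needs the current user namespace reads it from current's creds", so that no implementer is tempted to keep the duplicated state Serge's question points at.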
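The ordering Serge asks about, and the stateless-hook answer given in the reply, can be exercised outside the kernel. The following is an added user-space C model, not kernel code and not part of the patch or of the thread: struct user_namespace, the two hook variants, userns_install_model(), the LSM policy value and the "prepare_creds() fails" knob are all constructed stand-ins; only the sequence of checks and the hook call security_userns_setns(nsproxy, user_ns) follow the hunk. It shows that a hook which records the transition disagrees with current's creds after a failed install, while a hook that only answers allowed/disallowed cannot go stale because the namespace is read from the creds on demand.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed user-space model of the check ordering in the patched
 * userns_install(): reentry check -> ns_capable() -> security_userns_setns()
 * -> prepare_creds(). None of this is kernel code; every type and value
 * below is a stand-in chosen for the demonstration.
 */

struct user_namespace {
	int id;
	bool caller_is_admin;	/* stands in for ns_capable(user_ns, CAP_SYS_ADMIN) */
};

enum hook_kind { HOOK_STATELESS, HOOK_STATEFUL };

typedef int (*userns_setns_hook)(const struct user_namespace *ns);

static int current_user_ns_id = 1;	/* model of current's creds */
static int lsm_denied_ns_id = 99;	/* hypothetical LSM policy: refuse this ns */
static int lsm_believed_ns_id = 1;	/* state that only a stateful hook maintains */
static bool fail_prepare_creds = false;	/* knob: make prepare_creds() return NULL */

/* Stateless hook: answers allowed/disallowed from its arguments, nothing else. */
static int hook_stateless(const struct user_namespace *ns)
{
	return ns->id == lsm_denied_ns_id ? -EACCES : 0;
}

/* Stateful hook: same decision, but it also records "current is now in ns". */
static int hook_stateful(const struct user_namespace *ns)
{
	int err = hook_stateless(ns);

	if (!err)
		lsm_believed_ns_id = ns->id;	/* recorded before prepare_creds() has run */
	return err;
}

/* Same order of checks as the hunk; returns 0 or a negative errno. */
static int userns_install_model(const struct user_namespace *ns, userns_setns_hook hook)
{
	int err;

	if (ns->id == current_user_ns_id)	/* no reentering the same user namespace */
		return -EINVAL;
	if (!ns->caller_is_admin)		/* !ns_capable(user_ns, CAP_SYS_ADMIN) */
		return -EPERM;

	err = hook(ns);				/* security_userns_setns(nsproxy, user_ns) */
	if (err)
		return err;

	if (fail_prepare_creds)			/* prepare_creds() returned NULL */
		return -ENOMEM;

	current_user_ns_id = ns->id;		/* commit_creds(cred) */
	return 0;
}

/* Reset the model to "current is in ns 1" and run one install attempt. */
static int attempt_install(int target_id, bool admin, bool creds_fail, enum hook_kind kind)
{
	struct user_namespace target = { .id = target_id, .caller_is_admin = admin };

	current_user_ns_id = 1;
	lsm_believed_ns_id = 1;
	fail_prepare_creds = creds_fail;
	return userns_install_model(&target,
				    kind == HOOK_STATEFUL ? hook_stateful : hook_stateless);
}

/* What the LSM would answer afterwards if asked which user ns current is in. */
static int lsm_view_of_current(enum hook_kind kind)
{
	if (kind == HOOK_STATELESS)
		return current_user_ns_id;	/* derived from current's creds on demand */
	return lsm_believed_ns_id;		/* whatever the hook recorded earlier */
}

/* True when the LSM's view matches current's real namespace after an attempt
 * to enter ns 2 as an admin, optionally with prepare_creds() failing. */
static bool lsm_view_consistent(enum hook_kind kind, bool creds_fail)
{
	(void)attempt_install(2, true, creds_fail, kind);
	return lsm_view_of_current(kind) == current_user_ns_id;
}

int main(void)
{
	printf("stateful hook, prepare_creds() fails: LSM view consistent=%d\n",
	       lsm_view_consistent(HOOK_STATEFUL, true));
	printf("stateless hook, prepare_creds() fails: LSM view consistent=%d\n",
	       lsm_view_consistent(HOOK_STATELESS, true));
	return 0;
}
```

The stateful variant is the design the reply argues against: its record is written at the hook call, which is the only point the LSM is consulted, and nothing later tells it that prepare_creds() failed. The stateless variant has no record to invalidate, which is exactly why a later LSM check should read the namespace from current's creds rather than from anything this hook might have stored.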