Thread: 27 messages, 6 authors, 2018-10-16

[PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel

From: Schaufler, Casey <hidden>
Date: 2018-09-27 23:19:44
Also in: lkml, selinux

-----Original Message-----
From: James Morris [mailto:jmorris at namei.org]
Sent: Thursday, September 27, 2018 3:47 PM
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Schaufler, Casey <redacted>; kristen at linux.intel.com;
kernel-hardening at lists.openwall.com; Dock, Deneen T
[off-list ref]; linux-kernel at vger.kernel.org; Hansen, Dave
[off-list ref]; linux-security-module at vger.kernel.org;
selinux at tycho.nsa.gov; arjan at linux.intel.com
Subject: Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel

On Thu, 27 Sep 2018, Casey Schaufler wrote:
> On 9/27/2018 2:45 PM, James Morris wrote:
>> On Wed, 26 Sep 2018, Casey Schaufler wrote:
+	/*
+	 * Namespace checks. Considered safe if:
+	 *	cgroup namespace is the same
+	 *	User namespace is the same
+	 *	PID namespace is the same
+	 */
+	if (current->nsproxy)
+		ccgn = current->nsproxy->cgroup_ns;
+	if (p->nsproxy)
+		pcgn = p->nsproxy->cgroup_ns;
+	if (ccgn != pcgn)
+		return -EACCES;
+	if (current->cred->user_ns != p->cred->user_ns)
+		return -EACCES;
+	if (task_active_pid_ns(current) != task_active_pid_ns(p))
+		return -EACCES;
+	return 0;
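Review bot: the namespace comparison silently passes when neither task has an nsproxy. ccgn and pcgn are only assigned when the respective nsproxy pointer is non-NULL, so if both current->nsproxy and p->nsproxy are NULL (a task that has already gone through exit_task_namespaces()) both variables keep their initial value, the `ccgn != pcgn` test is false, and the check falls through to the user_ns and PID comparisons as if the cgroup namespaces matched. Since the comment says all three namespaces must be the same for the pair to be considered safe, a missing nsproxy on either side should be an early `return -EACCES;` before any comparison, after which `current->nsproxy->cgroup_ns != p->nsproxy->cgroup_ns` can be compared directly and ccgn/pcgn are not needed. Separately, `p->cred->user_ns` dereferences another task's cred pointer directly; task->cred is RCU-protected, so the usual form is `__task_cred(p)->user_ns` inside an rcu_read_lock()/rcu_read_unlock() pair (current->cred is fine as is).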
I really don't like the idea of hard-coding namespace security semantics
in an LSM.  Also, I'm not sure if these semantics make any sense.
Checks on namespaces were explicitly requested.
By whom and what is the rationale?
The rationale is to protect containers. Since the closest thing
there is to a definition of containers is "uses namespaces" that
becomes the focus. Separating them out does not make too much
sense as I would expect someone concerned with one to be concerned
with all.