Re: [PATCH v5 0/4] Introduce security_create_user_ns()

From: Paul Moore <paul@paul-moore.com>
Date: 2022-08-25 19:19:27
Also in: bpf, linux-kselftest, linux-security-module, lkml, selinux

Possibly related (same subject, not in this thread)

2022-08-19 · Re: [PATCH v5 0/4] Introduce security_create_user_ns() · Paul Moore <paul@paul-moore.com>
2022-08-19 · Re: [PATCH v5 0/4] Introduce security_create_user_ns() · "Serge E. Hallyn" <serge@hallyn.com>
2022-08-18 · Re: [PATCH v5 0/4] Introduce security_create_user_ns() · Paul Moore <paul@paul-moore.com>
2022-08-18 · Re: [PATCH v5 0/4] Introduce security_create_user_ns() · "Serge E. Hallyn" <serge@hallyn.com>
2022-08-18 · RE: [PATCH v5 0/4] Introduce security_create_user_ns() · Jonathan Chapman-Moore <hidden>

On Thu, Aug 25, 2022 at 2:15 PM Eric W. Biederman [off-list ref] wrote:

Paul Moore [off-list ref] writes:

quoted

On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn [off-list ref] wrote:

quoted

 I am hoping we can come up with
"something better" to address people's needs, make everyone happy, and
bring forth world peace.  Which would stack just fine with what's here
for defense in depth.

You may well not be interested in further work, and that's fine.  I need
to set aside a few days to think on this.

I'm happy to continue the discussion as long as it's constructive; I
think we all are.  My gut feeling is that Frederick's approach falls
closest to the sweet spot of "workable without being overly offensive"
(*cough*), but if you've got an additional approach in mind, or an
alternative approach that solves the same use case problems, I think
we'd all love to hear about it.

I would love to actually hear the problems people are trying to solve so
that we can have a sensible conversation about the trade offs.

Here are several taken from the previous threads, it's surely not a
complete list, but it should give you a good idea:

https://lore.kernel.org/linux-security-module/CAHC9VhQnPAsmjmKo-e84XDJ1wmaOFkTKPjjztsOa9Yrq+AeAQA@mail.gmail.com/ (local)

As best I can tell without more information people want to use
the creation of a user namespace as a signal that the code is
attempting an exploit.

Some use cases are like that, there are several other use cases that
go beyond this; see all of our previous discussions on this
topic/patchset.  As has been mentioned before, there are use cases
that require improved observability, access control, or both.

As such let me propose instead of returning an error code which will let
the exploit continue, have the security hook return a bool.  With true
meaning the code can continue and on false it will trigger using SIGSYS
to terminate the program like seccomp does.

Having the kernel forcibly exit the process isn't something that most
LSMs would likely want.  I suppose we could modify the hook/caller so
that *if* an LSM wanted to return SIGSYS the system would kill the
process, but I would want that to be something in addition to
returning an error code like LSMs normally do (e.g. EACCES).

-- 
paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help