lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAHC9VhQycyUNTxuRUDGfcHkpv5G3O4k+gSn4Qth7S9vB3YNPEQ@mail.gmail.com>
Date:	Fri, 21 Aug 2015 11:56:46 -0400
From:	Paul Moore <paul@...l-moore.com>
To:	Lukasz Pawelczyk <l.pawelczyk@...sung.com>
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Al Viro <viro@...iv.linux.org.uk>,
	Alexey Dobriyan <adobriyan@...il.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Andy Lutomirski <luto@...capital.net>,
	Arnd Bergmann <arnd@...db.de>,
	Casey Schaufler <casey@...aufler-ca.com>,
	David Howells <dhowells@...hat.com>,
	Eric Dumazet <edumazet@...gle.com>,
	Eric Paris <eparis@...isplace.org>,
	Fabian Frederick <fabf@...net.be>,
	Greg KH <gregkh@...uxfoundation.org>,
	James Morris <james.l.morris@...cle.com>,
	Jiri Slaby <jslaby@...e.com>, Joe Perches <joe@...ches.com>,
	John Johansen <john.johansen@...onical.com>,
	Jonathan Corbet <corbet@....net>,
	Kees Cook <keescook@...omium.org>,
	Mauro Carvalho Chehab <mchehab@....samsung.com>,
	NeilBrown <neilb@...e.de>, Oleg Nesterov <oleg@...hat.com>,
	Stephen Smalley <sds@...ho.nsa.gov>,
	Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
	Zefan Li <lizefan@...wei.com>, linux-doc@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
	havner@...il.com
Subject: Re: [PATCH v3 01/11] user_ns: 3 new LSM hooks for user namespace operations

On Fri, Jul 24, 2015 at 6:04 AM, Lukasz Pawelczyk
<l.pawelczyk@...sung.com> wrote:
> This commit implements 3 new LSM hooks that provide the means for LSMs
> to embed their own security context within user namespace, effectively
> creating some sort of a user_ns related security namespace.
>
> The first one to take advantage of this mechanism is Smack.
>
> The hooks has been documented in the in the security.h below.
>
> Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@...sung.com>
> Reviewed-by: Casey Schaufler <casey@...aufler-ca.com>
> ---
>  include/linux/lsm_hooks.h      | 28 ++++++++++++++++++++++++++++
>  include/linux/security.h       | 23 +++++++++++++++++++++++
>  include/linux/user_namespace.h |  4 ++++
>  kernel/user.c                  |  3 +++
>  kernel/user_namespace.c        | 18 ++++++++++++++++++
>  security/security.c            | 28 ++++++++++++++++++++++++++++
>  6 files changed, 104 insertions(+)

I'm not sure at this point in time we know what we want to do with
SELinux and these hooks, if anything, but they look reasonable to me.

Acked-by: Paul Moore <paul@...l-moore.com>

> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 9429f05..228558c 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1261,6 +1261,23 @@
>   *     audit_rule_init.
>   *     @rule contains the allocated rule
>   *
> + * @userns_create:
> + *     Allocates and fills the security part of a new user namespace.
> + *     @ns points to a newly created user namespace.
> + *     Returns 0 or an error code.
> + *
> + * @userns_free:
> + *     Deallocates the security part of a user namespace.
> + *     @ns points to a user namespace about to be destroyed.
> + *
> + * @userns_setns:
> + *     Run during a setns syscall to add a process to an already existing
> + *     user namespace. Returning failure here will block the operation
> + *     requested from userspace (setns() with CLONE_NEWUSER).
> + *     @nsproxy contains nsproxy to which the user namespace will be assigned.
> + *     @ns contains user namespace that is to be incorporated to the nsproxy.
> + *     Returns 0 or an error code.
> + *
>   * @inode_notifysecctx:
>   *     Notify the security module of what the security context of an inode
>   *     should be.  Initializes the incore security context managed by the
> @@ -1613,6 +1630,12 @@ union security_list_options {
>                                 struct audit_context *actx);
>         void (*audit_rule_free)(void *lsmrule);
>  #endif /* CONFIG_AUDIT */
> +
> +#ifdef CONFIG_USER_NS
> +       int (*userns_create)(struct user_namespace *ns);
> +       void (*userns_free)(struct user_namespace *ns);
> +       int (*userns_setns)(struct nsproxy *nsproxy, struct user_namespace *ns);
> +#endif /* CONFIG_USER_NS */
>  };
>
>  struct security_hook_heads {
> @@ -1824,6 +1847,11 @@ struct security_hook_heads {
>         struct list_head audit_rule_match;
>         struct list_head audit_rule_free;
>  #endif /* CONFIG_AUDIT */
> +#ifdef CONFIG_USER_NS
> +       struct list_head userns_create;
> +       struct list_head userns_free;
> +       struct list_head userns_setns;
> +#endif /* CONFIG_USER_NS */
>  };
>
>  /*
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 79d85dd..1b0eccc 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1584,6 +1584,29 @@ static inline void security_audit_rule_free(void *lsmrule)
>  #endif /* CONFIG_SECURITY */
>  #endif /* CONFIG_AUDIT */
>
> +#ifdef CONFIG_USER_NS
> +int security_userns_create(struct user_namespace *ns);
> +void security_userns_free(struct user_namespace *ns);
> +int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns);
> +
> +#else
> +
> +static inline int security_userns_create(struct user_namespace *ns)
> +{
> +       return 0;
> +}
> +
> +static inline void security_userns_free(struct user_namespace *ns)
> +{ }
> +
> +static inline int security_userns_setns(struct nsproxy *nsproxy,
> +                                       struct user_namespace *ns)
> +{
> +       return 0;
> +}
> +
> +#endif /* CONFIG_USER_NS */
> +
>  #ifdef CONFIG_SECURITYFS
>
>  extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> index 8297e5b..a9400cc 100644
> --- a/include/linux/user_namespace.h
> +++ b/include/linux/user_namespace.h
> @@ -39,6 +39,10 @@ struct user_namespace {
>         struct key              *persistent_keyring_register;
>         struct rw_semaphore     persistent_keyring_register_sem;
>  #endif
> +
> +#ifdef CONFIG_SECURITY
> +       void *security;
> +#endif
>  };
>
>  extern struct user_namespace init_user_ns;
> diff --git a/kernel/user.c b/kernel/user.c
> index b069ccb..ce5419e 100644
> --- a/kernel/user.c
> +++ b/kernel/user.c
> @@ -59,6 +59,9 @@ struct user_namespace init_user_ns = {
>         .persistent_keyring_register_sem =
>         __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),
>  #endif
> +#ifdef CONFIG_SECURITY
> +       .security = NULL,
> +#endif
>  };
>  EXPORT_SYMBOL_GPL(init_user_ns);
>
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 4109f83..cadffb6 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -22,6 +22,7 @@
>  #include <linux/ctype.h>
>  #include <linux/projid.h>
>  #include <linux/fs_struct.h>
> +#include <linux/security.h>
>
>  static struct kmem_cache *user_ns_cachep __read_mostly;
>  static DEFINE_MUTEX(userns_state_mutex);
> @@ -108,6 +109,15 @@ int create_user_ns(struct cred *new)
>
>         set_cred_user_ns(new, ns);
>
> +#ifdef CONFIG_SECURITY
> +       ret = security_userns_create(ns);
> +       if (ret) {
> +               ns_free_inum(&ns->ns);
> +               kmem_cache_free(user_ns_cachep, ns);
> +               return ret;
> +       }
> +#endif
> +
>  #ifdef CONFIG_PERSISTENT_KEYRINGS
>         init_rwsem(&ns->persistent_keyring_register_sem);
>  #endif
> @@ -143,6 +153,9 @@ void free_user_ns(struct user_namespace *ns)
>  #ifdef CONFIG_PERSISTENT_KEYRINGS
>                 key_put(ns->persistent_keyring_register);
>  #endif
> +#ifdef CONFIG_SECURITY
> +               security_userns_free(ns);
> +#endif
>                 ns_free_inum(&ns->ns);
>                 kmem_cache_free(user_ns_cachep, ns);
>                 ns = parent;
> @@ -969,6 +982,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
>  {
>         struct user_namespace *user_ns = to_user_ns(ns);
>         struct cred *cred;
> +       int err;
>
>         /* Don't allow gaining capabilities by reentering
>          * the same user namespace.
> @@ -986,6 +1000,10 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
>         if (!ns_capable(user_ns, CAP_SYS_ADMIN))
>                 return -EPERM;
>
> +       err = security_userns_setns(nsproxy, user_ns);
> +       if (err)
> +               return err;
> +
>         cred = prepare_creds();
>         if (!cred)
>                 return -ENOMEM;
> diff --git a/security/security.c b/security/security.c
> index 595fffa..5e66388 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -25,6 +25,7 @@
>  #include <linux/mount.h>
>  #include <linux/personality.h>
>  #include <linux/backing-dev.h>
> +#include <linux/user_namespace.h>
>  #include <net/flow.h>
>
>  #define MAX_LSM_EVM_XATTR      2
> @@ -1542,6 +1543,25 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
>  }
>  #endif /* CONFIG_AUDIT */
>
> +#ifdef CONFIG_USER_NS
> +
> +int security_userns_create(struct user_namespace *ns)
> +{
> +       return call_int_hook(userns_create, 0, ns);
> +}
> +
> +void security_userns_free(struct user_namespace *ns)
> +{
> +       call_void_hook(userns_free, ns);
> +}
> +
> +int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns)
> +{
> +       return call_int_hook(userns_setns, 0, nsproxy, ns);
> +}
> +
> +#endif /* CONFIG_USER_NS */
> +
>  struct security_hook_heads security_hook_heads = {
>         .binder_set_context_mgr =
>                 LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
> @@ -1886,4 +1906,12 @@ struct security_hook_heads security_hook_heads = {
>         .audit_rule_free =
>                 LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
>  #endif /* CONFIG_AUDIT */
> +#ifdef CONFIG_USER_NS
> +       .userns_create =
> +               LIST_HEAD_INIT(security_hook_heads.userns_create),
> +       .userns_free =
> +               LIST_HEAD_INIT(security_hook_heads.userns_free),
> +       .userns_setns =
> +               LIST_HEAD_INIT(security_hook_heads.userns_setns),
> +#endif /* CONFIG_USER_NS */
>  };
> --
> 2.4.3
>



-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ