lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Jul 2022 14:10:04 +0200 From: Christian Göttsche <cgzones@...glemail.com> To: Frederick Lawler <fred@...udflare.com> Cc: KP Singh <kpsingh@...nel.org>, revest@...omium.org, jackmanb@...omium.org, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>, John Fastabend <john.fastabend@...il.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Paul Moore <paul@...l-moore.com>, Stephen Smalley <stephen.smalley.work@...il.com>, Eric Paris <eparis@...isplace.org>, shuah@...nel.org, Christian Brauner <brauner@...nel.org>, Casey Schaufler <casey@...aufler-ca.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, bpf@...r.kernel.org, linux-security-module@...r.kernel.org, SElinux list <selinux@...r.kernel.org>, linux-kselftest@...r.kernel.org, Linux kernel mailing list <linux-kernel@...r.kernel.org>, netdev@...r.kernel.org, kernel-team@...udflare.com Subject: Re: [PATCH v2 0/4] Introduce security_create_user_ns() ,On Fri, 8 Jul 2022 at 00:32, Frederick Lawler <fred@...udflare.com> wrote: > > While creating a LSM BPF MAC policy to block user namespace creation, we > used the LSM cred_prepare hook because that is the closest hook to prevent > a call to create_user_ns(). > > The calls look something like this: > > cred = prepare_creds() > security_prepare_creds() > call_int_hook(cred_prepare, ... > if (cred) > create_user_ns(cred) > > We noticed that error codes were not propagated from this hook and > introduced a patch [1] to propagate those errors. > > The discussion notes that security_prepare_creds() > is not appropriate for MAC policies, and instead the hook is > meant for LSM authors to prepare credentials for mutation. [2] > > Ultimately, we concluded that a better course of action is to introduce > a new security hook for LSM authors. [3] > > This patch set first introduces a new security_create_user_ns() function > and create_user_ns LSM hook, then marks the hook as sleepable in BPF. Some thoughts: I. Why not make the hook more generic, e.g. support all other existing and potential future namespaces? Also I think the naming scheme is <object>_<verb>. LSM_HOOK(int, 0, namespace_create, const struct cred *cred, unsigned int flags) where flags is a bitmap of CLONE flags from include/uapi/linux/sched.h (like CLONE_NEWUSER). II. While adding policing for namespaces maybe also add a new hook for setns(2) LSM_HOOK(int, 0, namespace_join, const struct cred *subj, const struct cred *obj, unsigned int flags) III. Maybe even attach a security context to namespaces so they can be further governed? SELinux example: type domainA_userns_t; type_transition domainA_t domainA_t : namespace domainA_userns_t "user"; allow domainA_t domainA_userns_t:namespace create; # domainB calling setns(2) with domainA as target allow domainB_t domainA_userns_t:namespace join; > > Links: > 1. https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/ > 2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/ > 3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare.com/ > > Changes since v1: > - Add selftests/bpf: Add tests verifying bpf lsm create_user_ns hook patch > - Add selinux: Implement create_user_ns hook patch > - Change function signature of security_create_user_ns() to only take > struct cred > - Move security_create_user_ns() call after id mapping check in > create_user_ns() > - Update documentation to reflect changes > > Frederick Lawler (4): > security, lsm: Introduce security_create_user_ns() > bpf-lsm: Make bpf_lsm_create_user_ns() sleepable > selftests/bpf: Add tests verifying bpf lsm create_user_ns hook > selinux: Implement create_user_ns hook > > include/linux/lsm_hook_defs.h | 1 + > include/linux/lsm_hooks.h | 4 + > include/linux/security.h | 6 ++ > kernel/bpf/bpf_lsm.c | 1 + > kernel/user_namespace.c | 5 ++ > security/security.c | 5 ++ > security/selinux/hooks.c | 9 ++ > security/selinux/include/classmap.h | 2 + > .../selftests/bpf/prog_tests/deny_namespace.c | 88 +++++++++++++++++++ > .../selftests/bpf/progs/test_deny_namespace.c | 39 ++++++++ > 10 files changed, 160 insertions(+) > create mode 100644 tools/testing/selftests/bpf/prog_tests/deny_namespace.c > create mode 100644 tools/testing/selftests/bpf/progs/test_deny_namespace.c > > -- > 2.30.2 >
Powered by blists - more mailing lists