[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <25C89E75-A900-42C7-A8E4-2800AA2E3387@fb.com>
Date: Fri, 26 Aug 2022 17:00:51 +0000
From: Song Liu <songliubraving@...com>
To: "Serge E. Hallyn" <serge@...lyn.com>
CC: Paul Moore <paul@...l-moore.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Frederick Lawler <fred@...udflare.com>,
KP Singh <kpsingh@...nel.org>,
"revest@...omium.org" <revest@...omium.org>,
"jackmanb@...omium.org" <jackmanb@...omium.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>, Martin Lau <kafai@...com>,
Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
James Morris <jmorris@...ei.org>,
"stephen.smalley.work@...il.com" <stephen.smalley.work@...il.com>,
"eparis@...isplace.org" <eparis@...isplace.org>,
Shuah Khan <shuah@...nel.org>,
"brauner@...nel.org" <brauner@...nel.org>,
Casey Schaufler <casey@...aufler-ca.com>,
bpf <bpf@...r.kernel.org>,
LSM List <linux-security-module@...r.kernel.org>,
"selinux@...r.kernel.org" <selinux@...r.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Networking <netdev@...r.kernel.org>,
"kernel-team@...udflare.com" <kernel-team@...udflare.com>,
"cgzones@...glemail.com" <cgzones@...glemail.com>,
"karl@...badwolfsecurity.com" <karl@...badwolfsecurity.com>,
"tixxdz@...il.com" <tixxdz@...il.com>
Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns()
> On Aug 26, 2022, at 8:24 AM, Serge E. Hallyn <serge@...lyn.com> wrote:
>
> On Thu, Aug 25, 2022 at 09:58:46PM +0000, Song Liu wrote:
>>
>>
>>> On Aug 25, 2022, at 12:19 PM, Paul Moore <paul@...l-moore.com> wrote:
>>>
>>> On Thu, Aug 25, 2022 at 2:15 PM Eric W. Biederman <ebiederm@...ssion.com> wrote:
>>>> Paul Moore <paul@...l-moore.com> writes:
>>>>> On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn <serge@...lyn.com> wrote:
>>>>>> I am hoping we can come up with
>>>>>> "something better" to address people's needs, make everyone happy, and
>>>>>> bring forth world peace. Which would stack just fine with what's here
>>>>>> for defense in depth.
>>>>>>
>>>>>> You may well not be interested in further work, and that's fine. I need
>>>>>> to set aside a few days to think on this.
>>>>>
>>>>> I'm happy to continue the discussion as long as it's constructive; I
>>>>> think we all are. My gut feeling is that Frederick's approach falls
>>>>> closest to the sweet spot of "workable without being overly offensive"
>>>>> (*cough*), but if you've got an additional approach in mind, or an
>>>>> alternative approach that solves the same use case problems, I think
>>>>> we'd all love to hear about it.
>>>>
>>>> I would love to actually hear the problems people are trying to solve so
>>>> that we can have a sensible conversation about the trade offs.
>>>
>>> Here are several taken from the previous threads, it's surely not a
>>> complete list, but it should give you a good idea:
>>>
>>> https://lore.kernel.org/linux-security-module/CAHC9VhQnPAsmjmKo-e84XDJ1wmaOFkTKPjjztsOa9Yrq+AeAQA@mail.gmail.com/
>>>
>>>> As best I can tell without more information people want to use
>>>> the creation of a user namespace as a signal that the code is
>>>> attempting an exploit.
>>>
>>> Some use cases are like that, there are several other use cases that
>>> go beyond this; see all of our previous discussions on this
>>> topic/patchset. As has been mentioned before, there are use cases
>>> that require improved observability, access control, or both.
>>>
>>>> As such let me propose instead of returning an error code which will let
>>>> the exploit continue, have the security hook return a bool. With true
>>>> meaning the code can continue and on false it will trigger using SIGSYS
>>>> to terminate the program like seccomp does.
>>>
>>> Having the kernel forcibly exit the process isn't something that most
>>> LSMs would likely want. I suppose we could modify the hook/caller so
>>> that *if* an LSM wanted to return SIGSYS the system would kill the
>>> process, but I would want that to be something in addition to
>>> returning an error code like LSMs normally do (e.g. EACCES).
>>
>> I am new to user_namespace and security work, so please pardon me if
>> anything below is very wrong.
>>
>> IIUC, user_namespace is a tool that enables trusted userspace code to
>> control the behavior of untrusted (or less trusted) userspace code.
>
> No. user namespaces are not a way for more trusted code to control the
> behavior of less trusted code.
Hmm.. In this case, I think I really need to learn more.
Thanks for pointing out my misunderstanding.
Song
>
>> Failing create_user_ns() doesn't make the system more reliable.
>> Specifically, we call create_user_ns() via two paths: fork/clone and
>> unshare. For both paths, we need the userspace to use user_namespace,
>> and to honor failed create_user_ns().
>>
>> On the other hand, I would echo that killing the process is not
>> practical in some use cases. Specifically, allowing the application to
>> run in a less secure environment for a short period of time might be
>> much better than killing it and taking down the whole service. Of
>> course, there are other cases that security is more important, and
>> taking down the whole service is the better choice.
>>
>> I guess the ultimate solution is a way to enforce using user_namespace
>> in the kernel (if it ever makes sense...). But I don't know how that
>> gonna work. Before we have such solution, maybe we only need an
>> void hook for observability (or just a tracepoint, coming from BPF
>> background).
>>
>> Thanks,
>> Song
Powered by blists - more mailing lists