lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220826152445.GB12466@mail.hallyn.com>
Date:   Fri, 26 Aug 2022 10:24:45 -0500
From:   "Serge E. Hallyn" <serge@...lyn.com>
To:     Song Liu <songliubraving@...com>
Cc:     Paul Moore <paul@...l-moore.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Frederick Lawler <fred@...udflare.com>,
        KP Singh <kpsingh@...nel.org>,
        "revest@...omium.org" <revest@...omium.org>,
        "jackmanb@...omium.org" <jackmanb@...omium.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>, Martin Lau <kafai@...com>,
        Yonghong Song <yhs@...com>,
        John Fastabend <john.fastabend@...il.com>,
        James Morris <jmorris@...ei.org>,
        "stephen.smalley.work@...il.com" <stephen.smalley.work@...il.com>,
        "eparis@...isplace.org" <eparis@...isplace.org>,
        Shuah Khan <shuah@...nel.org>,
        "brauner@...nel.org" <brauner@...nel.org>,
        Casey Schaufler <casey@...aufler-ca.com>,
        bpf <bpf@...r.kernel.org>,
        LSM List <linux-security-module@...r.kernel.org>,
        "selinux@...r.kernel.org" <selinux@...r.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Networking <netdev@...r.kernel.org>,
        "kernel-team@...udflare.com" <kernel-team@...udflare.com>,
        "cgzones@...glemail.com" <cgzones@...glemail.com>,
        "karl@...badwolfsecurity.com" <karl@...badwolfsecurity.com>,
        "tixxdz@...il.com" <tixxdz@...il.com>
Subject: Re: [PATCH v5 0/4] Introduce security_create_user_ns()

On Thu, Aug 25, 2022 at 09:58:46PM +0000, Song Liu wrote:
> 
> 
> > On Aug 25, 2022, at 12:19 PM, Paul Moore <paul@...l-moore.com> wrote:
> > 
> > On Thu, Aug 25, 2022 at 2:15 PM Eric W. Biederman <ebiederm@...ssion.com> wrote:
> >> Paul Moore <paul@...l-moore.com> writes:
> >>> On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn <serge@...lyn.com> wrote:
> >>>> I am hoping we can come up with
> >>>> "something better" to address people's needs, make everyone happy, and
> >>>> bring forth world peace.  Which would stack just fine with what's here
> >>>> for defense in depth.
> >>>> 
> >>>> You may well not be interested in further work, and that's fine.  I need
> >>>> to set aside a few days to think on this.
> >>> 
> >>> I'm happy to continue the discussion as long as it's constructive; I
> >>> think we all are.  My gut feeling is that Frederick's approach falls
> >>> closest to the sweet spot of "workable without being overly offensive"
> >>> (*cough*), but if you've got an additional approach in mind, or an
> >>> alternative approach that solves the same use case problems, I think
> >>> we'd all love to hear about it.
> >> 
> >> I would love to actually hear the problems people are trying to solve so
> >> that we can have a sensible conversation about the trade offs.
> > 
> > Here are several taken from the previous threads, it's surely not a
> > complete list, but it should give you a good idea:
> > 
> > https://lore.kernel.org/linux-security-module/CAHC9VhQnPAsmjmKo-e84XDJ1wmaOFkTKPjjztsOa9Yrq+AeAQA@mail.gmail.com/
> > 
> >> As best I can tell without more information people want to use
> >> the creation of a user namespace as a signal that the code is
> >> attempting an exploit.
> > 
> > Some use cases are like that, there are several other use cases that
> > go beyond this; see all of our previous discussions on this
> > topic/patchset.  As has been mentioned before, there are use cases
> > that require improved observability, access control, or both.
> > 
> >> As such let me propose instead of returning an error code which will let
> >> the exploit continue, have the security hook return a bool.  With true
> >> meaning the code can continue and on false it will trigger using SIGSYS
> >> to terminate the program like seccomp does.
> > 
> > Having the kernel forcibly exit the process isn't something that most
> > LSMs would likely want.  I suppose we could modify the hook/caller so
> > that *if* an LSM wanted to return SIGSYS the system would kill the
> > process, but I would want that to be something in addition to
> > returning an error code like LSMs normally do (e.g. EACCES).
> 
> I am new to user_namespace and security work, so please pardon me if
> anything below is very wrong. 
> 
> IIUC, user_namespace is a tool that enables trusted userspace code to 
> control the behavior of untrusted (or less trusted) userspace code. 

No.  user namespaces are not a way for more trusted code to control the
behavior of less trusted code.

> Failing create_user_ns() doesn't make the system more reliable. 
> Specifically, we call create_user_ns() via two paths: fork/clone and 
> unshare. For both paths, we need the userspace to use user_namespace, 
> and to honor failed create_user_ns(). 
> 
> On the other hand, I would echo that killing the process is not 
> practical in some use cases. Specifically, allowing the application to 
> run in a less secure environment for a short period of time might be 
> much better than killing it and taking down the whole service. Of 
> course, there are other cases that security is more important, and 
> taking down the whole service is the better choice. 
> 
> I guess the ultimate solution is a way to enforce using user_namespace
> in the kernel (if it ever makes sense...). But I don't know how that
> gonna work. Before we have such solution, maybe we only need an 
> void hook for observability (or just a tracepoint, coming from BPF
> background). 
> 
> Thanks,
> Song

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ