mbox series

[0/2] Introduce security_create_user_ns()

Message ID 20220621233939.993579-1-fred@cloudflare.com (mailing list archive)
Headers show
Series Introduce security_create_user_ns() | expand

Message

Frederick Lawler June 21, 2022, 11:39 p.m. UTC
While creating a LSM BPF MAC policy to block user namespace creation, we
used the LSM cred_prepare hook because that is the closest hook to prevent
a call to create_user_ns().

The calls look something like this:

    cred = prepare_creds()
        security_prepare_creds()
            call_int_hook(cred_prepare, ...
    if (cred)
        create_user_ns(cred)

We noticed that error codes were not propagated from this hook and
introduced a patch [1] to propagate those errors.

The discussion notes that security_prepare_creds()
is not appropriate for MAC policies, and instead the hook is
meant for LSM authors to prepare credentials for mutation. [2]

Ultimately, we concluded that a better course of action is to introduce
a new security hook for LSM authors. [3]

This patch set first introduces a new security_create_user_ns() function
and create_user_ns LSM hook, then marks the hook as sleepable in BPF.

Links:
1. https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/
2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/
3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare.com/

Frederick Lawler (2):
  security, lsm: Introduce security_create_user_ns()
  bpf-lsm: Make bpf_lsm_create_user_ns() sleepable

 include/linux/lsm_hook_defs.h | 2 ++
 include/linux/lsm_hooks.h     | 5 +++++
 include/linux/security.h      | 8 ++++++++
 kernel/bpf/bpf_lsm.c          | 1 +
 kernel/user_namespace.c       | 5 +++++
 security/security.c           | 6 ++++++
 6 files changed, 27 insertions(+)

--
2.30.2

Comments

Casey Schaufler June 22, 2022, 12:19 a.m. UTC | #1
On 6/21/2022 4:39 PM, Frederick Lawler wrote:
> While creating a LSM BPF MAC policy to block user namespace creation, we
> used the LSM cred_prepare hook because that is the closest hook to prevent
> a call to create_user_ns().
>
> The calls look something like this:
>
>      cred = prepare_creds()
>          security_prepare_creds()
>              call_int_hook(cred_prepare, ...
>      if (cred)
>          create_user_ns(cred)
>
> We noticed that error codes were not propagated from this hook and
> introduced a patch [1] to propagate those errors.
>
> The discussion notes that security_prepare_creds()
> is not appropriate for MAC policies, and instead the hook is
> meant for LSM authors to prepare credentials for mutation. [2]
>
> Ultimately, we concluded that a better course of action is to introduce
> a new security hook for LSM authors. [3]
>
> This patch set first introduces a new security_create_user_ns() function
> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.

Why restrict this hook to user namespaces? It seems that an LSM that
chooses to preform controls on user namespaces may want to do so for
network namespaces as well. Also, the hook seems backwards. You should
decide if the creation of the namespace is allowed before you create it.
Passing the new namespace to a function that checks to see creating a
namespace is allowed doesn't make a lot off sense.

>
> Links:
> 1. https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/
> 2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/
> 3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare.com/
>
> Frederick Lawler (2):
>    security, lsm: Introduce security_create_user_ns()
>    bpf-lsm: Make bpf_lsm_create_user_ns() sleepable
>
>   include/linux/lsm_hook_defs.h | 2 ++
>   include/linux/lsm_hooks.h     | 5 +++++
>   include/linux/security.h      | 8 ++++++++
>   kernel/bpf/bpf_lsm.c          | 1 +
>   kernel/user_namespace.c       | 5 +++++
>   security/security.c           | 6 ++++++
>   6 files changed, 27 insertions(+)
>
> --
> 2.30.2
>
Frederick Lawler June 22, 2022, 2:24 p.m. UTC | #2
Hi Casey,

On 6/21/22 7:19 PM, Casey Schaufler wrote:
> On 6/21/2022 4:39 PM, Frederick Lawler wrote:
>> While creating a LSM BPF MAC policy to block user namespace creation, we
>> used the LSM cred_prepare hook because that is the closest hook to 
>> prevent
>> a call to create_user_ns().
>>
>> The calls look something like this:
>>
>>      cred = prepare_creds()
>>          security_prepare_creds()
>>              call_int_hook(cred_prepare, ...
>>      if (cred)
>>          create_user_ns(cred)
>>
>> We noticed that error codes were not propagated from this hook and
>> introduced a patch [1] to propagate those errors.
>>
>> The discussion notes that security_prepare_creds()
>> is not appropriate for MAC policies, and instead the hook is
>> meant for LSM authors to prepare credentials for mutation. [2]
>>
>> Ultimately, we concluded that a better course of action is to introduce
>> a new security hook for LSM authors. [3]
>>
>> This patch set first introduces a new security_create_user_ns() function
>> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
> 
> Why restrict this hook to user namespaces? It seems that an LSM that
> chooses to preform controls on user namespaces may want to do so for
> network namespaces as well.
IIRC, CLONE_NEWUSER is the only namespace flag that does not require 
CAP_SYS_ADMIN. There is a security use case to prevent this namespace 
from being created within an unprivileged environment. I'm not opposed 
to a more generic hook, but I don't currently have a use case to block 
any others. We can also say the same is true for the other namespaces: 
add this generic security function to these too.

I'm curious what others think about this too.


> Also, the hook seems backwards. You should
> decide if the creation of the namespace is allowed before you create it.
> Passing the new namespace to a function that checks to see creating a
> namespace is allowed doesn't make a lot off sense.
> 

I think having more context to a security hook is a good thing. I 
believe you brought up in the previous discussions that you'd like to 
use this hook for xattr purposes. Doesn't that require a namespace?

>>
>> Links:
>> 1. 
>> https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/
>> 2. 
>> https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/ 
>>
>> 3. 
>> https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare.com/ 
>>
>>
>> Frederick Lawler (2):
>>    security, lsm: Introduce security_create_user_ns()
>>    bpf-lsm: Make bpf_lsm_create_user_ns() sleepable
>>
>>   include/linux/lsm_hook_defs.h | 2 ++
>>   include/linux/lsm_hooks.h     | 5 +++++
>>   include/linux/security.h      | 8 ++++++++
>>   kernel/bpf/bpf_lsm.c          | 1 +
>>   kernel/user_namespace.c       | 5 +++++
>>   security/security.c           | 6 ++++++
>>   6 files changed, 27 insertions(+)
>>
>> -- 
>> 2.30.2
>>
Casey Schaufler June 22, 2022, 3:26 p.m. UTC | #3
On 6/22/2022 7:24 AM, Frederick Lawler wrote:
> Hi Casey,
>
> On 6/21/22 7:19 PM, Casey Schaufler wrote:
>> On 6/21/2022 4:39 PM, Frederick Lawler wrote:
>>> While creating a LSM BPF MAC policy to block user namespace creation, we
>>> used the LSM cred_prepare hook because that is the closest hook to prevent
>>> a call to create_user_ns().
>>>
>>> The calls look something like this:
>>>
>>>      cred = prepare_creds()
>>>          security_prepare_creds()
>>>              call_int_hook(cred_prepare, ...
>>>      if (cred)
>>>          create_user_ns(cred)
>>>
>>> We noticed that error codes were not propagated from this hook and
>>> introduced a patch [1] to propagate those errors.
>>>
>>> The discussion notes that security_prepare_creds()
>>> is not appropriate for MAC policies, and instead the hook is
>>> meant for LSM authors to prepare credentials for mutation. [2]
>>>
>>> Ultimately, we concluded that a better course of action is to introduce
>>> a new security hook for LSM authors. [3]
>>>
>>> This patch set first introduces a new security_create_user_ns() function
>>> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
>>
>> Why restrict this hook to user namespaces? It seems that an LSM that
>> chooses to preform controls on user namespaces may want to do so for
>> network namespaces as well.
> IIRC, CLONE_NEWUSER is the only namespace flag that does not require CAP_SYS_ADMIN.

LSM hooks are (or should be) orthogonal to capabilities, except for
where they are required to implement capabilities.

> There is a security use case to prevent this namespace from being created within an unprivileged environment.

Yes, which is why some people argued against allowing unprivileged creation of
user namespaces.

> I'm not opposed to a more generic hook, but I don't currently have a use case to block any others. We can also say the same is true for the other namespaces: add this generic security function to these too.

If the only reason to have the hook is to disallow unprivileged user namespaces
it's probably time to revise the decision to always allow them. Make it a build
or runtime option. That would address the issue more directly than creating a
security module.

>
> I'm curious what others think about this too.
>
>
>> Also, the hook seems backwards. You should
>> decide if the creation of the namespace is allowed before you create it.
>> Passing the new namespace to a function that checks to see creating a
>> namespace is allowed doesn't make a lot off sense.
>>
>
> I think having more context to a security hook is a good thing. I believe you brought up in the previous discussions that you'd like to use this hook for xattr purposes. Doesn't that require a namespace?

I'm not saying the information isn't required. But if you create a new namespace
and then decide the user isn't allowed to create a namespace you have to tear it
down. That's ugly. Better to pass the creation parameters to the hook before
creating the namespace.

The relationship between xattrs and namespaces is it's own can of worms.

>
>>>
>>> Links:
>>> 1. https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/
>>> 2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/
>>> 3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare.com/
>>>
>>> Frederick Lawler (2):
>>>    security, lsm: Introduce security_create_user_ns()
>>>    bpf-lsm: Make bpf_lsm_create_user_ns() sleepable
>>>
>>>   include/linux/lsm_hook_defs.h | 2 ++
>>>   include/linux/lsm_hooks.h     | 5 +++++
>>>   include/linux/security.h      | 8 ++++++++
>>>   kernel/bpf/bpf_lsm.c          | 1 +
>>>   kernel/user_namespace.c       | 5 +++++
>>>   security/security.c           | 6 ++++++
>>>   6 files changed, 27 insertions(+)
>>>
>>> -- 
>>> 2.30.2
>>>
>
Casey Schaufler June 22, 2022, 3:26 p.m. UTC | #4
On 6/22/2022 7:24 AM, Frederick Lawler wrote:
> Hi Casey,
>
> On 6/21/22 7:19 PM, Casey Schaufler wrote:
>> On 6/21/2022 4:39 PM, Frederick Lawler wrote:
>>> While creating a LSM BPF MAC policy to block user namespace creation, we
>>> used the LSM cred_prepare hook because that is the closest hook to prevent
>>> a call to create_user_ns().
>>>
>>> The calls look something like this:
>>>
>>>      cred = prepare_creds()
>>>          security_prepare_creds()
>>>              call_int_hook(cred_prepare, ...
>>>      if (cred)
>>>          create_user_ns(cred)
>>>
>>> We noticed that error codes were not propagated from this hook and
>>> introduced a patch [1] to propagate those errors.
>>>
>>> The discussion notes that security_prepare_creds()
>>> is not appropriate for MAC policies, and instead the hook is
>>> meant for LSM authors to prepare credentials for mutation. [2]
>>>
>>> Ultimately, we concluded that a better course of action is to introduce
>>> a new security hook for LSM authors. [3]
>>>
>>> This patch set first introduces a new security_create_user_ns() function
>>> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
>>
>> Why restrict this hook to user namespaces? It seems that an LSM that
>> chooses to preform controls on user namespaces may want to do so for
>> network namespaces as well.
> IIRC, CLONE_NEWUSER is the only namespace flag that does not require CAP_SYS_ADMIN.

LSM hooks are (or should be) orthogonal to capabilities, except for
where they are required to implement capabilities.

> There is a security use case to prevent this namespace from being created within an unprivileged environment.

Yes, which is why some people argued against allowing unprivileged creation of
user namespaces.

> I'm not opposed to a more generic hook, but I don't currently have a use case to block any others. We can also say the same is true for the other namespaces: add this generic security function to these too.

If the only reason to have the hook is to disallow unprivileged user namespaces
it's probably time to revise the decision to always allow them. Make it a build
or runtime option. That would address the issue more directly than creating a
security module.

>
> I'm curious what others think about this too.
>
>
>> Also, the hook seems backwards. You should
>> decide if the creation of the namespace is allowed before you create it.
>> Passing the new namespace to a function that checks to see creating a
>> namespace is allowed doesn't make a lot off sense.
>>
>
> I think having more context to a security hook is a good thing. I believe you brought up in the previous discussions that you'd like to use this hook for xattr purposes. Doesn't that require a namespace?

I'm not saying the information isn't required. But if you create a new namespace
and then decide the user isn't allowed to create a namespace you have to tear it
down. That's ugly. Better to pass the creation parameters to the hook before
creating the namespace.

The relationship between xattrs and namespaces is it's own can of worms.

>
>>>
>>> Links:
>>> 1. https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/
>>> 2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/
>>> 3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare.com/
>>>
>>> Frederick Lawler (2):
>>>    security, lsm: Introduce security_create_user_ns()
>>>    bpf-lsm: Make bpf_lsm_create_user_ns() sleepable
>>>
>>>   include/linux/lsm_hook_defs.h | 2 ++
>>>   include/linux/lsm_hooks.h     | 5 +++++
>>>   include/linux/security.h      | 8 ++++++++
>>>   kernel/bpf/bpf_lsm.c          | 1 +
>>>   kernel/user_namespace.c       | 5 +++++
>>>   security/security.c           | 6 ++++++
>>>   6 files changed, 27 insertions(+)
>>>
>>> -- 
>>> 2.30.2
>>>
>
Paul Moore June 24, 2022, 3:21 a.m. UTC | #5
On Wed, Jun 22, 2022 at 10:24 AM Frederick Lawler <fred@cloudflare.com> wrote:
> On 6/21/22 7:19 PM, Casey Schaufler wrote:
> > On 6/21/2022 4:39 PM, Frederick Lawler wrote:
> >> While creating a LSM BPF MAC policy to block user namespace creation, we
> >> used the LSM cred_prepare hook because that is the closest hook to
> >> prevent
> >> a call to create_user_ns().
> >>
> >> The calls look something like this:
> >>
> >>      cred = prepare_creds()
> >>          security_prepare_creds()
> >>              call_int_hook(cred_prepare, ...
> >>      if (cred)
> >>          create_user_ns(cred)
> >>
> >> We noticed that error codes were not propagated from this hook and
> >> introduced a patch [1] to propagate those errors.
> >>
> >> The discussion notes that security_prepare_creds()
> >> is not appropriate for MAC policies, and instead the hook is
> >> meant for LSM authors to prepare credentials for mutation. [2]
> >>
> >> Ultimately, we concluded that a better course of action is to introduce
> >> a new security hook for LSM authors. [3]
> >>
> >> This patch set first introduces a new security_create_user_ns() function
> >> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
> >
> > Why restrict this hook to user namespaces? It seems that an LSM that
> > chooses to preform controls on user namespaces may want to do so for
> > network namespaces as well.
>
> IIRC, CLONE_NEWUSER is the only namespace flag that does not require
> CAP_SYS_ADMIN. There is a security use case to prevent this namespace
> from being created within an unprivileged environment. I'm not opposed
> to a more generic hook, but I don't currently have a use case to block
> any others. We can also say the same is true for the other namespaces:
> add this generic security function to these too.
>
> I'm curious what others think about this too.

While user namespaces are obviously one of the more significant
namespaces from a security perspective, I do think it seems reasonable
that the LSMs could benefit from additional namespace creation hooks.
However, I don't think we need to do all of them at once, starting
with a userns hook seems okay to me.

I also think that using the same LSM hook as an access control point
for all of the different namespaces would be a mistake.  At the very
least we would need to pass a flag or some form of context to the hook
to indicate which new namespace(s) are being requested and I fear that
is a problem waiting to happen.  That isn't to say someone couldn't
mistakenly call the security_create_user_ns(...) from the mount
namespace code, but I suspect that is much easier to identify as wrong
than the equivalent security_create_ns(USER, ...).

We also should acknowledge that while in most cases the current task's
credentials are probably sufficient to make any LSM access control
decisions around namespace creation, it's possible that for some
namespaces we would need to pass additional, namespace specific info
to the LSM.  With a shared LSM hook this could become rather awkward.

> > Also, the hook seems backwards. You should
> > decide if the creation of the namespace is allowed before you create it.
> > Passing the new namespace to a function that checks to see creating a
> > namespace is allowed doesn't make a lot off sense.
>
> I think having more context to a security hook is a good thing.

This is one of the reasons why I usually like to see at least one LSM
implementation to go along with every new/modified hook.  The
implementation forces you to think about what information is necessary
to perform a basic access control decision; sometimes it isn't always
obvious until you have to write the access control :)

[aside: If you would like to explore the SELinux implementation let me
know, I'm happy to work with you on this.  I suspect Casey and the
other LSM maintainers would also be willing to do the same for their
LSMs.]

In this particular case I think the calling task's credentials are
generally all that is needed.  You mention that the newly created
namespace would be helpful, so I'll ask: what info in the new ns do
you believe would be helpful in making an access decision about its
creation?

Once we've sorted that we can make a better decision about the hook
placement, but right now my gut feeling is that we only need to pass
the task's creds, and I think placing the hook right after the UID/GID
mapping check (before the new ns allocation) would be the best spot.
Christian Brauner June 27, 2022, 12:11 p.m. UTC | #6
On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
> On Wed, Jun 22, 2022 at 10:24 AM Frederick Lawler <fred@cloudflare.com> wrote:
> > On 6/21/22 7:19 PM, Casey Schaufler wrote:
> > > On 6/21/2022 4:39 PM, Frederick Lawler wrote:
> > >> While creating a LSM BPF MAC policy to block user namespace creation, we
> > >> used the LSM cred_prepare hook because that is the closest hook to
> > >> prevent
> > >> a call to create_user_ns().
> > >>
> > >> The calls look something like this:
> > >>
> > >>      cred = prepare_creds()
> > >>          security_prepare_creds()
> > >>              call_int_hook(cred_prepare, ...
> > >>      if (cred)
> > >>          create_user_ns(cred)
> > >>
> > >> We noticed that error codes were not propagated from this hook and
> > >> introduced a patch [1] to propagate those errors.
> > >>
> > >> The discussion notes that security_prepare_creds()
> > >> is not appropriate for MAC policies, and instead the hook is
> > >> meant for LSM authors to prepare credentials for mutation. [2]
> > >>
> > >> Ultimately, we concluded that a better course of action is to introduce
> > >> a new security hook for LSM authors. [3]
> > >>
> > >> This patch set first introduces a new security_create_user_ns() function
> > >> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
> > >
> > > Why restrict this hook to user namespaces? It seems that an LSM that
> > > chooses to preform controls on user namespaces may want to do so for
> > > network namespaces as well.
> >
> > IIRC, CLONE_NEWUSER is the only namespace flag that does not require
> > CAP_SYS_ADMIN. There is a security use case to prevent this namespace
> > from being created within an unprivileged environment. I'm not opposed
> > to a more generic hook, but I don't currently have a use case to block
> > any others. We can also say the same is true for the other namespaces:
> > add this generic security function to these too.
> >
> > I'm curious what others think about this too.
> 
> While user namespaces are obviously one of the more significant
> namespaces from a security perspective, I do think it seems reasonable
> that the LSMs could benefit from additional namespace creation hooks.
> However, I don't think we need to do all of them at once, starting
> with a userns hook seems okay to me.
> 
> I also think that using the same LSM hook as an access control point
> for all of the different namespaces would be a mistake.  At the very

Agreed.

> least we would need to pass a flag or some form of context to the hook
> to indicate which new namespace(s) are being requested and I fear that
> is a problem waiting to happen.  That isn't to say someone couldn't
> mistakenly call the security_create_user_ns(...) from the mount
> namespace code, but I suspect that is much easier to identify as wrong
> than the equivalent security_create_ns(USER, ...).

Yeah, I think that's a pretty unlikely scenario.

> 
> We also should acknowledge that while in most cases the current task's
> credentials are probably sufficient to make any LSM access control
> decisions around namespace creation, it's possible that for some
> namespaces we would need to pass additional, namespace specific info
> to the LSM.  With a shared LSM hook this could become rather awkward.

Agreed.

> 
> > > Also, the hook seems backwards. You should
> > > decide if the creation of the namespace is allowed before you create it.
> > > Passing the new namespace to a function that checks to see creating a
> > > namespace is allowed doesn't make a lot off sense.
> >
> > I think having more context to a security hook is a good thing.
> 
> This is one of the reasons why I usually like to see at least one LSM
> implementation to go along with every new/modified hook.  The
> implementation forces you to think about what information is necessary
> to perform a basic access control decision; sometimes it isn't always
> obvious until you have to write the access control :)

I spoke to Frederick at length during LSS and as I've been given to
understand there's a eBPF program that would immediately use this new
hook. Now I don't want to get into the whole "Is the eBPF LSM hook
infrastructure an LSM" but I think we can let this count as a legitimate
first user of this hook/code.

> 
> [aside: If you would like to explore the SELinux implementation let me
> know, I'm happy to work with you on this.  I suspect Casey and the
> other LSM maintainers would also be willing to do the same for their
> LSMs.]
> 
> In this particular case I think the calling task's credentials are
> generally all that is needed.  You mention that the newly created

Agreed.

> namespace would be helpful, so I'll ask: what info in the new ns do
> you believe would be helpful in making an access decision about its
> creation?
> 
> Once we've sorted that we can make a better decision about the hook
> placement, but right now my gut feeling is that we only need to pass
> the task's creds, and I think placing the hook right after the UID/GID
> mapping check (before the new ns allocation) would be the best spot.

When I toyed with this I placed it directly into create_user_ns() and
only relied on the calling task's cred. I just created an eBPF program
that verifies the caller is capable(CAP_SYS_ADMIN). Since both the
chrooted and mapping check return EPERM it doesn't really matter that
much where exactly. Conceptually it makes more sense to me to place it
after the mapping check because then all the preliminaries are done.

Christian
Frederick Lawler June 27, 2022, 3:51 p.m. UTC | #7
On 6/27/22 7:11 AM, Christian Brauner wrote:
> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
>> On Wed, Jun 22, 2022 at 10:24 AM Frederick Lawler <fred@cloudflare.com> wrote:
>>> On 6/21/22 7:19 PM, Casey Schaufler wrote:
>>>> On 6/21/2022 4:39 PM, Frederick Lawler wrote:
>>>>> While creating a LSM BPF MAC policy to block user namespace creation, we
>>>>> used the LSM cred_prepare hook because that is the closest hook to
>>>>> prevent
>>>>> a call to create_user_ns().
>>>>>
>>>>> The calls look something like this:
>>>>>
>>>>>       cred = prepare_creds()
>>>>>           security_prepare_creds()
>>>>>               call_int_hook(cred_prepare, ...
>>>>>       if (cred)
>>>>>           create_user_ns(cred)
>>>>>
>>>>> We noticed that error codes were not propagated from this hook and
>>>>> introduced a patch [1] to propagate those errors.
>>>>>
>>>>> The discussion notes that security_prepare_creds()
>>>>> is not appropriate for MAC policies, and instead the hook is
>>>>> meant for LSM authors to prepare credentials for mutation. [2]
>>>>>
>>>>> Ultimately, we concluded that a better course of action is to introduce
>>>>> a new security hook for LSM authors. [3]
>>>>>
>>>>> This patch set first introduces a new security_create_user_ns() function
>>>>> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
>>>>
>>>> Why restrict this hook to user namespaces? It seems that an LSM that
>>>> chooses to preform controls on user namespaces may want to do so for
>>>> network namespaces as well.
>>>
>>> IIRC, CLONE_NEWUSER is the only namespace flag that does not require
>>> CAP_SYS_ADMIN. There is a security use case to prevent this namespace
>>> from being created within an unprivileged environment. I'm not opposed
>>> to a more generic hook, but I don't currently have a use case to block
>>> any others. We can also say the same is true for the other namespaces:
>>> add this generic security function to these too.
>>>
>>> I'm curious what others think about this too.
>>
>> While user namespaces are obviously one of the more significant
>> namespaces from a security perspective, I do think it seems reasonable
>> that the LSMs could benefit from additional namespace creation hooks.
>> However, I don't think we need to do all of them at once, starting
>> with a userns hook seems okay to me.
>>
>> I also think that using the same LSM hook as an access control point
>> for all of the different namespaces would be a mistake.  At the very
> 
> Agreed. >
>> least we would need to pass a flag or some form of context to the hook
>> to indicate which new namespace(s) are being requested and I fear that
>> is a problem waiting to happen.  That isn't to say someone couldn't
>> mistakenly call the security_create_user_ns(...) from the mount
>> namespace code, but I suspect that is much easier to identify as wrong
>> than the equivalent security_create_ns(USER, ...).
> 
> Yeah, I think that's a pretty unlikely scenario.
> 
>>
>> We also should acknowledge that while in most cases the current task's
>> credentials are probably sufficient to make any LSM access control
>> decisions around namespace creation, it's possible that for some
>> namespaces we would need to pass additional, namespace specific info
>> to the LSM.  With a shared LSM hook this could become rather awkward.
> 
> Agreed.
> 
>>
>>>> Also, the hook seems backwards. You should
>>>> decide if the creation of the namespace is allowed before you create it.
>>>> Passing the new namespace to a function that checks to see creating a
>>>> namespace is allowed doesn't make a lot off sense.
>>>
>>> I think having more context to a security hook is a good thing.
>>
>> This is one of the reasons why I usually like to see at least one LSM
>> implementation to go along with every new/modified hook.  The
>> implementation forces you to think about what information is necessary
>> to perform a basic access control decision; sometimes it isn't always
>> obvious until you have to write the access control :)
> 
> I spoke to Frederick at length during LSS and as I've been given to
> understand there's a eBPF program that would immediately use this new
> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
> infrastructure an LSM" but I think we can let this count as a legitimate
> first user of this hook/code.
> 
>>
>> [aside: If you would like to explore the SELinux implementation let me
>> know, I'm happy to work with you on this.  I suspect Casey and the
>> other LSM maintainers would also be willing to do the same for their
>> LSMs.]
>>

I can take a shot at making a SELinux implementation, but the question 
becomes: is that for v2 or a later patch? I don't think the 
implementation for SELinux would be too complicated (i.e. make a call to 
avc_has_perm()?) but, testing and revisions might take a bit longer.

>> In this particular case I think the calling task's credentials are
>> generally all that is needed.  You mention that the newly created
> 
> Agreed.
> 
>> namespace would be helpful, so I'll ask: what info in the new ns do
>> you believe would be helpful in making an access decision about its
>> creation?
>>

In the other thread [1], there was mention of xattr mapping support. As 
I understand Caseys response to this thread [2], that feature is no 
longer requested for this hook.

Users can still access the older parent ns from the passed in cred, but 
I was thinking of handling the transition point here. There's probably 
more suitable hooks for that case.


>> Once we've sorted that we can make a better decision about the hook
>> placement, but right now my gut feeling is that we only need to pass
>> the task's creds, and I think placing the hook right after the UID/GID
>> mapping check (before the new ns allocation) would be the best spot.
> 

I don't specifically have a use case to pass the new user namespace for 
this hook at this time. I'll move the hook in v2.

> When I toyed with this I placed it directly into create_user_ns() and
> only relied on the calling task's cred. I just created an eBPF program
> that verifies the caller is capable(CAP_SYS_ADMIN). Since both the
> chrooted and mapping check return EPERM it doesn't really matter that
> much where exactly. Conceptually it makes more sense to me to place it
> after the mapping check because then all the preliminaries are done.
> 

Agreed.

> Christian

Links:
1. 
https://lore.kernel.org/all/4ae12ee6-959c-51cb-9d7a-54adb3a0ea53@schaufler-ca.com/
2. 
https://lore.kernel.org/all/4b62f0c5-9f3c-e0bc-d836-1b7cdea429da@schaufler-ca.com/
Christian Brauner June 27, 2022, 3:56 p.m. UTC | #8
On Mon, Jun 27, 2022 at 10:51:48AM -0500, Frederick Lawler wrote:
> On 6/27/22 7:11 AM, Christian Brauner wrote:
> > On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
> > > On Wed, Jun 22, 2022 at 10:24 AM Frederick Lawler <fred@cloudflare.com> wrote:
> > > > On 6/21/22 7:19 PM, Casey Schaufler wrote:
> > > > > On 6/21/2022 4:39 PM, Frederick Lawler wrote:
> > > > > > While creating a LSM BPF MAC policy to block user namespace creation, we
> > > > > > used the LSM cred_prepare hook because that is the closest hook to
> > > > > > prevent
> > > > > > a call to create_user_ns().
> > > > > > 
> > > > > > The calls look something like this:
> > > > > > 
> > > > > >       cred = prepare_creds()
> > > > > >           security_prepare_creds()
> > > > > >               call_int_hook(cred_prepare, ...
> > > > > >       if (cred)
> > > > > >           create_user_ns(cred)
> > > > > > 
> > > > > > We noticed that error codes were not propagated from this hook and
> > > > > > introduced a patch [1] to propagate those errors.
> > > > > > 
> > > > > > The discussion notes that security_prepare_creds()
> > > > > > is not appropriate for MAC policies, and instead the hook is
> > > > > > meant for LSM authors to prepare credentials for mutation. [2]
> > > > > > 
> > > > > > Ultimately, we concluded that a better course of action is to introduce
> > > > > > a new security hook for LSM authors. [3]
> > > > > > 
> > > > > > This patch set first introduces a new security_create_user_ns() function
> > > > > > and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
> > > > > 
> > > > > Why restrict this hook to user namespaces? It seems that an LSM that
> > > > > chooses to preform controls on user namespaces may want to do so for
> > > > > network namespaces as well.
> > > > 
> > > > IIRC, CLONE_NEWUSER is the only namespace flag that does not require
> > > > CAP_SYS_ADMIN. There is a security use case to prevent this namespace
> > > > from being created within an unprivileged environment. I'm not opposed
> > > > to a more generic hook, but I don't currently have a use case to block
> > > > any others. We can also say the same is true for the other namespaces:
> > > > add this generic security function to these too.
> > > > 
> > > > I'm curious what others think about this too.
> > > 
> > > While user namespaces are obviously one of the more significant
> > > namespaces from a security perspective, I do think it seems reasonable
> > > that the LSMs could benefit from additional namespace creation hooks.
> > > However, I don't think we need to do all of them at once, starting
> > > with a userns hook seems okay to me.
> > > 
> > > I also think that using the same LSM hook as an access control point
> > > for all of the different namespaces would be a mistake.  At the very
> > 
> > Agreed. >
> > > least we would need to pass a flag or some form of context to the hook
> > > to indicate which new namespace(s) are being requested and I fear that
> > > is a problem waiting to happen.  That isn't to say someone couldn't
> > > mistakenly call the security_create_user_ns(...) from the mount
> > > namespace code, but I suspect that is much easier to identify as wrong
> > > than the equivalent security_create_ns(USER, ...).
> > 
> > Yeah, I think that's a pretty unlikely scenario.
> > 
> > > 
> > > We also should acknowledge that while in most cases the current task's
> > > credentials are probably sufficient to make any LSM access control
> > > decisions around namespace creation, it's possible that for some
> > > namespaces we would need to pass additional, namespace specific info
> > > to the LSM.  With a shared LSM hook this could become rather awkward.
> > 
> > Agreed.
> > 
> > > 
> > > > > Also, the hook seems backwards. You should
> > > > > decide if the creation of the namespace is allowed before you create it.
> > > > > Passing the new namespace to a function that checks to see creating a
> > > > > namespace is allowed doesn't make a lot off sense.
> > > > 
> > > > I think having more context to a security hook is a good thing.
> > > 
> > > This is one of the reasons why I usually like to see at least one LSM
> > > implementation to go along with every new/modified hook.  The
> > > implementation forces you to think about what information is necessary
> > > to perform a basic access control decision; sometimes it isn't always
> > > obvious until you have to write the access control :)
> > 
> > I spoke to Frederick at length during LSS and as I've been given to
> > understand there's a eBPF program that would immediately use this new
> > hook. Now I don't want to get into the whole "Is the eBPF LSM hook
> > infrastructure an LSM" but I think we can let this count as a legitimate
> > first user of this hook/code.
> > 
> > > 
> > > [aside: If you would like to explore the SELinux implementation let me
> > > know, I'm happy to work with you on this.  I suspect Casey and the
> > > other LSM maintainers would also be willing to do the same for their
> > > LSMs.]
> > > 
> 
> I can take a shot at making a SELinux implementation, but the question
> becomes: is that for v2 or a later patch? I don't think the implementation
> for SELinux would be too complicated (i.e. make a call to avc_has_perm()?)
> but, testing and revisions might take a bit longer.
> 
> > > In this particular case I think the calling task's credentials are
> > > generally all that is needed.  You mention that the newly created
> > 
> > Agreed.
> > 
> > > namespace would be helpful, so I'll ask: what info in the new ns do
> > > you believe would be helpful in making an access decision about its
> > > creation?
> > > 
> 
> In the other thread [1], there was mention of xattr mapping support. As I
> understand Caseys response to this thread [2], that feature is no longer
> requested for this hook.

I think that is an orthogonal problem at least wrt to this hook.

> 
> Users can still access the older parent ns from the passed in cred, but I
> was thinking of handling the transition point here. There's probably more
> suitable hooks for that case.

Yes.
Casey Schaufler June 27, 2022, 5:24 p.m. UTC | #9
On 6/27/2022 8:56 AM, Christian Brauner wrote:
> On Mon, Jun 27, 2022 at 10:51:48AM -0500, Frederick Lawler wrote:
>> On 6/27/22 7:11 AM, Christian Brauner wrote:
>>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
>>>> On Wed, Jun 22, 2022 at 10:24 AM Frederick Lawler <fred@cloudflare.com> wrote:
>>>>> On 6/21/22 7:19 PM, Casey Schaufler wrote:
>>>>>> On 6/21/2022 4:39 PM, Frederick Lawler wrote:
>>>>>>> While creating a LSM BPF MAC policy to block user namespace creation, we
>>>>>>> used the LSM cred_prepare hook because that is the closest hook to
>>>>>>> prevent
>>>>>>> a call to create_user_ns().
>>>>>>>
>>>>>>> The calls look something like this:
>>>>>>>
>>>>>>>        cred = prepare_creds()
>>>>>>>            security_prepare_creds()
>>>>>>>                call_int_hook(cred_prepare, ...
>>>>>>>        if (cred)
>>>>>>>            create_user_ns(cred)
>>>>>>>
>>>>>>> We noticed that error codes were not propagated from this hook and
>>>>>>> introduced a patch [1] to propagate those errors.
>>>>>>>
>>>>>>> The discussion notes that security_prepare_creds()
>>>>>>> is not appropriate for MAC policies, and instead the hook is
>>>>>>> meant for LSM authors to prepare credentials for mutation. [2]
>>>>>>>
>>>>>>> Ultimately, we concluded that a better course of action is to introduce
>>>>>>> a new security hook for LSM authors. [3]
>>>>>>>
>>>>>>> This patch set first introduces a new security_create_user_ns() function
>>>>>>> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
>>>>>> Why restrict this hook to user namespaces? It seems that an LSM that
>>>>>> chooses to preform controls on user namespaces may want to do so for
>>>>>> network namespaces as well.
>>>>> IIRC, CLONE_NEWUSER is the only namespace flag that does not require
>>>>> CAP_SYS_ADMIN. There is a security use case to prevent this namespace
>>>>> from being created within an unprivileged environment. I'm not opposed
>>>>> to a more generic hook, but I don't currently have a use case to block
>>>>> any others. We can also say the same is true for the other namespaces:
>>>>> add this generic security function to these too.
>>>>>
>>>>> I'm curious what others think about this too.
>>>> While user namespaces are obviously one of the more significant
>>>> namespaces from a security perspective, I do think it seems reasonable
>>>> that the LSMs could benefit from additional namespace creation hooks.
>>>> However, I don't think we need to do all of them at once, starting
>>>> with a userns hook seems okay to me.
>>>>
>>>> I also think that using the same LSM hook as an access control point
>>>> for all of the different namespaces would be a mistake.  At the very
>>> Agreed. >
>>>> least we would need to pass a flag or some form of context to the hook
>>>> to indicate which new namespace(s) are being requested and I fear that
>>>> is a problem waiting to happen.  That isn't to say someone couldn't
>>>> mistakenly call the security_create_user_ns(...) from the mount
>>>> namespace code, but I suspect that is much easier to identify as wrong
>>>> than the equivalent security_create_ns(USER, ...).
>>> Yeah, I think that's a pretty unlikely scenario.
>>>
>>>> We also should acknowledge that while in most cases the current task's
>>>> credentials are probably sufficient to make any LSM access control
>>>> decisions around namespace creation, it's possible that for some
>>>> namespaces we would need to pass additional, namespace specific info
>>>> to the LSM.  With a shared LSM hook this could become rather awkward.
>>> Agreed.
>>>
>>>>>> Also, the hook seems backwards. You should
>>>>>> decide if the creation of the namespace is allowed before you create it.
>>>>>> Passing the new namespace to a function that checks to see creating a
>>>>>> namespace is allowed doesn't make a lot off sense.
>>>>> I think having more context to a security hook is a good thing.
>>>> This is one of the reasons why I usually like to see at least one LSM
>>>> implementation to go along with every new/modified hook.  The
>>>> implementation forces you to think about what information is necessary
>>>> to perform a basic access control decision; sometimes it isn't always
>>>> obvious until you have to write the access control :)
>>> I spoke to Frederick at length during LSS and as I've been given to
>>> understand there's a eBPF program that would immediately use this new
>>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
>>> infrastructure an LSM" but I think we can let this count as a legitimate
>>> first user of this hook/code.

Yes, although it would be really helpful if there were a recognized upstream
for eBPF programs so that we could see not only that the hook is used but how
it is being used. It is possible (even likely) that someone will want to change
either the interface or the caller some day. Without having the eBPF that
depends on it, it's hard to determine if a change would be a regression.

>>>
>>>> [aside: If you would like to explore the SELinux implementation let me
>>>> know, I'm happy to work with you on this.  I suspect Casey and the
>>>> other LSM maintainers would also be willing to do the same for their
>>>> LSMs.]
>>>>
>> I can take a shot at making a SELinux implementation, but the question
>> becomes: is that for v2 or a later patch? I don't think the implementation
>> for SELinux would be too complicated (i.e. make a call to avc_has_perm()?)
>> but, testing and revisions might take a bit longer.
>>
>>>> In this particular case I think the calling task's credentials are
>>>> generally all that is needed.  You mention that the newly created
>>> Agreed.
>>>
>>>> namespace would be helpful, so I'll ask: what info in the new ns do
>>>> you believe would be helpful in making an access decision about its
>>>> creation?
>>>>
>> In the other thread [1], there was mention of xattr mapping support. As I
>> understand Caseys response to this thread [2], that feature is no longer
>> requested for this hook.
> I think that is an orthogonal problem at least wrt to this hook.

Agreed. It was always a look deeply into the future sort of thing.
At this point I don't see anything blocking the proposed hook moving
forward.

>
>> Users can still access the older parent ns from the passed in cred, but I
>> was thinking of handling the transition point here. There's probably more
>> suitable hooks for that case.
> Yes.
Paul Moore June 27, 2022, 9:56 p.m. UTC | #10
On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> wrote:
> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:

...

> > This is one of the reasons why I usually like to see at least one LSM
> > implementation to go along with every new/modified hook.  The
> > implementation forces you to think about what information is necessary
> > to perform a basic access control decision; sometimes it isn't always
> > obvious until you have to write the access control :)
>
> I spoke to Frederick at length during LSS and as I've been given to
> understand there's a eBPF program that would immediately use this new
> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
> infrastructure an LSM" but I think we can let this count as a legitimate
> first user of this hook/code.

Yes, for the most part I don't really worry about the "is a BPF LSM a
LSM?" question, it's generally not important for most discussions.
However, there is an issue unique to the BPF LSMs which I think is
relevant here: there is no hook implementation code living under
security/.  While I talked about a hook implementation being helpful
to verify the hook prototype, it is also helpful in providing an
in-tree example for other LSMs; unfortunately we don't get that same
example value when the initial hook implementation is a BPF LSM.
Paul Moore June 27, 2022, 10:13 p.m. UTC | #11
On Mon, Jun 27, 2022 at 11:51 AM Frederick Lawler <fred@cloudflare.com> wrote:
> On 6/27/22 7:11 AM, Christian Brauner wrote:
> > On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
> >> On Wed, Jun 22, 2022 at 10:24 AM Frederick Lawler <fred@cloudflare.com> wrote:
> >>> On 6/21/22 7:19 PM, Casey Schaufler wrote:
> >>>> On 6/21/2022 4:39 PM, Frederick Lawler wrote:

...

> >>>>> While creating a LSM BPF MAC policy to block user namespace creation, we
> >>>>> used the LSM cred_prepare hook because that is the closest hook to
> >>>>> prevent
> >>>>> a call to create_user_ns().
> >>>>>
> >>>>> The calls look something like this:
> >>>>>
> >>>>>       cred = prepare_creds()
> >>>>>           security_prepare_creds()
> >>>>>               call_int_hook(cred_prepare, ...
> >>>>>       if (cred)
> >>>>>           create_user_ns(cred)
> >>>>>
> >>>>> We noticed that error codes were not propagated from this hook and
> >>>>> introduced a patch [1] to propagate those errors.
> >>>>>
> >>>>> The discussion notes that security_prepare_creds()
> >>>>> is not appropriate for MAC policies, and instead the hook is
> >>>>> meant for LSM authors to prepare credentials for mutation. [2]
> >>>>>
> >>>>> Ultimately, we concluded that a better course of action is to introduce
> >>>>> a new security hook for LSM authors. [3]
> >>>>>
> >>>>> This patch set first introduces a new security_create_user_ns() function
> >>>>> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
> >>>>
> >>>> Why restrict this hook to user namespaces? It seems that an LSM that
> >>>> chooses to preform controls on user namespaces may want to do so for
> >>>> network namespaces as well.
> >>>
> >>> IIRC, CLONE_NEWUSER is the only namespace flag that does not require
> >>> CAP_SYS_ADMIN. There is a security use case to prevent this namespace
> >>> from being created within an unprivileged environment. I'm not opposed
> >>> to a more generic hook, but I don't currently have a use case to block
> >>> any others. We can also say the same is true for the other namespaces:
> >>> add this generic security function to these too.
> >>>
> >>> I'm curious what others think about this too.
> >>
> >> While user namespaces are obviously one of the more significant
> >> namespaces from a security perspective, I do think it seems reasonable
> >> that the LSMs could benefit from additional namespace creation hooks.
> >> However, I don't think we need to do all of them at once, starting
> >> with a userns hook seems okay to me.
> >>
> >> I also think that using the same LSM hook as an access control point
> >> for all of the different namespaces would be a mistake.  At the very
> >
> > Agreed. >
> >> least we would need to pass a flag or some form of context to the hook
> >> to indicate which new namespace(s) are being requested and I fear that
> >> is a problem waiting to happen.  That isn't to say someone couldn't
> >> mistakenly call the security_create_user_ns(...) from the mount
> >> namespace code, but I suspect that is much easier to identify as wrong
> >> than the equivalent security_create_ns(USER, ...).
> >
> > Yeah, I think that's a pretty unlikely scenario.
> >
> >>
> >> We also should acknowledge that while in most cases the current task's
> >> credentials are probably sufficient to make any LSM access control
> >> decisions around namespace creation, it's possible that for some
> >> namespaces we would need to pass additional, namespace specific info
> >> to the LSM.  With a shared LSM hook this could become rather awkward.
> >
> > Agreed.
> >
> >>
> >>>> Also, the hook seems backwards. You should
> >>>> decide if the creation of the namespace is allowed before you create it.
> >>>> Passing the new namespace to a function that checks to see creating a
> >>>> namespace is allowed doesn't make a lot off sense.
> >>>
> >>> I think having more context to a security hook is a good thing.
> >>
> >> This is one of the reasons why I usually like to see at least one LSM
> >> implementation to go along with every new/modified hook.  The
> >> implementation forces you to think about what information is necessary
> >> to perform a basic access control decision; sometimes it isn't always
> >> obvious until you have to write the access control :)
> >
> > I spoke to Frederick at length during LSS and as I've been given to
> > understand there's a eBPF program that would immediately use this new
> > hook. Now I don't want to get into the whole "Is the eBPF LSM hook
> > infrastructure an LSM" but I think we can let this count as a legitimate
> > first user of this hook/code.
> >
> >>
> >> [aside: If you would like to explore the SELinux implementation let me
> >> know, I'm happy to work with you on this.  I suspect Casey and the
> >> other LSM maintainers would also be willing to do the same for their
> >> LSMs.]
> >>
>
> I can take a shot at making a SELinux implementation, but the question
> becomes: is that for v2 or a later patch? I don't think the
> implementation for SELinux would be too complicated (i.e. make a call to
> avc_has_perm()?) but, testing and revisions might take a bit longer.

Isn't that the truth, writing code is easy(ish); testing it well is
the hard part ;)  Joking aside, I would suggest starting with v2.

As an example, the code below might be a good place to start - we would need to
discuss this on the SELinux list as there are some design decisions
I'm glossing over[1].

  int selinux_userns_create(struct cred *new)
  {
    u32 sid = current_sid();

    return avc_has_perm(&selinux_state, sid, sid,
                        SECCLASS_NAMESPACE,
                        NAMESPACE__USERNS_CREATE);
  }

You would also need to add the "namespace" class and the
"userns_create" permission in security/selinux/include/classmap.h.

  const struct security_class_mapping secclass_map[] = {
    ...
    { "namespace",
      { "userns_create", NULL } },
  }

As I mentioned earlier, if you find yourself getting stuck, or needing
some help, please feel free to send mail.

[1] This code snippet uses a new object class and permission for this
(namespace:userns_create).  I made that choice as object classes are
limited to 32 unique permissions and I expect the number of namespaces
to continue to grow.
Daniel Borkmann June 27, 2022, 10:15 p.m. UTC | #12
On 6/27/22 11:56 PM, Paul Moore wrote:
> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> wrote:
>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
> 
> ...
> 
>>> This is one of the reasons why I usually like to see at least one LSM
>>> implementation to go along with every new/modified hook.  The
>>> implementation forces you to think about what information is necessary
>>> to perform a basic access control decision; sometimes it isn't always
>>> obvious until you have to write the access control :)
>>
>> I spoke to Frederick at length during LSS and as I've been given to
>> understand there's a eBPF program that would immediately use this new
>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
>> infrastructure an LSM" but I think we can let this count as a legitimate
>> first user of this hook/code.
> 
> Yes, for the most part I don't really worry about the "is a BPF LSM a
> LSM?" question, it's generally not important for most discussions.
> However, there is an issue unique to the BPF LSMs which I think is
> relevant here: there is no hook implementation code living under
> security/.  While I talked about a hook implementation being helpful
> to verify the hook prototype, it is also helpful in providing an
> in-tree example for other LSMs; unfortunately we don't get that same
> example value when the initial hook implementation is a BPF LSM.

I would argue that such a patch series must come together with a BPF
selftest which then i) contains an in-tree usage example, ii) adds BPF
CI test coverage. Shipping with a BPF selftest at least would be the
usual expectation.

Thanks,
Daniel
KP Singh June 27, 2022, 10:27 p.m. UTC | #13
On Tue, Jun 28, 2022 at 12:15 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 6/27/22 11:56 PM, Paul Moore wrote:
> > On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> wrote:
> >> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
> >
> > ...
> >
> >>> This is one of the reasons why I usually like to see at least one LSM
> >>> implementation to go along with every new/modified hook.  The
> >>> implementation forces you to think about what information is necessary
> >>> to perform a basic access control decision; sometimes it isn't always
> >>> obvious until you have to write the access control :)
> >>
> >> I spoke to Frederick at length during LSS and as I've been given to
> >> understand there's a eBPF program that would immediately use this new
> >> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
> >> infrastructure an LSM" but I think we can let this count as a legitimate
> >> first user of this hook/code.
> >
> > Yes, for the most part I don't really worry about the "is a BPF LSM a
> > LSM?" question, it's generally not important for most discussions.
> > However, there is an issue unique to the BPF LSMs which I think is
> > relevant here: there is no hook implementation code living under
> > security/.  While I talked about a hook implementation being helpful
> > to verify the hook prototype, it is also helpful in providing an
> > in-tree example for other LSMs; unfortunately we don't get that same
> > example value when the initial hook implementation is a BPF LSM.
>
> I would argue that such a patch series must come together with a BPF
> selftest which then i) contains an in-tree usage example, ii) adds BPF
> CI test coverage. Shipping with a BPF selftest at least would be the
> usual expectation.

+1 I would also recommend that this comes with a BPF selftest as
suggested by Daniel.

>
> Thanks,
> Daniel
Paul Moore June 27, 2022, 10:27 p.m. UTC | #14
On Mon, Jun 27, 2022 at 6:15 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> On 6/27/22 11:56 PM, Paul Moore wrote:
> > On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> wrote:
> >> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
> >
> > ...
> >
> >>> This is one of the reasons why I usually like to see at least one LSM
> >>> implementation to go along with every new/modified hook.  The
> >>> implementation forces you to think about what information is necessary
> >>> to perform a basic access control decision; sometimes it isn't always
> >>> obvious until you have to write the access control :)
> >>
> >> I spoke to Frederick at length during LSS and as I've been given to
> >> understand there's a eBPF program that would immediately use this new
> >> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
> >> infrastructure an LSM" but I think we can let this count as a legitimate
> >> first user of this hook/code.
> >
> > Yes, for the most part I don't really worry about the "is a BPF LSM a
> > LSM?" question, it's generally not important for most discussions.
> > However, there is an issue unique to the BPF LSMs which I think is
> > relevant here: there is no hook implementation code living under
> > security/.  While I talked about a hook implementation being helpful
> > to verify the hook prototype, it is also helpful in providing an
> > in-tree example for other LSMs; unfortunately we don't get that same
> > example value when the initial hook implementation is a BPF LSM.
>
> I would argue that such a patch series must come together with a BPF
> selftest which then i) contains an in-tree usage example, ii) adds BPF
> CI test coverage. Shipping with a BPF selftest at least would be the
> usual expectation.

I'm not going to disagree with that, I generally require matching
tests for new SELinux kernel code, but I was careful to mention code
under 'security/' and not necessarily just a test implementation :)  I
don't want to get into a big discussion about it, but I think having a
working implementation somewhere under 'security/' is more
discoverable for most LSM folks.
Casey Schaufler June 27, 2022, 11:18 p.m. UTC | #15
On 6/27/2022 3:27 PM, Paul Moore wrote:
> On Mon, Jun 27, 2022 at 6:15 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 6/27/22 11:56 PM, Paul Moore wrote:
>>> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> wrote:
>>>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
>>> ...
>>>
>>>>> This is one of the reasons why I usually like to see at least one LSM
>>>>> implementation to go along with every new/modified hook.  The
>>>>> implementation forces you to think about what information is necessary
>>>>> to perform a basic access control decision; sometimes it isn't always
>>>>> obvious until you have to write the access control :)
>>>> I spoke to Frederick at length during LSS and as I've been given to
>>>> understand there's a eBPF program that would immediately use this new
>>>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
>>>> infrastructure an LSM" but I think we can let this count as a legitimate
>>>> first user of this hook/code.
>>> Yes, for the most part I don't really worry about the "is a BPF LSM a
>>> LSM?" question, it's generally not important for most discussions.
>>> However, there is an issue unique to the BPF LSMs which I think is
>>> relevant here: there is no hook implementation code living under
>>> security/.  While I talked about a hook implementation being helpful
>>> to verify the hook prototype, it is also helpful in providing an
>>> in-tree example for other LSMs; unfortunately we don't get that same
>>> example value when the initial hook implementation is a BPF LSM.
>> I would argue that such a patch series must come together with a BPF
>> selftest which then i) contains an in-tree usage example, ii) adds BPF
>> CI test coverage. Shipping with a BPF selftest at least would be the
>> usual expectation.
> I'm not going to disagree with that, I generally require matching
> tests for new SELinux kernel code, but I was careful to mention code
> under 'security/' and not necessarily just a test implementation :)  I
> don't want to get into a big discussion about it, but I think having a
> working implementation somewhere under 'security/' is more
> discoverable for most LSM folks.

I agree. It would be unfortunate if we added a hook explicitly for eBPF
only to discover that the proposed user needs something different. The
LSM community should have a chance to review the code before committing
to all the maintenance required in supporting it.

Is there a reference on how to write an eBPF security module?
There should be something out there warning the eBPF programmer of the
implications of providing a secid_to_secctx hook for starters.
Frederick Lawler June 28, 2022, 3:11 p.m. UTC | #16
On 6/27/22 5:15 PM, Daniel Borkmann wrote:
> On 6/27/22 11:56 PM, Paul Moore wrote:
>> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> 
>> wrote:
>>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
>>
>> ...
>>
>>>> This is one of the reasons why I usually like to see at least one LSM
>>>> implementation to go along with every new/modified hook.  The
>>>> implementation forces you to think about what information is necessary
>>>> to perform a basic access control decision; sometimes it isn't always
>>>> obvious until you have to write the access control :)
>>>
>>> I spoke to Frederick at length during LSS and as I've been given to
>>> understand there's a eBPF program that would immediately use this new
>>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
>>> infrastructure an LSM" but I think we can let this count as a legitimate
>>> first user of this hook/code.
>>
>> Yes, for the most part I don't really worry about the "is a BPF LSM a
>> LSM?" question, it's generally not important for most discussions.
>> However, there is an issue unique to the BPF LSMs which I think is
>> relevant here: there is no hook implementation code living under
>> security/.  While I talked about a hook implementation being helpful
>> to verify the hook prototype, it is also helpful in providing an
>> in-tree example for other LSMs; unfortunately we don't get that same
>> example value when the initial hook implementation is a BPF LSM.
> 
> I would argue that such a patch series must come together with a BPF
> selftest which then i) contains an in-tree usage example, ii) adds BPF
> CI test coverage. Shipping with a BPF selftest at least would be the
> usual expectation.

Sounds good. I'll add both a eBPF selftest and SELinux implementation 
for v2.

> 
> Thanks,
> Daniel
Paul Moore June 28, 2022, 3:13 p.m. UTC | #17
On Tue, Jun 28, 2022 at 11:11 AM Frederick Lawler <fred@cloudflare.com> wrote:
> On 6/27/22 5:15 PM, Daniel Borkmann wrote:
> > On 6/27/22 11:56 PM, Paul Moore wrote:
> >> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org>
> >> wrote:
> >>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
> >>
> >> ...
> >>
> >>>> This is one of the reasons why I usually like to see at least one LSM
> >>>> implementation to go along with every new/modified hook.  The
> >>>> implementation forces you to think about what information is necessary
> >>>> to perform a basic access control decision; sometimes it isn't always
> >>>> obvious until you have to write the access control :)
> >>>
> >>> I spoke to Frederick at length during LSS and as I've been given to
> >>> understand there's a eBPF program that would immediately use this new
> >>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
> >>> infrastructure an LSM" but I think we can let this count as a legitimate
> >>> first user of this hook/code.
> >>
> >> Yes, for the most part I don't really worry about the "is a BPF LSM a
> >> LSM?" question, it's generally not important for most discussions.
> >> However, there is an issue unique to the BPF LSMs which I think is
> >> relevant here: there is no hook implementation code living under
> >> security/.  While I talked about a hook implementation being helpful
> >> to verify the hook prototype, it is also helpful in providing an
> >> in-tree example for other LSMs; unfortunately we don't get that same
> >> example value when the initial hook implementation is a BPF LSM.
> >
> > I would argue that such a patch series must come together with a BPF
> > selftest which then i) contains an in-tree usage example, ii) adds BPF
> > CI test coverage. Shipping with a BPF selftest at least would be the
> > usual expectation.
>
> Sounds good. I'll add both a eBPF selftest and SELinux implementation
> for v2.

Thanks Daniel!
Frederick Lawler June 28, 2022, 3:14 p.m. UTC | #18
On 6/27/22 6:18 PM, Casey Schaufler wrote:
> On 6/27/2022 3:27 PM, Paul Moore wrote:
>> On Mon, Jun 27, 2022 at 6:15 PM Daniel Borkmann <daniel@iogearbox.net> 
>> wrote:
>>> On 6/27/22 11:56 PM, Paul Moore wrote:
>>>> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner 
>>>> <brauner@kernel.org> wrote:
>>>>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
>>>> ...
>>>>
>>>>>> This is one of the reasons why I usually like to see at least one LSM
>>>>>> implementation to go along with every new/modified hook.  The
>>>>>> implementation forces you to think about what information is 
>>>>>> necessary
>>>>>> to perform a basic access control decision; sometimes it isn't always
>>>>>> obvious until you have to write the access control :)
>>>>> I spoke to Frederick at length during LSS and as I've been given to
>>>>> understand there's a eBPF program that would immediately use this new
>>>>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
>>>>> infrastructure an LSM" but I think we can let this count as a 
>>>>> legitimate
>>>>> first user of this hook/code.
>>>> Yes, for the most part I don't really worry about the "is a BPF LSM a
>>>> LSM?" question, it's generally not important for most discussions.
>>>> However, there is an issue unique to the BPF LSMs which I think is
>>>> relevant here: there is no hook implementation code living under
>>>> security/.  While I talked about a hook implementation being helpful
>>>> to verify the hook prototype, it is also helpful in providing an
>>>> in-tree example for other LSMs; unfortunately we don't get that same
>>>> example value when the initial hook implementation is a BPF LSM.
>>> I would argue that such a patch series must come together with a BPF
>>> selftest which then i) contains an in-tree usage example, ii) adds BPF
>>> CI test coverage. Shipping with a BPF selftest at least would be the
>>> usual expectation.
>> I'm not going to disagree with that, I generally require matching
>> tests for new SELinux kernel code, but I was careful to mention code
>> under 'security/' and not necessarily just a test implementation :)  I
>> don't want to get into a big discussion about it, but I think having a
>> working implementation somewhere under 'security/' is more
>> discoverable for most LSM folks.
> 
> I agree. It would be unfortunate if we added a hook explicitly for eBPF
> only to discover that the proposed user needs something different. The
> LSM community should have a chance to review the code before committing
> to all the maintenance required in supporting it.
> 
> Is there a reference on how to write an eBPF security module?

There's a documentation page that briefly touches on a BPF LSM 
implementation [1].

> There should be something out there warning the eBPF programmer of the
> implications of providing a secid_to_secctx hook for starters.
> 

Links:
1. https://docs.kernel.org/bpf/prog_lsm.html?highlight=bpf+lsm#
Casey Schaufler June 28, 2022, 4:02 p.m. UTC | #19
On 6/28/2022 8:14 AM, Frederick Lawler wrote:
> On 6/27/22 6:18 PM, Casey Schaufler wrote:
>> On 6/27/2022 3:27 PM, Paul Moore wrote:
>>> On Mon, Jun 27, 2022 at 6:15 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>>>> On 6/27/22 11:56 PM, Paul Moore wrote:
>>>>> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> wrote:
>>>>>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
>>>>> ...
>>>>>
>>>>>>> This is one of the reasons why I usually like to see at least one LSM
>>>>>>> implementation to go along with every new/modified hook.  The
>>>>>>> implementation forces you to think about what information is necessary
>>>>>>> to perform a basic access control decision; sometimes it isn't always
>>>>>>> obvious until you have to write the access control :)
>>>>>> I spoke to Frederick at length during LSS and as I've been given to
>>>>>> understand there's a eBPF program that would immediately use this new
>>>>>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
>>>>>> infrastructure an LSM" but I think we can let this count as a legitimate
>>>>>> first user of this hook/code.
>>>>> Yes, for the most part I don't really worry about the "is a BPF LSM a
>>>>> LSM?" question, it's generally not important for most discussions.
>>>>> However, there is an issue unique to the BPF LSMs which I think is
>>>>> relevant here: there is no hook implementation code living under
>>>>> security/.  While I talked about a hook implementation being helpful
>>>>> to verify the hook prototype, it is also helpful in providing an
>>>>> in-tree example for other LSMs; unfortunately we don't get that same
>>>>> example value when the initial hook implementation is a BPF LSM.
>>>> I would argue that such a patch series must come together with a BPF
>>>> selftest which then i) contains an in-tree usage example, ii) adds BPF
>>>> CI test coverage. Shipping with a BPF selftest at least would be the
>>>> usual expectation.
>>> I'm not going to disagree with that, I generally require matching
>>> tests for new SELinux kernel code, but I was careful to mention code
>>> under 'security/' and not necessarily just a test implementation :)  I
>>> don't want to get into a big discussion about it, but I think having a
>>> working implementation somewhere under 'security/' is more
>>> discoverable for most LSM folks.
>>
>> I agree. It would be unfortunate if we added a hook explicitly for eBPF
>> only to discover that the proposed user needs something different. The
>> LSM community should have a chance to review the code before committing
>> to all the maintenance required in supporting it.
>>
>> Is there a reference on how to write an eBPF security module?
>
> There's a documentation page that briefly touches on a BPF LSM implementation [1].

That's a brief touch, alright. I'll grant that the LSM interface isn't
especially well documented for C developers, but we have done tutorials
and have multiple examples. I worry that without an in-tree example for
eBPF we might well be setting developers up for spectacular failure.

>
>> There should be something out there warning the eBPF programmer of the
>> implications of providing a secid_to_secctx hook for starters.
>>
>
> Links:
> 1. https://docs.kernel.org/bpf/prog_lsm.html?highlight=bpf+lsm#
>
KP Singh June 28, 2022, 4:12 p.m. UTC | #20
On Tue, Jun 28, 2022 at 6:02 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 6/28/2022 8:14 AM, Frederick Lawler wrote:
> > On 6/27/22 6:18 PM, Casey Schaufler wrote:
> >> On 6/27/2022 3:27 PM, Paul Moore wrote:
> >>> On Mon, Jun 27, 2022 at 6:15 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> >>>> On 6/27/22 11:56 PM, Paul Moore wrote:
> >>>>> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> wrote:
> >>>>>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
> >>>>> ...
> >>>>>
> >>>>>>> This is one of the reasons why I usually like to see at least one LSM
> >>>>>>> implementation to go along with every new/modified hook.  The
> >>>>>>> implementation forces you to think about what information is necessary
> >>>>>>> to perform a basic access control decision; sometimes it isn't always
> >>>>>>> obvious until you have to write the access control :)
> >>>>>> I spoke to Frederick at length during LSS and as I've been given to
> >>>>>> understand there's a eBPF program that would immediately use this new
> >>>>>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
> >>>>>> infrastructure an LSM" but I think we can let this count as a legitimate
> >>>>>> first user of this hook/code.
> >>>>> Yes, for the most part I don't really worry about the "is a BPF LSM a
> >>>>> LSM?" question, it's generally not important for most discussions.
> >>>>> However, there is an issue unique to the BPF LSMs which I think is
> >>>>> relevant here: there is no hook implementation code living under
> >>>>> security/.  While I talked about a hook implementation being helpful
> >>>>> to verify the hook prototype, it is also helpful in providing an
> >>>>> in-tree example for other LSMs; unfortunately we don't get that same
> >>>>> example value when the initial hook implementation is a BPF LSM.
> >>>> I would argue that such a patch series must come together with a BPF
> >>>> selftest which then i) contains an in-tree usage example, ii) adds BPF
> >>>> CI test coverage. Shipping with a BPF selftest at least would be the
> >>>> usual expectation.
> >>> I'm not going to disagree with that, I generally require matching
> >>> tests for new SELinux kernel code, but I was careful to mention code
> >>> under 'security/' and not necessarily just a test implementation :)  I
> >>> don't want to get into a big discussion about it, but I think having a
> >>> working implementation somewhere under 'security/' is more
> >>> discoverable for most LSM folks.
> >>
> >> I agree. It would be unfortunate if we added a hook explicitly for eBPF
> >> only to discover that the proposed user needs something different. The
> >> LSM community should have a chance to review the code before committing
> >> to all the maintenance required in supporting it.
> >>
> >> Is there a reference on how to write an eBPF security module?
> >
> > There's a documentation page that briefly touches on a BPF LSM implementation [1].
>
> That's a brief touch, alright. I'll grant that the LSM interface isn't
> especially well documented for C developers, but we have done tutorials
> and have multiple examples. I worry that without an in-tree example for
> eBPF we might well be setting developers up for spectacular failure.
>

Casey, Daniel and I are recommending an in-tree example, it will be
in BPF selftests and we will CC you on the reviews.

Frederick, is that okay with you?

> >
> >> There should be something out there warning the eBPF programmer of the
> >> implications of providing a secid_to_secctx hook for starters.
> >>
> >
> > Links:
> > 1. https://docs.kernel.org/bpf/prog_lsm.html?highlight=bpf+lsm#
> >
Frederick Lawler June 28, 2022, 4:44 p.m. UTC | #21
On 6/28/22 11:12 AM, KP Singh wrote:
> On Tue, Jun 28, 2022 at 6:02 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>
>> On 6/28/2022 8:14 AM, Frederick Lawler wrote:
>>> On 6/27/22 6:18 PM, Casey Schaufler wrote:
>>>> On 6/27/2022 3:27 PM, Paul Moore wrote:
>>>>> On Mon, Jun 27, 2022 at 6:15 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>>>>>> On 6/27/22 11:56 PM, Paul Moore wrote:
>>>>>>> On Mon, Jun 27, 2022 at 8:11 AM Christian Brauner <brauner@kernel.org> wrote:
>>>>>>>> On Thu, Jun 23, 2022 at 11:21:37PM -0400, Paul Moore wrote:
>>>>>>> ...
>>>>>>>
>>>>>>>>> This is one of the reasons why I usually like to see at least one LSM
>>>>>>>>> implementation to go along with every new/modified hook.  The
>>>>>>>>> implementation forces you to think about what information is necessary
>>>>>>>>> to perform a basic access control decision; sometimes it isn't always
>>>>>>>>> obvious until you have to write the access control :)
>>>>>>>> I spoke to Frederick at length during LSS and as I've been given to
>>>>>>>> understand there's a eBPF program that would immediately use this new
>>>>>>>> hook. Now I don't want to get into the whole "Is the eBPF LSM hook
>>>>>>>> infrastructure an LSM" but I think we can let this count as a legitimate
>>>>>>>> first user of this hook/code.
>>>>>>> Yes, for the most part I don't really worry about the "is a BPF LSM a
>>>>>>> LSM?" question, it's generally not important for most discussions.
>>>>>>> However, there is an issue unique to the BPF LSMs which I think is
>>>>>>> relevant here: there is no hook implementation code living under
>>>>>>> security/.  While I talked about a hook implementation being helpful
>>>>>>> to verify the hook prototype, it is also helpful in providing an
>>>>>>> in-tree example for other LSMs; unfortunately we don't get that same
>>>>>>> example value when the initial hook implementation is a BPF LSM.
>>>>>> I would argue that such a patch series must come together with a BPF
>>>>>> selftest which then i) contains an in-tree usage example, ii) adds BPF
>>>>>> CI test coverage. Shipping with a BPF selftest at least would be the
>>>>>> usual expectation.
>>>>> I'm not going to disagree with that, I generally require matching
>>>>> tests for new SELinux kernel code, but I was careful to mention code
>>>>> under 'security/' and not necessarily just a test implementation :)  I
>>>>> don't want to get into a big discussion about it, but I think having a
>>>>> working implementation somewhere under 'security/' is more
>>>>> discoverable for most LSM folks.
>>>>
>>>> I agree. It would be unfortunate if we added a hook explicitly for eBPF
>>>> only to discover that the proposed user needs something different. The
>>>> LSM community should have a chance to review the code before committing
>>>> to all the maintenance required in supporting it.
>>>>
>>>> Is there a reference on how to write an eBPF security module?
>>>
>>> There's a documentation page that briefly touches on a BPF LSM implementation [1].
>>
>> That's a brief touch, alright. I'll grant that the LSM interface isn't
>> especially well documented for C developers, but we have done tutorials
>> and have multiple examples. I worry that without an in-tree example for
>> eBPF we might well be setting developers up for spectacular failure.
>>
> 
> Casey, Daniel and I are recommending an in-tree example, it will be
> in BPF selftests and we will CC you on the reviews.
> 
> Frederick, is that okay with you?

Yep.

> 
>>>
>>>> There should be something out there warning the eBPF programmer of the
>>>> implications of providing a secid_to_secctx hook for starters.
>>>>
>>>
>>> Links:
>>> 1. https://docs.kernel.org/bpf/prog_lsm.html?highlight=bpf+lsm#
>>>
Eric W. Biederman June 30, 2022, 6:28 p.m. UTC | #22
Frederick Lawler <fred@cloudflare.com> writes:

> Hi Casey,
>
> On 6/21/22 7:19 PM, Casey Schaufler wrote:
>> On 6/21/2022 4:39 PM, Frederick Lawler wrote:
>>> While creating a LSM BPF MAC policy to block user namespace creation, we
>>> used the LSM cred_prepare hook because that is the closest hook to prevent
>>> a call to create_user_ns().
>>>
>>> The calls look something like this:
>>>
>>>      cred = prepare_creds()
>>>          security_prepare_creds()
>>>              call_int_hook(cred_prepare, ...
>>>      if (cred)
>>>          create_user_ns(cred)
>>>
>>> We noticed that error codes were not propagated from this hook and
>>> introduced a patch [1] to propagate those errors.
>>>
>>> The discussion notes that security_prepare_creds()
>>> is not appropriate for MAC policies, and instead the hook is
>>> meant for LSM authors to prepare credentials for mutation. [2]
>>>
>>> Ultimately, we concluded that a better course of action is to introduce
>>> a new security hook for LSM authors. [3]
>>>
>>> This patch set first introduces a new security_create_user_ns() function
>>> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
>> Why restrict this hook to user namespaces? It seems that an LSM that
>> chooses to preform controls on user namespaces may want to do so for
>> network namespaces as well.
> IIRC, CLONE_NEWUSER is the only namespace flag that does not require
> CAP_SYS_ADMIN. There is a security use case to prevent this namespace 
> from being created within an unprivileged environment. I'm not opposed to a more
> generic hook, but I don't currently have a use case to block any others. We can
> also say the same is true for the other namespaces: add this generic security
> function to these too.

There is also a very strong security use case for not putting security
checks in the creation of the user namespace.

In particular there are all kinds of kernel features that are useful for
building sandboxes namespaces, chroot, etc, that previous to user
namespaces were not possible to make available to unprivileged users
because they could confuse suid-root executables.  With user namespaces
the concern about confusing suid-root executable goes away.

The only justification I have ever heard for restricting the user
namespace is because it indirectly allows for greater kernel attack
surface.

Do you have a case for restricting the user namespace other than the
kernel is buggy and the user namespace makes the kernel bugs easier
to access?

How does increasing the attack surface of the kernel make the situation
that the kernel is buggy and the attack surface is too big better?

Perhaps it is explained somewhere down-thread and I just have not caught
up yet, but so far I have not see a description of why it makes sense
for a security module to restrict the kernel here.

Eric

p.s.  I am little disappointed that I was not copied on this thread
given that it is my code you are messing with, and I was in an earlier
version of this thread.
Frederick Lawler July 1, 2022, 3:47 a.m. UTC | #23
On 6/30/22 1:28 PM, Eric W. Biederman wrote:
> Frederick Lawler <fred@cloudflare.com> writes:
> 
>> Hi Casey,
>>
>> On 6/21/22 7:19 PM, Casey Schaufler wrote:
>>> On 6/21/2022 4:39 PM, Frederick Lawler wrote:
>>>> While creating a LSM BPF MAC policy to block user namespace creation, we
>>>> used the LSM cred_prepare hook because that is the closest hook to prevent
>>>> a call to create_user_ns().
>>>>
>>>> The calls look something like this:
>>>>
>>>>       cred = prepare_creds()
>>>>           security_prepare_creds()
>>>>               call_int_hook(cred_prepare, ...
>>>>       if (cred)
>>>>           create_user_ns(cred)
>>>>
>>>> We noticed that error codes were not propagated from this hook and
>>>> introduced a patch [1] to propagate those errors.
>>>>
>>>> The discussion notes that security_prepare_creds()
>>>> is not appropriate for MAC policies, and instead the hook is
>>>> meant for LSM authors to prepare credentials for mutation. [2]
>>>>
>>>> Ultimately, we concluded that a better course of action is to introduce
>>>> a new security hook for LSM authors. [3]
>>>>
>>>> This patch set first introduces a new security_create_user_ns() function
>>>> and create_user_ns LSM hook, then marks the hook as sleepable in BPF.
>>> Why restrict this hook to user namespaces? It seems that an LSM that
>>> chooses to preform controls on user namespaces may want to do so for
>>> network namespaces as well.
>> IIRC, CLONE_NEWUSER is the only namespace flag that does not require
>> CAP_SYS_ADMIN. There is a security use case to prevent this namespace
>> from being created within an unprivileged environment. I'm not opposed to a more
>> generic hook, but I don't currently have a use case to block any others. We can
>> also say the same is true for the other namespaces: add this generic security
>> function to these too.
> 
> There is also a very strong security use case for not putting security
> checks in the creation of the user namespace.
> 
> In particular there are all kinds of kernel features that are useful for
> building sandboxes namespaces, chroot, etc, that previous to user
> namespaces were not possible to make available to unprivileged users
> because they could confuse suid-root executables.  With user namespaces
> the concern about confusing suid-root executable goes away.
> 
> The only justification I have ever heard for restricting the user
> namespace is because it indirectly allows for greater kernel attack
> surface.
> 
> Do you have a case for restricting the user namespace other than the
> kernel is buggy and the user namespace makes the kernel bugs easier
> to access?

No.

> 
> How does increasing the attack surface of the kernel make the situation
> that the kernel is buggy and the attack surface is too big better?
> 

We agree that completely blocking this feature may disable effective 
sandboxing techniques, but uncontrolled user namespace creation 
increases the attack surface as well. There are known examples where 
creating a new namespace is the first step in a priv escalation attack.

> Perhaps it is explained somewhere down-thread and I just have not caught
> up yet, but so far I have not see a description of why it makes sense
> for a security module to restrict the kernel here.
> 

Having a new security hook allows us to decide when unpriv user 
namespace creation is acceptable and unacceptable. Patching 
vulnerabilities takes time and effort amongst the community. We want to 
protect our systems so that we are not as impacted by the next 0-day 
disclosure. This in turn decreases our overall attack surface.

Security hooks are a good fit because they offer us flexibility to 
protect our systems how we see fit.

> Eric
> 
> p.s.  I am little disappointed that I was not copied on this thread
> given that it is my code you are messing with, and I was in an earlier
> version of this thread.