From patchwork Tue Jun 21 23:39:38 2022
X-Patchwork-Submitter: Frederick Lawler
X-Patchwork-Id: 12889934
X-Patchwork-Delegate: bpf@iogearbox.net
From: Frederick Lawler
To: kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: brauner@kernel.org, casey@schaufler-ca.com, paul@paul-moore.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com, Frederick Lawler
Subject: [PATCH 1/2] security, lsm: Introduce security_create_user_ns()
Date: Tue, 21 Jun 2022 18:39:38 -0500
Message-Id: <20220621233939.993579-2-fred@cloudflare.com>
In-Reply-To: <20220621233939.993579-1-fred@cloudflare.com>
References: <20220621233939.993579-1-fred@cloudflare.com>

Preventing user namespace (privileged or otherwise) creation comes in a few forms in order of granularity:

1. /proc/sys/user/max_user_namespaces sysctl
2. OS specific patch(es)
3. CONFIG_USER_NS

To block a task based on its attributes, the LSM hook cred_prepare is a good candidate for use because it provides more granular control, and it is called before create_user_ns():

    cred = prepare_creds()
        security_prepare_creds()
            call_int_hook(cred_prepare, ...
    if (cred)
        create_user_ns(cred)

Since security_prepare_creds() is meant for LSMs to copy and prepare credentials, access control is an unintended use of the hook. Therefore introduce a new function security_create_user_ns() with an accompanying create_user_ns LSM hook. This hook takes the prepared creds and the newly created user namespace for LSM authors to write policy against. On success, the new namespace is applied to credentials, otherwise an error is returned.
Signed-off-by: Frederick Lawler --- include/linux/lsm_hook_defs.h | 2 ++ include/linux/lsm_hooks.h | 5 +++++ include/linux/security.h | 8 ++++++++ kernel/user_namespace.c | 5 +++++ security/security.c | 6 ++++++ 5 files changed, 26 insertions(+) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index eafa1d2489fd..bd9b38db4d03 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -223,6 +223,8 @@ LSM_HOOK(int, -ENOSYS, task_prctl, int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, struct inode *inode) +LSM_HOOK(int, 0, create_user_ns, const struct cred *new, + const struct user_namespace *new_userns) LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, u32 *secid) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 91c8146649f5..1356a792a6bd 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -799,6 +799,11 @@ * security attributes, e.g. for /proc/pid inodes. * @p contains the task_struct for the task. * @inode contains the inode structure for the inode. + * @create_user_ns: + * Check permission prior to assigning the new namespace to @cred->user_ns. + * @cred points to prepared creds. + * @new_userns points to the newly created user namespace. + * Return 0 if successful, otherwise < 0 error code. * * Security hooks for Netlink messaging. * diff --git a/include/linux/security.h b/include/linux/security.h index 7fc4e9f49f54..a656dbe7b65a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -435,6 +435,8 @@ int security_task_kill(struct task_struct *p, struct kernel_siginfo *info, int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); +int security_create_user_ns(const struct cred *cred, + const struct user_namespace *new_userns); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); int security_msg_msg_alloc(struct msg_msg *msg); @@ -1185,6 +1187,12 @@ static inline int security_task_prctl(int option, unsigned long arg2, static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) { } +static inline int security_create_user_ns(const struct cred *cred, + const struct user_namespace *new_userns) +{ + return 0; +} + static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) { diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 5481ba44a8d6..8c5e5592a503 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include @@ -153,6 +154,10 @@ int create_user_ns(struct cred *new) if (!setup_userns_sysctls(ns)) goto fail_keyring; + ret = security_create_user_ns(new, ns); + if (ret < 0) + goto fail_keyring; + set_cred_user_ns(new, ns); return 0; fail_keyring: diff --git a/security/security.c b/security/security.c index 188b8f782220..d6b1751805ca 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1903,6 +1903,12 @@ void security_task_to_inode(struct task_struct *p, struct inode *inode) call_void_hook(task_to_inode, p, inode); } +int security_create_user_ns(const struct cred *cred, + const struct user_namespace *new_userns) +{ + return call_int_hook(create_user_ns, 0, cred, new_userns); +} + int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) { return call_int_hook(ipc_permission, 0, ipcp, flag);
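Review bot: in the lsm_hook_defs.h hunk the new LSM_HOOK line names its first parameter `new` (`const struct cred *new`), while the prototype in security.h, the implementation in security.c and the `@cred` line of the lsm_hooks.h documentation all call it `cred`; use `cred` in lsm_hook_defs.h as well so the three declarations and the documentation describe the same argument.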
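Review bot: the @create_user_ns documentation in the lsm_hooks.h hunk does not say what context the hook runs in; patch 2/2 adds bpf_lsm_create_user_ns to sleepable_lsm_hooks on the grounds that create_user_ns() runs with page faults enabled, so state here that the hook is called from process context and may sleep, which is what an LSM implementing it needs to know.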
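Review bot: in the kernel/user_namespace.c hunk the rejection path unwinds to fail_keyring after setup_userns_sysctls() has already succeeded, and nothing visible in the hunk retires those sysctls on that path (the existing `goto fail_keyring` only covers the case where setup_userns_sysctls() itself failed). Either add a label that calls retire_userns_sysctls(ns) before falling through to fail_keyring, or call security_create_user_ns() before the namespace is allocated so that a policy denial has nothing to unwind; the latter also means a rejected namespace is never fully constructed.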
From: Frederick Lawler
To: kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, jmorris@namei.org, serge@hallyn.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: brauner@kernel.org, casey@schaufler-ca.com, paul@paul-moore.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com, Frederick Lawler
Subject: [PATCH 2/2] bpf-lsm: Make bpf_lsm_create_user_ns() sleepable
Date: Tue, 21 Jun 2022 18:39:39 -0500
Message-Id: <20220621233939.993579-3-fred@cloudflare.com>
In-Reply-To: <20220621233939.993579-1-fred@cloudflare.com>
References: <20220621233939.993579-1-fred@cloudflare.com>

Users may want to audit calls to security_create_user_ns() and access user space memory. Also create_user_ns() runs without pagefault_disabled(). Therefore, make bpf_lsm_create_user_ns() sleepable for mandatory access control policies.

Signed-off-by: Frederick Lawler
---
 kernel/bpf/bpf_lsm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index c1351df9f7ee..75853965e7b0 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -250,6 +250,7 @@ BTF_ID(func, bpf_lsm_task_getsecid_obj) BTF_ID(func, bpf_lsm_task_prctl) BTF_ID(func, bpf_lsm_task_setscheduler) BTF_ID(func, bpf_lsm_task_to_inode) +BTF_ID(func, bpf_lsm_create_user_ns) BTF_SET_END(sleepable_lsm_hooks) bool bpf_lsm_is_sleepable_hook(u32 btf_id)
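Review bot: adding bpf_lsm_create_user_ns to sleepable_lsm_hooks lets attached programs read user space memory, which is the audit use case the commit message names, but the justification should go beyond the absence of pagefault_disabled(): the message should state that every caller of create_user_ns() reaches it in process context with no spinlock or RCU read-side section held, and the @create_user_ns documentation added in patch 1/2 should record that the hook may sleep so that non-BPF LSM implementations rely on the same guarantee.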