
Introduce security_create_user_ns()

From:  Frederick Lawler <fred-AT-cloudflare.com>
To:  kpsingh-AT-kernel.org, revest-AT-chromium.org, jackmanb-AT-chromium.org, ast-AT-kernel.org, daniel-AT-iogearbox.net, andrii-AT-kernel.org, kafai-AT-fb.com, songliubraving-AT-fb.com, yhs-AT-fb.com, john.fastabend-AT-gmail.com, jmorris-AT-namei.org, serge-AT-hallyn.com, paul-AT-paul-moore.com, stephen.smalley.work-AT-gmail.com, eparis-AT-parisplace.org, shuah-AT-kernel.org, brauner-AT-kernel.org, casey-AT-schaufler-ca.com, ebiederm-AT-xmission.com, bpf-AT-vger.kernel.org, linux-security-module-AT-vger.kernel.org, selinux-AT-vger.kernel.org, linux-kselftest-AT-vger.kernel.org
Subject:  [PATCH v3 0/4] Introduce security_create_user_ns()
Date:  Thu, 21 Jul 2022 12:28:04 -0500
Message-ID:  <20220721172808.585539-1-fred@cloudflare.com>
Cc:  linux-kernel-AT-vger.kernel.org, netdev-AT-vger.kernel.org, kernel-team-AT-cloudflare.com, cgzones-AT-googlemail.com, karl-AT-bigbadwolfsecurity.com, Frederick Lawler <fred-AT-cloudflare.com>

While creating an LSM BPF MAC policy to block user namespace creation, we
used the LSM cred_prepare hook because that is the closest hook to prevent
a call to create_user_ns().

The calls look something like this:

    cred = prepare_creds()
        security_prepare_creds()
            call_int_hook(cred_prepare, ...
    if (cred)
        create_user_ns(cred)

We noticed that error codes were not propagated from this hook and
introduced a patch [1] to propagate those errors.

The discussion notes that security_prepare_creds()
is not appropriate for MAC policies, and instead the hook is
meant for LSM authors to prepare credentials for mutation. [2]

Ultimately, we concluded that a better course of action is to introduce
a new security hook for LSM authors. [3]

This patch set first introduces a new security_create_user_ns() function
and userns_create LSM hook, then marks the hook as sleepable in BPF.

Links:
1. https://lore.kernel.org/all/20220608150942.776446-1-fred@...
2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward....
3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8...

Past discussions:
V2: https://lore.kernel.org/all/20220707223228.1940249-1-fred...
V1: https://lore.kernel.org/all/20220621233939.993579-1-fred@...

Changes since v2:
- Rename create_user_ns hook to userns_create
- Use user_namespace as an object, as opposed to a generic namespace object
- s/domB_t/domA_t in commit message
Changes since v1:
- Add selftests/bpf: Add tests verifying bpf lsm create_user_ns hook patch
- Add selinux: Implement create_user_ns hook patch
- Change function signature of security_create_user_ns() to only take
  struct cred
- Move security_create_user_ns() call after id mapping check in
  create_user_ns()
- Update documentation to reflect changes

Frederick Lawler (4):
  security, lsm: Introduce security_create_user_ns()
  bpf-lsm: Make bpf_lsm_userns_create() sleepable
  selftests/bpf: Add tests verifying bpf lsm userns_create hook
  selinux: Implement userns_create hook

 include/linux/lsm_hook_defs.h                 |  1 +
 include/linux/lsm_hooks.h                     |  4 +
 include/linux/security.h                      |  6 ++
 kernel/bpf/bpf_lsm.c                          |  1 +
 kernel/user_namespace.c                       |  5 ++
 security/security.c                           |  5 ++
 security/selinux/hooks.c                      |  9 ++
 security/selinux/include/classmap.h           |  2 +
 .../selftests/bpf/prog_tests/deny_namespace.c | 88 +++++++++++++++++++
 .../selftests/bpf/progs/test_deny_namespace.c | 39 ++++++++
 10 files changed, 160 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/deny_namespace.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_deny_namespace.c

--
2.30.2
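
The difference between the two hook placements described in this cover letter can be seen in a small user-space C model. It is an added illustration, not code from the patch set or the kernel: the model_* functions and the two policies are hypothetical stand-ins, and the model assumes the caller reports -ENOMEM when prepare_creds() returns NULL.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only; none of this is kernel code. */
struct cred { int unused; };
typedef int (*lsm_hook_t)(const struct cred *);

static struct cred cred_storage;

/* Constructed policies standing in for an LSM or BPF program. */
static int deny_policy(const struct cred *c)  { (void)c; return -EPERM; }
static int allow_policy(const struct cred *c) { (void)c; return 0; }

/* cred_prepare path: the function returns a pointer, so a failing hook
 * can only be signalled as NULL and its error code is dropped. */
static struct cred *model_prepare_creds(lsm_hook_t cred_prepare)
{
    if (cred_prepare && cred_prepare(&cred_storage) < 0)
        return NULL;
    return &cred_storage;
}

/* userns_create path: the hook's return value is handed back as-is. */
static int model_create_user_ns(struct cred *new, lsm_hook_t userns_create)
{
    return userns_create ? userns_create(new) : 0;
}

/* Caller following the sequence in the cover letter. Assumption of this
 * model: a NULL cred is reported to the caller as -ENOMEM. */
int model_unshare_userns(lsm_hook_t cred_prepare, lsm_hook_t userns_create)
{
    int err = -ENOMEM;
    struct cred *cred = model_prepare_creds(cred_prepare);

    if (cred)
        err = model_create_user_ns(cred, userns_create);
    return err;
}

int main(void)
{
    printf("deny via cred_prepare:  %d\n", model_unshare_userns(deny_policy, NULL));
    printf("deny via userns_create: %d\n", model_unshare_userns(NULL, deny_policy));
    printf("allow on both hooks:    %d\n", model_unshare_userns(allow_policy, allow_policy));
    return 0;
}
```

In the model, a policy denial placed on cred_prepare reaches the caller as an out-of-memory error, while the same denial placed on userns_create reaches it unchanged.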


