On Thu, Jul 21, 2022 at 12:28:05PM -0500, Frederick Lawler wrote:
> Preventing user namespace (privileged or otherwise) creation comes in a
> few forms in order of granularity:
>
> 1. /proc/sys/user/max_user_namespaces sysctl
> 2. OS specific patch(es)
> 3. CONFIG_USER_NS
>
> To block a task based on its attributes, the LSM hook cred_prepare is a
> good candidate for use because it provides more granular control, and
> it is called before create_user_ns():
>
> cred = prepare_creds()
> security_prepare_creds()
> call_int_hook(cred_prepare, ...
> if (cred)
> create_user_ns(cred)
>
> Since security_prepare_creds() is meant for LSMs to copy and prepare
> credentials, access control is an unintended use of the hook. Therefore
> introduce a new function security_create_user_ns() with an accompanying
> userns_create LSM hook.
>
> This hook takes the prepared creds for LSM authors to write policy
> against. On success, the new namespace is applied to credentials,
> otherwise an error is returned.
>
> Signed-off-by: Frederick Lawler <fred@xxxxxxxxxxxxxx>
>
> ---

Nice and straightforward,
Reviewed-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx>