On Thu, Aug 25, 2022 at 8:19 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > On Thu, Aug 25, 2022 at 2:15 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > > Paul Moore <paul@xxxxxxxxxxxxxx> writes: > > > On Fri, Aug 19, 2022 at 10:45 AM Serge E. Hallyn <serge@xxxxxxxxxx> wrote: > > >> I am hoping we can come up with > > >> "something better" to address people's needs, make everyone happy, and > > >> bring forth world peace. Which would stack just fine with what's here > > >> for defense in depth. > > >> > > >> You may well not be interested in further work, and that's fine. I need > > >> to set aside a few days to think on this. > > > > > > I'm happy to continue the discussion as long as it's constructive; I > > > think we all are. My gut feeling is that Frederick's approach falls > > > closest to the sweet spot of "workable without being overly offensive" > > > (*cough*), but if you've got an additional approach in mind, or an > > > alternative approach that solves the same use case problems, I think > > > we'd all love to hear about it. > > > > I would love to actually hear the problems people are trying to solve so > > that we can have a sensible conversation about the trade offs. > > Here are several taken from the previous threads, it's surely not a > complete list, but it should give you a good idea: > > https://lore.kernel.org/linux-security-module/CAHC9VhQnPAsmjmKo-e84XDJ1wmaOFkTKPjjztsOa9Yrq+AeAQA@xxxxxxxxxxxxxx/ > > > As best I can tell without more information people want to use > > the creation of a user namespace as a signal that the code is > > attempting an exploit. > > Some use cases are like that, there are several other use cases that > go beyond this; see all of our previous discussions on this > topic/patchset. As has been mentioned before, there are use cases > that require improved observability, access control, or both. > > > As such let me propose instead of returning an error code which will let > > the exploit continue, have the security hook return a bool. With true > > meaning the code can continue and on false it will trigger using SIGSYS > > to terminate the program like seccomp does. > > Having the kernel forcibly exit the process isn't something that most > LSMs would likely want. I suppose we could modify the hook/caller so > that *if* an LSM wanted to return SIGSYS the system would kill the > process, but I would want that to be something in addition to > returning an error code like LSMs normally do (e.g. EACCES). I would also add here that seccomp allows more flexibility than just delivering SIGSYS to a violating application. We can program seccomp bpf to: * deliver a signal * return a CUSTOM error code (and BTW somehow this does not trigger any requirements to change userapi or document in manpages: in my toy example in [1] I'm delivering ENETDOWN from a uname(2) system call, which is not documented in the man pages, but totally valid from a seccomp usage perspective) * do-nothing, but log the action So I would say the seccomp reference supports the current approach more than the alternative approach of delivering SIGSYS as technically an LSM implementation of the hook (at least in-kernel one) can chose to deliver a signal to a task via kernel-api, but BPF-LSM (and others) can deliver custom error codes and log the actions as well. Ignat > -- > paul-moore.com [1]: https://blog.cloudflare.com/sandboxing-in-linux-with-zero-lines-of-code/
