On Thu, Jun 1, 2023 at 9:41 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> Paul Moore <paul@xxxxxxxxxxxxxx> writes:
> > On Thu, Jun 1, 2023 at 8:14 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> >> Paul Moore <paul@xxxxxxxxxxxxxx> writes:
> >> >
> >> > Given the challenges around adding access controls to userns
> >> > operations, have you considered using the LSM support that was added
> >> > upstream last year? The relevant LSM hook can be found in commit
> >> > 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),
> >>
> >> Paul, how have you handled the real world regression I reported against
> >> Chromium?
> >
> > I don't track Chromium development.
>
> You have chosen to be the maintainer and I reported it to you.

I just dug through all of the mail I've received from you over the past
two (?) years, as well as checking the LSM archive on lore, and I don't
see any bug reports from you directed at the upstream LSM or SELinux
code ... perhaps I missed something, do you have a pointer?

Also, for the sake of clarification, I do not maintain any part of
Chromium or Chrome OS. I do maintain the upstream LSM, SELinux, audit,
and labeled networking subsystems in the Linux kernel, as well as a
couple of userspace packages.

> >> Paul, are you aware that the LSM hook cannot be used to achieve the
> >> objective of this patchset?
> >
> > /me shrugs
>
> [snip parts about performing a group id check]

My comments here were only discussing the possibility of performing a
group ID based access control check; I made no claims about the
desirability of such a check, and I have no interest in rehashing our
old debates.

--
paul-moore.com