On 9/27/2018 2:45 PM, James Morris wrote: > On Wed, 26 Sep 2018, Casey Schaufler wrote: > >> + /* >> + * Namespace checks. Considered safe if: >> + * cgroup namespace is the same >> + * User namespace is the same >> + * PID namespace is the same >> + */ >> + if (current->nsproxy) >> + ccgn = current->nsproxy->cgroup_ns; >> + if (p->nsproxy) >> + pcgn = p->nsproxy->cgroup_ns; >> + if (ccgn != pcgn) >> + return -EACCES; >> + if (current->cred->user_ns != p->cred->user_ns) >> + return -EACCES; >> + if (task_active_pid_ns(current) != task_active_pid_ns(p)) >> + return -EACCES; >> + return 0; > I really don't like the idea of hard-coding namespace security semantics > in an LSM. Also, I'm not sure if these semantics make any sense. Checks on namespaces where explicitly requested. I think these are the most sensible, but I'm willing to be educated. I was also requested to check on potential issues between containers, but as there is no kernel concept of containers this is the best I see we can do. > It least make it user configurable. Would you have a suggested granularity? I could have a configuration option for each of cgroups, user and pid namespaces but that's getting to be a lot of knobs to twist. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
