From: Casey Schaufler <casey@schaufler-ca.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>,
"Dr. Greg" <greg@enjellic.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Oleg Nesterov <oleg@redhat.com>, Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
Andrew Morton <akpm@linux-foundation.org>,
Mimi Zohar <zohar@linux.ibm.com>,
Kees Cook <keescook@chromium.org>,
David Howells <dhowells@redhat.com>,
LuisChamberlain <mcgrof@kernel.org>,
Eric Biederman <ebiederm@xmission.com>,
Petr Tesarik <petrtesarik@huaweicloud.com>,
Christoph Hellwig <hch@infradead.org>,
Petr Mladek <pmladek@suse.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>, Tejun Heo <tj@kernel.org>,
linux-mm@kvack.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, keyrings@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-hardening@vger.kernel.org,
Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [QUESTION] Full user space process isolation?
Date: Mon, 3 Jul 2023 07:43:55 -0700 [thread overview]
Message-ID: <2939cc00-2b8b-bf9a-45bc-b9a2d8d8def1@schaufler-ca.com> (raw)
In-Reply-To: <0870d82571d1075433a2b81b2953cf8b4afcd415.camel@huaweicloud.com>
On 7/3/2023 12:57 AM, Roberto Sassu wrote:
> On Sun, 2023-07-02 at 12:55 -0500, Dr. Greg wrote:
>> On Thu, Jun 29, 2023 at 10:11:26AM +0200, Roberto Sassu wrote:
>>
>> Good morning, I hope the weekend is going well for everyone, greetings
>> to Roberto and everyone copied.
>>
>>> On Wed, 2023-06-28 at 21:10 -0500, Serge E. Hallyn wrote:
>>>> On Thu, Jun 22, 2023 at 04:42:37PM +0200, Roberto Sassu wrote:
>>>>> Hi everyone
>>>>>
>>>>> I briefly discussed this topic at LSS NA 2023, but I wanted to have an
>>>>> opinion from a broader audience.
>>>>>
>>>>> In short:
>>>>>
>>>>> I wanted to execute some kernel workloads in a fully isolated user
>>>>> space process, started from a binary statically linked with klibc,
>>>>> connected to the kernel only through a pipe.
>>>>>
>>>>> I also wanted that, for the root user, tampering with that process is
>>>>> as hard as if the same code runs in kernel space.
>>>>>
>>>>> I would use the fully isolated process to parse and convert unsupported
>>>>> data formats to a supported one, after the kernel verified the
>>>> Can you give some examples here of supported and unsupported data
>>>> formats? ext2 is supported, but we sadly don't trust the sb parser
>>>> to read a an ext2fs coming from unknown source. So I'm not quite
>>>> clear what problem you're trying to solve.
>>> + eBPF guys (as I'm talking about eBPF)
>> If the week goes well, we will be submitting the second version of our
>> TSEM LSM for review. It incorporates a significant number of changes
>> and enhancements, based on both initial review comments, and
>> importantly, feedback from our collaborators in the critical
>> infrastructure community.
>>
>> Just as a levelset. TSEM provides kernel infrastructure to implement
>> security controls based on either deterministic or machine learning
>> models. Quixote is the userspace infrastructure that enables use of
>> the TSEM kernel infrastructure.
>>
>> Based on your description Roberto, TSEM may be of assistance in
>> addressesing your issues at two different levels.
>>
>> First with respect to protection of an isolated workload.
>>
>> TSEM is inherently workload based, given that it is based on an
>> architecture that implements security modeling namespaces that a
>> process heirarchy can be placed into. This reduces model complexity
>> and provides the implementation of very specific and targeted security
>> controls based on the needs of a proposed workload.
>>
>> The security controls are prospective rather than retrospective,
>> ie. TSEM will pro-actively block any security behaviors that are not
>> in a security model that has been defined for the workload.
>>
>> For example, with respect to the concerns you had previously mentioned
>> about ptrace. If the security model definition does not include a
>> security state coefficient for a ptrace_traceme security event, it
>> will be disallowed, regardless of what goes on with respect to kernel
>> development, modulo of course the ptrace_traceme LSM hook being
>> discontinued.
> Hi Greg
>
> thanks for your insights.
>
> The policy is quite simple:
>
>
> r/w ^ kernel space
> ----------|-----------------------------------------
> v (pipe) user space
> +-----------------+ +-----------------------+
> | trustworthy UMD |---X---| rest of the processes |
> +-----------------+ +-----------------------+
>
> The question was more, is the LSM infrastructure complete enough that
> the X can be really enforced?
I believe that it is. SELinux and Smack, users of the LSM infrastructure,
enforce "X". They also require netlabel for IP communications, and Smack
falls short on newer protocols, but that's not the fault of LSM.
>
> Could there be other implicit information flows that the LSM
> infrastructure is not able/does not yet mediate, that could break the
> policy above?
Sure. Every so often something pops into the kernel (e.g. io_uring)
without proper LSM integration. We try to discourage that, and correct
it when we find it.
>
> I guess TSEM could be for more elaborated security models, but in this
> case the policy is quite straithforward. Also, your TSEM would be as
> limited as mine by the LSM hooks available.
>
> Thanks
>
> Roberto
>
next prev parent reply other threads:[~2023-07-03 14:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <eb31920bd00e2c921b0aa6ebed8745cb0130b0e1.camel@huaweicloud.com>
2023-06-29 2:10 ` Serge E. Hallyn
[not found] ` <14599d8216f1b7520ff5f6cfb27377fa79709f13.camel@huaweicloud.com>
2023-07-02 17:55 ` Dr. Greg
[not found] ` <0870d82571d1075433a2b81b2953cf8b4afcd415.camel@huaweicloud.com>
2023-07-03 14:43 ` Casey Schaufler [this message]
2023-07-04 17:26 ` Dr. Greg
2023-07-03 15:06 ` Jann Horn
2023-07-03 18:47 ` Kees Cook
[not found] ` <ab8e68962feba9f16ed0a715d46ed003da61cfe8.camel@huaweicloud.com>
2023-07-04 15:18 ` Petr Tesarik
2023-07-06 10:53 ` Dr. Greg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2939cc00-2b8b-bf9a-45bc-b9a2d8d8def1@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=akpm@linux-foundation.org \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=daniel@iogearbox.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=greg@enjellic.com \
--cc=hch@infradead.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=oleg@redhat.com \
--cc=paul@paul-moore.com \
--cc=peterz@infradead.org \
--cc=petrtesarik@huaweicloud.com \
--cc=pmladek@suse.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tglx@linutronix.de \
--cc=tj@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox