From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B575C433EF for ; Tue, 14 Jun 2022 16:31:39 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 060926B0071; Tue, 14 Jun 2022 12:31:39 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id F2D846B0075; Tue, 14 Jun 2022 12:31:38 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D58856B0072; Tue, 14 Jun 2022 12:31:38 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id AD5416B0074 for ; Tue, 14 Jun 2022 12:31:38 -0400 (EDT) Received: from smtpin21.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 69946DC9 for ; Tue, 14 Jun 2022 16:31:38 +0000 (UTC) X-FDA: 79577382276.21.04BC687 Received: from out03.mta.xmission.com (out03.mta.xmission.com [166.70.13.233]) by imf31.hostedemail.com (Postfix) with ESMTP id 51C5F200A4; Tue, 14 Jun 2022 16:31:36 +0000 (UTC) Received: from in02.mta.xmission.com ([166.70.13.52]:56828) by out03.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1o19S2-00AmWn-9i; Tue, 14 Jun 2022 10:31:34 -0600 Received: from ip68-227-174-4.om.om.cox.net ([68.227.174.4]:40454 helo=email.froward.int.ebiederm.org.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1o19S0-009rSu-TN; Tue, 14 Jun 2022 10:31:33 -0600 From: "Eric W. Biederman" To: Frederick Lawler Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-aio@kvack.org, linux-fsdevel@vger.kernel.org, linux-cachefs@redhat.com, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-mm@kvack.org, linux-nfs@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org, keyrings@vger.kernel.org, selinux@vger.kernel.org, serge@hallyn.com, amir73il@gmail.com, kernel-team@cloudflare.com, Jeff Moyer , Paul Moore References: <20220608150942.776446-1-fred@cloudflare.com> <87tu8oze94.fsf@email.froward.int.ebiederm.org> <87y1xzyhub.fsf@email.froward.int.ebiederm.org> <859cb593-9e96-5846-2191-6613677b07c5@cloudflare.com> Date: Tue, 14 Jun 2022 11:30:54 -0500 In-Reply-To: <859cb593-9e96-5846-2191-6613677b07c5@cloudflare.com> (Frederick Lawler's message of "Tue, 14 Jun 2022 11:06:24 -0500") Message-ID: <87o7yvxl4x.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1o19S0-009rSu-TN;;;mid=<87o7yvxl4x.fsf@email.froward.int.ebiederm.org>;;;hst=in02.mta.xmission.com;;;ip=68.227.174.4;;;frm=ebiederm@xmission.com;;;spf=softfail X-XM-AID: U2FsdGVkX19OwrPXsW8XkXxckntCYt4oo3aNKl7qziA= X-SA-Exim-Connect-IP: 68.227.174.4 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH v3] cred: Propagate security_prepare_creds() error code X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1655224297; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6L6XLPEe3FwRpb3QSHSsBMVQesOZMNG0okY76sSBYfg=; b=JO1qfZ1dMCtL6EQ6Ca7+MyOtiJFtwPOxDJzDNotXA3Oi1krESu+PyTPDLSDUO7HpmHxS38 1gjPgSjY9Z60I8AnaWMlesIMpjkVH13qQHY0dT+OhWdM3ypRHh+hYpsIEAf1FglQs1WWgp zpTqxJW0Jzxr/LvkqI8GWSHPEZCl/JA= ARC-Authentication-Results: i=1; imf31.hostedemail.com; dkim=none; spf=pass (imf31.hostedemail.com: domain of ebiederm@xmission.com designates 166.70.13.233 as permitted sender) smtp.mailfrom=ebiederm@xmission.com; dmarc=pass (policy=none) header.from=xmission.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1655224297; a=rsa-sha256; cv=none; b=JZGDbCXjUt95YKslbiBi7+ynB1WMz4POyz/QfVm3oZwsfJqcI3PXZRUj7qY7sWkg90loiN UsHLYvwQHYr56kBi0d45zhWYOcBJPoxjqHMEf0UqMMuJl3tfy0BlJ/dgzIbWSyxb+ATOGu DS+qlN4zxMjahlR1KJx2xZEJwC8rg/M= X-Stat-Signature: xi7ijoh6zb9qpizuypwcwk36gzyocbof X-Rspamd-Queue-Id: 51C5F200A4 X-Rspamd-Server: rspam11 X-Rspam-User: Authentication-Results: imf31.hostedemail.com; dkim=none; spf=pass (imf31.hostedemail.com: domain of ebiederm@xmission.com designates 166.70.13.233 as permitted sender) smtp.mailfrom=ebiederm@xmission.com; dmarc=pass (policy=none) header.from=xmission.com X-HE-Tag: 1655224296-350903 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Frederick Lawler writes: > On 6/13/22 11:44 PM, Eric W. Biederman wrote: >> Frederick Lawler writes: >> >>> Hi Eric, >>> >>> On 6/13/22 12:04 PM, Eric W. Biederman wrote: >>>> Frederick Lawler writes: >>>> >>>>> While experimenting with the security_prepare_creds() LSM hook, we >>>>> noticed that our EPERM error code was not propagated up the callstack. >>>>> Instead ENOMEM is always returned. As a result, some tools may send a >>>>> confusing error message to the user: >>>>> >>>>> $ unshare -rU >>>>> unshare: unshare failed: Cannot allocate memory >>>>> >>>>> A user would think that the system didn't have enough memory, when >>>>> instead the action was denied. >>>>> >>>>> This problem occurs because prepare_creds() and prepare_kernel_cred() >>>>> return NULL when security_prepare_creds() returns an error code. Later, >>>>> functions calling prepare_creds() and prepare_kernel_cred() return >>>>> ENOMEM because they assume that a NULL meant there was no memory >>>>> allocated. >>>>> >>>>> Fix this by propagating an error code from security_prepare_creds() up >>>>> the callstack. >>>> Why would it make sense for security_prepare_creds to return an error >>>> code other than ENOMEM? >>>> > That seems a bit of a violation of what that function is supposed to do >>>> >>> >>> The API allows LSM authors to decide what error code is returned from the >>> cred_prepare hook. security_task_alloc() is a similar hook, and has its return >>> code propagated. >> It is not an api. It is an implementation detail of the linux kernel. >> It is a set of convenient functions that do a job. >> The general rule is we don't support cases without an in-tree user. I >> don't see an in-tree user. >> >>> I'm proposing we follow security_task_allocs() pattern, and add visibility for >>> failure cases in prepare_creds(). >> I am asking why we would want to. Especially as it is not an API, and I >> don't see any good reason for anything but an -ENOMEM failure to be >> supported. >> > We're writing a LSM BPF policy, and not a new LSM. Our policy aims to solve > unprivileged unshare, similar to Debian's patch [1]. We're in a position such > that we can't use that patch because we can't block _all_ of our applications > from performing an unshare. We prefer a granular approach. LSM BPF seems like a > good choice. I am quite puzzled why doesn't /proc/sys/user/max_user_namespaces work for you? > Because LSM BPF exposes these hooks, we should probably treat them as an > API. From that perspective, userspace expects unshare to return a EPERM > when the call is denied permissions. The BPF code gets to be treated as a out of tree kernel module. >> Without an in-tree user that cares it is probably better to go the >> opposite direction and remove the possibility of return anything but >> memory allocation failure. That will make it clearer to implementors >> that a general error code is not supported and this is not a location >> to implement policy, this is only a hook to allocate state for the LSM. >> > > That's a good point, and it's possible we're using the wrong hook for the > policy. Do you know of other hooks we can look into? Not off the top of my head. >>>> I have probably missed a very interesting discussion where that was >>>> mentioned but I don't see link to the discussion or anything explaining >>>> why we want to do that in this change. >>>> >>> >>> AFAIK, this is the start of the discussion. >> You were on v3 and had an out of tree piece of code so I assumed someone >> had at least thought about why you want to implement policy in a piece >> of code whose only purpose is to allocate memory to store state. >> > > No worries. > >> Eric >> >> > > Links: > 1: > https://sources.debian.org/patches/linux/3.16.56-1+deb8u1/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch/ Eric