|
Message-ID: <025d4742-5947-545e-f603-502a0c5ee03f@schaufler-ca.com> Date: Thu, 27 Sep 2018 15:39:54 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: James Morris <jmorris@...ei.org>, Casey Schaufler <casey.schaufler@...el.com> Cc: kristen@...ux.intel.com, kernel-hardening@...ts.openwall.com, deneen.t.dock@...el.com, linux-kernel@...r.kernel.org, dave.hansen@...el.com, linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov, arjan@...ux.intel.com Subject: Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel On 9/27/2018 2:45 PM, James Morris wrote: > On Wed, 26 Sep 2018, Casey Schaufler wrote: > >> + /* >> + * Namespace checks. Considered safe if: >> + * cgroup namespace is the same >> + * User namespace is the same >> + * PID namespace is the same >> + */ >> + if (current->nsproxy) >> + ccgn = current->nsproxy->cgroup_ns; >> + if (p->nsproxy) >> + pcgn = p->nsproxy->cgroup_ns; >> + if (ccgn != pcgn) >> + return -EACCES; >> + if (current->cred->user_ns != p->cred->user_ns) >> + return -EACCES; >> + if (task_active_pid_ns(current) != task_active_pid_ns(p)) >> + return -EACCES; >> + return 0; > I really don't like the idea of hard-coding namespace security semantics > in an LSM. Also, I'm not sure if these semantics make any sense. Checks on namespaces where explicitly requested. I think these are the most sensible, but I'm willing to be educated. I was also requested to check on potential issues between containers, but as there is no kernel concept of containers this is the best I see we can do. > It least make it user configurable. Would you have a suggested granularity? I could have a configuration option for each of cgroups, user and pid namespaces but that's getting to be a lot of knobs to twist.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.