[RESEND RFC PATCH v2 00/14] device_cgroup: guard mknod for non-initial user namespace
Michael Weiß
michael.weiss at aisec.fraunhofer.de
Wed Oct 25 18:11:36 UTC 2023
On 25.10.23 15:17, Paul Moore wrote:
> On Wed, Oct 25, 2023 at 5:42 AM Michael Weiß
> <michael.weiss at aisec.fraunhofer.de> wrote:
>>
>> Introduce the flag BPF_DEVCG_ACC_MKNOD_UNS for bpf programs of type
>> BPF_PROG_TYPE_CGROUP_DEVICE which allows to guard access to mknod
>> in non-initial user namespaces.
>>
>> If a container manager restricts its unprivileged (user namespaced)
>> children by a device cgroup, it is not necessary to deny mknod()
>> anymore. Thus, user space applications may map devices on different
>> locations in the file system by using mknod() inside the container.
>>
>> A use case for this, we also use in GyroidOS, is to run virsh for
>> VMs inside an unprivileged container. virsh creates device nodes,
>> e.g., "/var/run/libvirt/qemu/11-fgfg.dev/null" which currently fails
>> in a non-initial userns, even if a cgroup device white list with the
>> corresponding major, minor of /dev/null exists. Thus, in this case
>> the usual bind mounts or pre populated device nodes under /dev are
>> not sufficient.
>>
>> To circumvent this limitation, allow mknod() by checking CAP_MKNOD
>> in the userns by implementing the security_inode_mknod_nscap(). The
>> hook implementation checks if the corresponding permission flag
>> BPF_DEVCG_ACC_MKNOD_UNS is set for the device in the bpf program.
>> To avoid to create unusable inodes in user space the hook also
>> checks SB_I_NODEV on the corresponding super block.
>>
>> Further, the security_sb_alloc_userns() hook is implemented using
>> cgroup_bpf_current_enabled() to allow usage of device nodes on super
>> blocks mounted by a guarded task.
>>
>> Patch 1 to 3 rework the current devcgroup_inode hooks as an LSM
>>
>> Patch 4 to 8 rework explicit calls to devcgroup_check_permission
>> also as LSM hooks and finalize the conversion of the device_cgroup
>> subsystem to a LSM.
>>
>> Patch 9 and 10 introduce new generic security hooks to be used
>> for the actual mknod device guard implementation.
>>
>> Patch 11 wires up the security hooks in the vfs
>>
>> Patch 12 and 13 provide helper functions in the bpf cgroup
>> subsystem.
>>
>> Patch 14 finally implement the LSM hooks to grand access
>>
>> Signed-off-by: Michael Weiß <michael.weiss at aisec.fraunhofer.de>
>> ---
>> Changes in v2:
>> - Integrate this as LSM (Christian, Paul)
>> - Switched to a device cgroup specific flag instead of a generic
>> bpf program flag (Christian)
>> - do not ignore SB_I_NODEV in fs/namei.c but use LSM hook in
>> sb_alloc_super in fs/super.c
>> - Link to v1: https://lore.kernel.org/r/20230814-devcg_guard-v1-0-654971ab88b1@aisec.fraunhofer.de
>>
>> Michael Weiß (14):
>> device_cgroup: Implement devcgroup hooks as lsm security hooks
>> vfs: Remove explicit devcgroup_inode calls
>> device_cgroup: Remove explicit devcgroup_inode hooks
>> lsm: Add security_dev_permission() hook
>> device_cgroup: Implement dev_permission() hook
>> block: Switch from devcgroup_check_permission to security hook
>> drm/amdkfd: Switch from devcgroup_check_permission to security hook
>> device_cgroup: Hide devcgroup functionality completely in lsm
>> lsm: Add security_inode_mknod_nscap() hook
>> lsm: Add security_sb_alloc_userns() hook
>> vfs: Wire up security hooks for lsm-based device guard in userns
>> bpf: Add flag BPF_DEVCG_ACC_MKNOD_UNS for device access
>> bpf: cgroup: Introduce helper cgroup_bpf_current_enabled()
>> device_cgroup: Allow mknod in non-initial userns if guarded
>>
>> block/bdev.c | 9 +-
>> drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 7 +-
>> fs/namei.c | 24 ++--
>> fs/super.c | 6 +-
>> include/linux/bpf-cgroup.h | 2 +
>> include/linux/device_cgroup.h | 67 -----------
>> include/linux/lsm_hook_defs.h | 4 +
>> include/linux/security.h | 18 +++
>> include/uapi/linux/bpf.h | 1 +
>> init/Kconfig | 4 +
>> kernel/bpf/cgroup.c | 14 +++
>> security/Kconfig | 1 +
>> security/Makefile | 2 +-
>> security/device_cgroup/Kconfig | 7 ++
>> security/device_cgroup/Makefile | 4 +
>> security/{ => device_cgroup}/device_cgroup.c | 3 +-
>> security/device_cgroup/device_cgroup.h | 20 ++++
>> security/device_cgroup/lsm.c | 114 +++++++++++++++++++
>> security/security.c | 75 ++++++++++++
>> 19 files changed, 294 insertions(+), 88 deletions(-)
>> delete mode 100644 include/linux/device_cgroup.h
>> create mode 100644 security/device_cgroup/Kconfig
>> create mode 100644 security/device_cgroup/Makefile
>> rename security/{ => device_cgroup}/device_cgroup.c (99%)
>> create mode 100644 security/device_cgroup/device_cgroup.h
>> create mode 100644 security/device_cgroup/lsm.c
>
> Hi Michael,
>
> I think this was lost because it wasn't CC'd to the LSM list (see
> below). I've CC'd the list on my reply, but future patch submissions
> that involve the LSM must be posted to the LSM list if you would like
> them to be considered.
>
> http://vger.kernel.org/vger-lists.html#linux-security-module
>
Hi Paul,
thanks, I'll keep this in mind for the next submissions.
I have also resend because, I realized that some spam filters my
have swallowed the last submission as I used my private smtp server
from another domain in the gitconfig. Sorry for that. I hope now
every one received it.
Thanks,
Michael
More information about the Linux-security-module-archive
mailing list