[PATCH v2 4/4] bpf, lsm: Allow editing capabilities in BPF-LSM hooks
Paul Moore
paul at paul-moore.com
Mon Jun 10 00:18:48 UTC 2024
On Sun, Jun 9, 2024 at 6:40 AM Jonathan Calmels <jcalmels at 3xx0.net> wrote:
>
> This patch allows modifying the various capabilities of the struct cred
> in BPF-LSM hooks. More specifically, the userns_create hook called
> prior to creating a new user namespace.
>
> With the introduction of userns capabilities, this effectively provides
> a simple way for LSMs to control the capabilities granted to a user
> namespace and all its descendants.
>
> Update the selftests accordingly by dropping CAP_SYS_ADMIN in
> namespaces and checking the resulting task's bounding set.
>
> Signed-off-by: Jonathan Calmels <jcalmels at 3xx0.net>
> ---
> include/linux/lsm_hook_defs.h | 2 +-
> include/linux/security.h | 4 +-
> kernel/bpf/bpf_lsm.c | 55 +++++++++++++++++++
> security/apparmor/lsm.c | 2 +-
> security/security.c | 6 +-
> security/selinux/hooks.c | 2 +-
> .../selftests/bpf/prog_tests/deny_namespace.c | 12 ++--
> .../selftests/bpf/progs/test_deny_namespace.c | 7 ++-
> 8 files changed, 76 insertions(+), 14 deletions(-)
I'm not sure we want to go down the path of a LSM modifying the POSIX
capabilities of a task, other than the capabilities/commoncap LSM. It
sets a bad precedent and could further complicate issues around LSM
ordering.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list