Re: [PATCH linux 0/3] [PATCH] userns: add sysctl "kernel.userns_group_range"

From: Paul Moore
Date: Fri Jun 02 2023 - 10:50:50 EST


On Thu, Jun 1, 2023 at 9:41 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> Paul Moore <paul@xxxxxxxxxxxxxx> writes:
> > On Thu, Jun 1, 2023 at 8:14 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> >> Paul Moore <paul@xxxxxxxxxxxxxx> writes:
> >> >
> >> > Given the challenges around adding access controls to userns
> >> > operations, have you considered using the LSM support that was added
> >> > upstream last year? The relevant LSM hook can be found in commit
> >> > 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"),
> >>
> >> Paul how have you handled the real world regression I reported against
> >> chromium?
> >
> > I don't track chromium development.
>
> You have chosen to be the maintainer and I reported it to you.

I just dug through all of the mail I've received from you over the
past two (?) years, as well as checking the LSM archive on lore and I
don't see any bug reports from you directed at the upstream LSM or
SELinux code ... perhaps I missed something, do you have a pointer?

Also, for the sake of clarification, I do not maintain any part of
Chromium or Chrome OS. I do maintain the upstream LSM, SELinux,
audit, and labeled networking subsystems in the Linux Kernel as well
as a couple of userspace packages.

> >> Paul are you aware that the LSM hook cannot be used to achieve the
> >> objective of this patchset?
> >
> > /me shrugs
>
> [snip parts about performing a group id check]

My comments here were only discussing the possibility of performing a
group ID based access control check; I made no claims about the
desirability of such a check, and I have no interest in rehashing our
old debates.

--
paul-moore.com