• Frederick Lawler's avatar
    security, lsm: Introduce security_create_user_ns() · 7cd4c5c2
    Frederick Lawler authored
    User namespaces are an effective tool to allow programs to run with
    permission without requiring the need for a program to run as root. User
    namespaces may also be used as a sandboxing technique. However, attackers
    sometimes leverage user namespaces as an initial attack vector to perform
    some exploit. [1,2,3]
    
    While it is not the unprivileged user namespace functionality, which
    causes the kernel to be exploitable, users/administrators might want to
    more granularly limit or at least monitor how various processes use this
    functionality, while vulnerable kernel subsystems are being patched.
    
    Preventing user namespace already creation comes in a few of forms in
    order of granularity:
    
            1. /proc/sys/user/max_user_namespaces sysctl
            2. Distro specific patch(es)
            3. CONFIG_USER_NS
    
    To block a task based on its attributes, the LSM hook cred_prepare is a
    decent candidate for use because it provides more granular control, and
    it is called before create_user_ns():
    
            cred = prepare_creds()
                    security_prepare_creds()
                            call_int_hook(cred_prepare, ...
            if (cred)
                    create_user_ns(cred)
    
    Since security_prepare_creds() is meant for LSMs to copy and prepare
    credentials, access control is an unintended use of the hook. [4]
    Further, security_prepare_creds() will always return a ENOMEM if the
    hook returns any non-zero error code.
    
    This hook also does not handle the clone3 case which requires us to
    access a user space pointer to know if we're in the CLONE_NEW_USER
    call path which may be subject to a TOCTTOU attack.
    
    Lastly, cred_prepare is called in many call paths, and a targeted hook
    further limits the frequency of calls which is a beneficial outcome.
    Therefore introduce a new function security_create_user_ns() with an
    accompanying userns_create LSM hook.
    
    With the new userns_create hook, users will have more control over the
    observability and access control over user namespace creation. Users
    should expect that normal operation of user namespaces will behave as
    usual, and only be impacted when controls are implemented by users or
    administrators.
    
    This hook takes the prepared creds for LSM authors to write policy
    against. On success, the new namespace is applied to credentials,
    otherwise an error is returned.
    
    Links:
    1. https://nvd.nist.gov/vuln/detail/CVE-2022-0492
    2. https://nvd.nist.gov/vuln/detail/CVE-2022-25636
    3. https://nvd.nist.gov/vuln/detail/CVE-2022-34918
    4. https://lore.kernel.org/all/1c4b1c0d-12f6-6e9e-a6a3-cdce7418110c@schaufler-ca.com/Reviewed-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
    Reviewed-by: default avatarKP Singh <kpsingh@kernel.org>
    Signed-off-by: default avatarFrederick Lawler <fred@cloudflare.com>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    7cd4c5c2
security.c 66.7 KB