    Merge tag 'lsm-pr-20221003' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm · 26b84401
    Linus Torvalds authored
    Pull LSM updates from Paul Moore:
     "Seven patches for the LSM layer and we've got a mix of trivial and
      significant patches. Highlights below, starting with the smaller bits
      first so they don't get lost in the discussion of the larger items:
    
       - Remove some redundant NULL pointer checks in the common LSM audit
         code.
    
       - Ratelimit the lockdown LSM's access denial messages.
    
         With this change there is a chance that the last visible lockdown
         message on the console is outdated/old, but it does help preserve
         the initial series of lockdown denials that started the denial
         message flood and my gut feeling is that these might be the more
         valuable messages.
    
       - Open userfaultfds as readonly instead of read/write.
    
         While this code obviously lives outside the LSM, it does have a
         noticeable impact on the LSMs with Ondrej explaining the situation
         in the commit description. It is worth noting that this patch
         languished on the VFS list for over a year without any comments
         (objections or otherwise) so I took the liberty of pulling it into
         the LSM tree after giving fair notice. It has been in linux-next
         since the end of August without any noticeable problems.
    
       - Add a LSM hook for user namespace creation, with implementations
         for both the BPF LSM and SELinux.
    
         Even though the changes are fairly small, this is the bulk of the
         diffstat as we are also including BPF LSM selftests for the new
         hook.
    
         It's also the most contentious of the changes in this pull request
         with Eric Biederman NACK'ing the LSM hook multiple times during its
         development and discussion upstream. While I've never taken NACK's
         lightly, I'm sending these patches to you because it is my belief
         that they are of good quality, satisfy a long-standing need of
         users and distros, and are in keeping with the existing nature of
         the LSM layer and the Linux Kernel as a whole.
    
         The patches implement a LSM hook for user namespace creation
         that allows for a granular approach, configurable at runtime, which
         enables both monitoring and control of user namespaces. The general
         consensus has been that this is far preferable to the other
         solutions that have been adopted downstream including outright
         removal from the kernel, disabling via system wide sysctls, or
         various other out-of-tree mechanisms that users have been forced to
         adopt since we haven't been able to provide them an upstream
         solution for their requests. Eric has been steadfast in his
         objections to this LSM hook, explaining that any restrictions on
         the user namespace could have significant impact on userspace.
         While there is the possibility of impacting userspace, it is
         important to note that this solution only impacts userspace when it
         is requested based on the runtime configuration supplied by the
         distro/admin/user. Frederick (the patchset author), the LSM/security
         community, and myself have tried to work with Eric during
         development of this patchset to find a mutually acceptable
         solution, but Eric's approach and unwillingness to engage in a
         meaningful way have made this impossible. I have CC'd Eric directly
         on this pull request so he has a chance to provide his side of the
         story; there have been no objections outside of Eric's"
    
    * tag 'lsm-pr-20221003' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
      lockdown: ratelimit denial messages
      userfaultfd: open userfaultfds with O_RDONLY
      selinux: Implement userns_create hook
      selftests/bpf: Add tests verifying bpf lsm userns_create hook
      bpf-lsm: Make bpf_lsm_userns_create() sleepable
      security, lsm: Introduce security_create_user_ns()
      lsm: clean up redundant NULL pointer check
security.c 66.8 KB