From: Stephen Smalley <sds@tycho.nsa.gov>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@osdl.org>, Ingo Molnar <mingo@elte.hu>,
tglx@linutronix.de, linux-kernel@vger.kernel.org,
selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>
Subject: Re: [PATCH 2/2] sysctl: Restore the selinux path based label lookup for sysctls.
Date: Thu, 08 Feb 2007 10:01:11 -0500 [thread overview]
Message-ID: <1170946871.11912.250.camel@moss-spartans.epoch.ncsc.mil> (raw)
In-Reply-To: <m17iutmmwh.fsf@ebiederm.dsl.xmission.com>
On Wed, 2007-02-07 at 18:57 -0700, Eric W. Biederman wrote:
> Stephen Smalley <sds@tycho.nsa.gov> writes:
>
> >
> > One related but separate issue is that the /proc/sys inode labeling is
> > also affected by the sysctl patch series. Those inodes used to be
> > labeled by selinux_proc_get_sid (from selinux_d_instantiate), but that
> > no longer works, so they now fall back to the superblock SID (generic
> > proc label). That changes the inode permission checks on an attempt to
> > access a /proc/sys node and will likely cause denials under current
> > policy for confined domains since one wouldn't generally be writing to
> > the generic proc label. If you always called sysctl_perm from the proc
> > sysctl code, we could possibly dispense with inode permission checking
> > on those inodes, e.g. marking them private.
>
> Like this?
>
> It seems a little weird but I'm happy with it if you are.
>
> Eric
>
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index b9d59c0..7d6f7c7 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -47,6 +47,7 @@ static struct inode *proc_sys_make_inode(struct inode *dir, struct ctl_table *ta
> inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
> inode->i_op = &proc_sys_inode_operations;
> inode->i_fop = &proc_sys_file_operations;
> + inode->i_flags |= S_PRIVATE; /* tell selinux to ignore this inode */
> proc_sys_refresh_inode(inode, table);
> out:
> return inode;
Hmmm...turns out to not be quite enough, as the /proc/sys inodes aren't
truly private to the fs, so we can run into them in a variety of
security hooks beyond just the inode hooks, such as
security_file_permission (when reading and writing them via the vfs
helpers), security_sb_mount (when mounting other filesystems on
directories in proc like binfmt_misc), and deeper within the security
module itself (as in flush_unauthorized_files upon inheritance across
execve). So I think we have to add an IS_PRIVATE() guard within
SELinux, as below. Note however that the use of the private flag here
could be confusing, as these inodes are _not_ private to the fs, are
exposed to userspace, and security modules must implement the sysctl
hook to get any access control over them.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 65fb5e8..21bf2f0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1078,6 +1077,9 @@ static int inode_has_perm(struct task_st
struct inode_security_struct *isec;
struct avc_audit_data ad;
+ if (unlikely (IS_PRIVATE (inode)))
+ return 0;
+
tsec = tsk->security;
isec = inode->i_security;
--
Stephen Smalley
National Security Agency
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Smalley <sds@tycho.nsa.gov>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@osdl.org>, Ingo Molnar <mingo@elte.hu>,
tglx@linutronix.de, linux-kernel@vger.kernel.org,
selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>
Subject: Re: [PATCH 2/2] sysctl: Restore the selinux path based label lookup for sysctls.
Date: Thu, 08 Feb 2007 10:01:11 -0500 [thread overview]
Message-ID: <1170946871.11912.250.camel@moss-spartans.epoch.ncsc.mil> (raw)
In-Reply-To: <m17iutmmwh.fsf@ebiederm.dsl.xmission.com>
On Wed, 2007-02-07 at 18:57 -0700, Eric W. Biederman wrote:
> Stephen Smalley <sds@tycho.nsa.gov> writes:
>
> >
> > One related but separate issue is that the /proc/sys inode labeling is
> > also affected by the sysctl patch series. Those inodes used to be
> > labeled by selinux_proc_get_sid (from selinux_d_instantiate), but that
> > no longer works, so they now fall back to the superblock SID (generic
> > proc label). That changes the inode permission checks on an attempt to
> > access a /proc/sys node and will likely cause denials under current
> > policy for confined domains since one wouldn't generally be writing to
> > the generic proc label. If you always called sysctl_perm from the proc
> > sysctl code, we could possibly dispense with inode permission checking
> > on those inodes, e.g. marking them private.
>
> Like this?
>
> It seems a little weird but I'm happy with it if you are.
>
> Eric
>
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index b9d59c0..7d6f7c7 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -47,6 +47,7 @@ static struct inode *proc_sys_make_inode(struct inode *dir, struct ctl_table *ta
> inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
> inode->i_op = &proc_sys_inode_operations;
> inode->i_fop = &proc_sys_file_operations;
> + inode->i_flags |= S_PRIVATE; /* tell selinux to ignore this inode */
> proc_sys_refresh_inode(inode, table);
> out:
> return inode;
Hmmm...turns out to not be quite enough, as the /proc/sys inodes aren't
truly private to the fs, so we can run into them in a variety of
security hooks beyond just the inode hooks, such as
security_file_permission (when reading and writing them via the vfs
helpers), security_sb_mount (when mounting other filesystems on
directories in proc like binfmt_misc), and deeper within the security
module itself (as in flush_unauthorized_files upon inheritance across
execve). So I think we have to add an IS_PRIVATE() guard within
SELinux, as below. Note however that the use of the private flag here
could be confusing, as these inodes are _not_ private to the fs, are
exposed to userspace, and security modules must implement the sysctl
hook to get any access control over them.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 65fb5e8..21bf2f0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1078,6 +1077,9 @@ static int inode_has_perm(struct task_st
struct inode_security_struct *isec;
struct avc_audit_data ad;
+ if (unlikely (IS_PRIVATE (inode)))
+ return 0;
+
tsec = tsk->security;
isec = inode->i_security;
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-02-08 15:06 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-01-28 1:05 + clocksource-add-verification-watchdog-helper-fix-3.patch added to -mm tree akpm
[not found] ` <20070127172410.2b041952.akpm@osdl.org>
[not found] ` <1169972718.17469.164.camel@localhost.localdomain>
[not found] ` <20070128003549.2ca38dc8.akpm@osdl.org>
[not found] ` <20070128093358.GA2071@elte.hu>
[not found] ` <20070128095712.GA6485@elte.hu>
[not found] ` <20070128100627.GA8416@elte.hu>
[not found] ` <20070128104548.a835d859.akpm@osdl.org>
2007-01-28 19:21 ` [PATCH] sysctl selinux: Don't look at table->de Eric W. Biederman
2007-01-28 19:21 ` Eric W. Biederman
2007-01-29 13:04 ` Stephen Smalley
2007-01-29 13:04 ` Stephen Smalley
2007-01-29 15:23 ` James Morris
2007-01-29 15:23 ` James Morris
2007-01-29 17:55 ` Eric W. Biederman
2007-01-29 17:55 ` Eric W. Biederman
2007-01-29 19:26 ` Stephen Smalley
2007-01-29 19:26 ` Stephen Smalley
2007-01-29 17:43 ` Eric W. Biederman
2007-01-29 17:43 ` Eric W. Biederman
2007-01-29 18:43 ` Stephen Smalley
2007-01-29 18:43 ` Stephen Smalley
2007-01-29 19:08 ` Casey Schaufler
2007-01-29 19:08 ` Casey Schaufler
2007-01-29 20:07 ` Stephen Smalley
2007-01-29 20:07 ` Stephen Smalley
2007-01-30 10:25 ` Christoph Hellwig
2007-01-30 17:19 ` Casey Schaufler
2007-01-30 17:19 ` Casey Schaufler
2007-01-29 19:16 ` Eric W. Biederman
2007-01-29 19:16 ` Eric W. Biederman
2007-01-29 23:28 ` Russell Coker
2007-01-29 23:28 ` Russell Coker
2007-02-06 21:16 ` [PATCH 1/2] sysctl: Add a parent entry to ctl_table and set the parent entry Eric W. Biederman
2007-02-06 21:16 ` Eric W. Biederman
2007-02-06 21:21 ` [PATCH 2/2] sysctl: Restore the selinux path based label lookup for sysctls Eric W. Biederman
2007-02-06 21:21 ` Eric W. Biederman
2007-02-07 18:24 ` Stephen Smalley
2007-02-07 18:24 ` Stephen Smalley
2007-02-07 21:12 ` Stephen Smalley
2007-02-07 21:12 ` Stephen Smalley
2007-02-07 21:54 ` Stephen Smalley
2007-02-07 21:54 ` Stephen Smalley
2007-02-07 22:21 ` Eric W. Biederman
2007-02-07 22:21 ` Eric W. Biederman
2007-02-08 15:07 ` Stephen Smalley
2007-02-08 15:07 ` Stephen Smalley
2007-02-08 1:57 ` Eric W. Biederman
2007-02-08 1:57 ` Eric W. Biederman
2007-02-08 15:01 ` Stephen Smalley [this message]
2007-02-08 15:01 ` Stephen Smalley
2007-02-08 17:53 ` Eric W. Biederman
2007-02-08 17:53 ` Eric W. Biederman
2007-02-08 18:13 ` Stephen Smalley
2007-02-08 18:13 ` Stephen Smalley
2007-02-08 22:17 ` Eric W. Biederman
2007-02-08 22:17 ` Eric W. Biederman
2007-02-08 22:51 ` [PATCH 0/5] sysctl cleanup selinux fixes Eric W. Biederman
2007-02-08 22:51 ` Eric W. Biederman
2007-02-08 22:53 ` [PATCH 1/5] sysctl: Remove declaration of nonexistent sysctl_init() Eric W. Biederman
2007-02-08 22:53 ` Eric W. Biederman
2007-02-08 22:54 ` [PATCH 2/5] sysctl: Set the parent field in the root sysctl table Eric W. Biederman
2007-02-08 22:54 ` Eric W. Biederman
2007-02-08 22:55 ` [PATCH 3/5] sysctl: Fix the selinux_sysctl_get_sid Eric W. Biederman
2007-02-08 22:55 ` Eric W. Biederman
2007-02-08 23:02 ` [PATCH 4/5] selinux: Enhance selinux to always ignore private inodes Eric W. Biederman
2007-02-08 23:02 ` Eric W. Biederman
2007-02-08 23:04 ` [PATCH 5/5] sysctl: Hide the sysctl proc inodes from selinux Eric W. Biederman
2007-02-08 23:04 ` Eric W. Biederman
2007-02-09 12:26 ` [PATCH 4/5] selinux: Enhance selinux to always ignore private inodes Stephen Smalley
2007-02-09 12:26 ` Stephen Smalley
2007-02-09 12:24 ` [PATCH 3/5] sysctl: Fix the selinux_sysctl_get_sid Stephen Smalley
2007-02-09 12:24 ` Stephen Smalley
2007-02-09 11:05 ` [PATCH 0/5] sysctl cleanup selinux fixes Andrew Morton
2007-02-09 18:09 ` Eric W. Biederman
2007-02-09 18:09 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1170946871.11912.250.camel@moss-spartans.epoch.ncsc.mil \
--to=sds@tycho.nsa.gov \
--cc=akpm@osdl.org \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=selinux@tycho.nsa.gov \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.