Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions

From: Topi Miettinen <toiwoton@gmail.com>
To: Paul Moore <paul@paul-moore.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions
Date: Fri, 18 Jun 2021 23:37:02 +0300	[thread overview]
Message-ID: <7d638d58-386f-b0e9-7a3d-e626fc8ba108@gmail.com> (raw)
In-Reply-To: <CAHC9VhQfVqRCuR4Gn7vAOrqVeZQtzE6GjuqvFhQHKVufCk_N3w@mail.gmail.com>

On 18.6.2021 22.32, Paul Moore wrote:
> On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> wrote:
>> On 18.6.2021 6.50, Paul Moore wrote:
>>> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>>>>
>>>> Describe cases where nosuid_transition or nnp_transition are needed.
>>>>
>>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>>>> ---
>>>>    src/computing_security_contexts.md | 9 ++++++++-
>>>>    1 file changed, 8 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
>>>> index bb946b5..7bd1d87 100644
>>>> --- a/src/computing_security_contexts.md
>>>> +++ b/src/computing_security_contexts.md
>>>> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
>>>>       *default_type* (policy version 28) or if a security-aware process,
>>>>       by calling ***setexeccon**(3)* if permitted by policy prior to
>>>>       invoking exec.
>>>> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
>>>> +3. If the file system is mounted with *nosuid* flag, type transitions
>>>> +   require permission *nosuid_transition*. If the thread has
>>>> +   *no_new_privs* attribute set, the transition requires
>>>> +   *nnp_transition*. For both transitions, policy capability
>>>> +   *nnp_nosuid_transition* is also required. See also
>>>> +   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
>>>> +   section.
>>>
>>> Thanks for adding this text, however I might suggest the following changes:
>>>
>>> "If the loaded SELinux policy has the nnp_nosuid_transition policy
>>> capability enabled there are potentially two additional permissions
>>> that are required to permit a domain transition: nosuid_transition for
>>> nosuid mounted filesystems, and nnp_transition for for threads with
>>> the no_new_privs flag."
>>>
>>> ... does that make sense?
>>
>> Yes. I'd then add:
>>
>> "If nnp_nosuid_transition policy capability is disabled, such domain
>> transitions are denied."
> 
> In most cases, yes that is correct, but bounded domain transitions are
> still allowed in the case where the nnp_nosuid_transition policy
> capability is not enabled.

I see. May I propose then:

"If nnp_nosuid_transition policy capability is disabled, such domain
transitions are denied but bounded domain transitions are still allowed. 
In bounded transitions, target domain is only allowed a subset of the 
permissions of the source domain."

-Topi