From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: selinux@vger.kernel.org, Casey Schaufler <casey@schaufler-ca.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
Tejun Heo <tj@kernel.org>,
linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org
Subject: Re: [PATCH v2 0/3] Allow initializing the kernfs node's secctx based on its parent
Date: Tue, 22 Jan 2019 09:17:43 -0500 [thread overview]
Message-ID: <3f663024-98f0-98c9-6235-fa4ffafa6a03@tycho.nsa.gov> (raw)
In-Reply-To: <CAFqZXNsm2+79gMTqhxoZuPgibxfhSjJXu8742o7Ho7Yrf=2QCw@mail.gmail.com>
On 1/22/19 3:49 AM, Ondrej Mosnacek wrote:
> On Mon, Jan 14, 2019 at 10:01 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>> On Thu, Jan 10, 2019 at 6:55 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>> Resending after email configuration repair.
>>>
>>> On 1/10/2019 6:15 AM, Stephen Smalley wrote:
>>>> On 1/9/19 5:03 PM, Casey Schaufler wrote:
>>>>> On 1/9/2019 12:37 PM, Stephen Smalley wrote:
>>>>>> On 1/9/19 12:19 PM, Casey Schaufler wrote:
>>>>>>> On 1/9/2019 8:28 AM, Ondrej Mosnacek wrote:
>>>>>>>> Changes in v2:
>>>>>>>> - add docstring for the new hook in union security_list_options
>>>>>>>> - initialize *ctx to NULL and *ctxlen to 0 in case the hook is not
>>>>>>>> implemented
>>>>>>>> v1: https://lore.kernel.org/selinux/20190109091028.24485-1-omosnace@redhat.com/T/
>>>>>>>>
>>>>>>>> This series adds a new security hook that allows to initialize the security
>>>>>>>> context of kernfs properly, taking into account the parent context. Kernfs
>>>>>>>> nodes require special handling here, since they are not bound to specific
>>>>>>>> inodes/superblocks, but instead represent the backing tree structure that
>>>>>>>> is used to build the VFS tree when the kernfs tree is mounted.
>>>>>>>>
>>>>>>>> The kernfs nodes initially do not store any security context and rely on
>>>>>>>> the LSM to assign some default context to inodes created over them.
>>>>>>>
>>>>>>> This seems like a bug in kernfs. Why doesn't kernfs adhere to the usual
>>>>>>> and expected filesystem behavior?
>>>>>>
>>>>>> sysfs / kernfs didn't support xattrs at all when we first added support for setting security contexts to it, so originally all sysfs / kernfs inodes had a single security context, and we only required separate storage for the inodes that were explicitly labeled by userspace.
>>>>>>
>>>>>> Later kernfs grew support for trusted.* xattrs using simple_xattrs but the existing security.* support was left mostly unchanged.
>>>>>
>>>>> OK, so as I said, this seems like a bug in kernfs.
>>>>>
>>>>>>
>>>>>>>
>>>>>>>> Kernfs
>>>>>>>> inodes, however, allow setting an explicit context via the *setxattr(2)
>>>>>>>> syscalls, in which case the context is stored inside the kernfs node's
>>>>>>>> metadata.
>>>>>>>>
>>>>>>>> SELinux (and possibly other LSMs) initialize the context of newly created
>>>>>>>> FS objects based on the parent object's context (usually the child inherits
>>>>>>>> the parent's context, unless the policy dictates otherwise).
>>>>>>>
>>>>>>> An LSM might use information about the parent other than the "context".
>>>>>>> Smack, for example, uses an attribute SMACK64TRANSMUTE from the parent
>>>>>>> to determine whether the Smack label of the new object should be taken
>>>>>>> from the parent or the process. Passing the "context" of the parent is
>>>>>>> insufficient for Smack.
>>>>>>
>>>>>> IIUC, this would involve switching the handling of security.* xattrs in kernfs over to use simple_xattrs too (so that we can store multiple such attributes), and then pass the entire simple_xattrs list or at least anything with a security.* prefix when initializing a new node or refreshing an existing inode. Then the security module could extract any security.* attributes of interest for use in determining the label of new inodes and in refreshing the label of an inode.
>>
>> I actually had a patch to do just that at one point because I thought
>> for a while that it would be required to call
>> security_inode_init_security() (which I had tried to somehow force
>> into the kernfs node creation at some point), but then I realized it
>> is not actually needed (although would make thing a bit nicer) and put
>> it away... I will try to dig it out and reuse here.
>
> Okay, now that I tried to do this with full xattr support I ran into a
> problem. Along with converting kernfs to use simple_xattrs for
> security attributes, I removed the call to
> security_inode_notifysecctx() from kernfs_refresh_inode(), as it no
> longer makes sense (kernfs doesn't know which attribute contains the
> context; the LSM should now be able to pull it out via
> vfs_getxattr()). However, SELinux now doesn't set the right security
> context in the selinux_d_instantiate() hook, because the policy tells
> it to use genfs, not xattr.
>
> So... I'm not sure how to fix this. Setting fs_use_xattr for cgroupfs
> in the policy won't work, because then all nodes will be unlabeled_t
> by default. Maybe we could patch the genfs case in
> inode_doinit_with_dentry() to try fetching the xattr first? I'm not
> very confident about touching that part of the code, so I would
> welcome some advice here.
>
> This is the code I have so far, in case it helps:
> https://gitlab.com/omos/linux-public/compare/selinux-next...selinux-fix-cgroupfs-v8
I would have left security_inode_notifysecctx() or an equivalent that
passes all of the xattrs to push the security attributes to the security
module.
Blindly calling __vfs_getxattr() on genfs could be a problem; IIRC,
doing so on fuse filesytems can create a deadlock during mount. Or at
least that was the issue with switching fuse to fs_use_xattr in the past.
next prev parent reply other threads:[~2019-01-22 14:15 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-09 16:28 [PATCH v2 0/3] Allow initializing the kernfs node's secctx based on its parent Ondrej Mosnacek
2019-01-09 16:28 ` [PATCH v2 1/3] LSM: Add new hook for generic node initialization Ondrej Mosnacek
2019-01-09 17:08 ` Casey Schaufler
2019-01-11 1:57 ` Paul Moore
2019-01-11 18:30 ` Casey Schaufler
2019-01-14 9:01 ` Ondrej Mosnacek
2019-01-09 16:28 ` [PATCH v2 2/3] selinux: Implement the object_init_security hook Ondrej Mosnacek
2019-01-09 16:28 ` [PATCH v2 3/3] kernfs: Initialize security of newly created nodes Ondrej Mosnacek
2019-01-11 20:52 ` Tejun Heo
2019-01-09 17:19 ` [PATCH v2 0/3] Allow initializing the kernfs node's secctx based on its parent Casey Schaufler
2019-01-09 20:37 ` Stephen Smalley
2019-01-09 22:03 ` Casey Schaufler
2019-01-10 14:15 ` Stephen Smalley
2019-01-10 17:54 ` Casey Schaufler
2019-01-10 19:37 ` Stephen Smalley
2019-01-11 2:20 ` Paul Moore
2019-01-14 9:01 ` Ondrej Mosnacek
2019-01-11 18:22 ` Casey Schaufler
2019-01-14 9:01 ` Ondrej Mosnacek
2019-01-22 8:49 ` Ondrej Mosnacek
2019-01-22 14:17 ` Stephen Smalley [this message]
2019-01-22 15:26 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3f663024-98f0-98c9-6235-fa4ffafa6a03@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=casey@schaufler-ca.com \
--cc=cgroups@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).