All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Cc: linux-security-module@vger.kernel.org, linux-mm@kvack.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Lokesh Gidra <lokeshgidra@google.com>,
	Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [RFC PATCH 0/2] selinux,anon_inodes: Use a separate SELinux class for each type of anon inode
Date: Wed, 21 Apr 2021 19:14:44 +0200	[thread overview]
Message-ID: <20210421171446.785507-1-omosnace@redhat.com> (raw)

This series aims to correct a design flaw in the original anon_inode
SELinux support that would make it hard to write policies for anonymous
inodes once more types of them are supported (currently only userfaultfd
inodes are). A more detailed rationale is provided in the second patch.

The first patch extends the anon_inode_getfd_secure() function to accept
an additional numeric identifier that represents the type of the
anonymous inode being created, which is passed to the LSMs via
security_inode_init_security_anon().

The second patch then introduces a new SELinux policy capability that
allow policies to opt-in to have a separate class used for each type of
anon inode. That means that the "old way" will still 

I wish I had realized the practical consequences earlier, while the
patches were still under review, but it only started to sink in after
the authors themselves later raised the issue in an off-list
conversation. Even then, I still hoped it wouldn't be that bad, but the
more I thought about how to apply this in an actual policy, the more I
realized how much pain it would be to work with the current design, so
I decided to propose these changes.

I hope this will be an acceptable solution.

A selinux-testsuite patch that adapts the userfaultfd test to work also
with the new policy capability enabled will follow.

Ondrej Mosnacek (2):
  LSM,anon_inodes: explicitly distinguish anon inode types
  selinux: add capability to map anon inode types to separate classes

 fs/anon_inodes.c                           | 42 +++++++++++++---------
 fs/userfaultfd.c                           |  6 ++--
 include/linux/anon_inodes.h                |  4 ++-
 include/linux/lsm_hook_defs.h              |  3 +-
 include/linux/security.h                   | 19 ++++++++++
 security/security.c                        |  3 +-
 security/selinux/hooks.c                   | 28 ++++++++++++++-
 security/selinux/include/classmap.h        |  2 ++
 security/selinux/include/policycap.h       |  1 +
 security/selinux/include/policycap_names.h |  3 +-
 security/selinux/include/security.h        |  7 ++++
 11 files changed, 95 insertions(+), 23 deletions(-)

-- 
2.30.2


             reply	other threads:[~2021-04-21 17:15 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-21 17:14 Ondrej Mosnacek [this message]
2021-04-21 17:14 ` [RFC PATCH 1/2] LSM,anon_inodes: explicitly distinguish anon inode types Ondrej Mosnacek
2021-04-21 17:14 ` [RFC PATCH 2/2] selinux: add capability to map anon inode types to separate classes Ondrej Mosnacek
2021-04-22 13:21   ` Stephen Smalley
2021-04-22 13:21     ` Stephen Smalley
2021-04-23 13:41     ` Ondrej Mosnacek
2021-04-23 13:41       ` Ondrej Mosnacek
2021-04-23 14:22       ` Stephen Smalley
2021-04-23 14:22         ` Stephen Smalley
2021-04-23 15:20         ` Stephen Smalley
2021-04-23 15:20           ` Stephen Smalley
2021-04-26 16:00           ` Ondrej Mosnacek
2021-04-26 16:00             ` Ondrej Mosnacek
2021-04-21 20:38 ` [RFC PATCH 0/2] selinux,anon_inodes: Use a separate SELinux class for each type of anon inode Paul Moore
2021-04-21 20:38   ` Paul Moore
2021-04-22 11:39   ` Ondrej Mosnacek
2021-04-22 11:39     ` Ondrej Mosnacek
2021-04-22 13:48     ` Paul Moore
2021-04-22 13:48       ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210421171446.785507-1-omosnace@redhat.com \
    --to=omosnace@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lokeshgidra@google.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.