From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
LSM <linux-security-module@vger.kernel.org>,
SELinux <selinux@tycho.nsa.gov>, Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>
Subject: Re: [PATCH 00/23] LSM: Full security module stacking
Date: Tue, 15 May 2018 08:47:36 -0700 [thread overview]
Message-ID: <ad30d628-ed11-2dd6-6782-3089bf733702@schaufler-ca.com> (raw)
In-Reply-To: <5db90fec-7640-73d5-2e96-b4c996b7ae8d@tycho.nsa.gov>
On 5/15/2018 5:33 AM, Stephen Smalley wrote:
> On 05/14/2018 05:31 PM, Casey Schaufler wrote:
>> On 5/14/2018 1:07 PM, Stephen Smalley wrote:
>>> On 05/14/2018 03:52 PM, Stephen Smalley wrote:
>>>> On 05/10/2018 08:30 PM, Casey Schaufler wrote:
>>>>> Subject: [PATCH 00/23] LSM: Full security module stacking
>>>>>
>>>>> Here it is, the whole nine yards, broken into mostly
>>>>> review friendly pieces. I believe that it would make
>>>>> a good deal of sense to take this in two bites, with
>>>>> the infrastructure managed blobs going first and the
>>>>> secid conversion coming later. I hope there will be some
>>>>> debate around that.
>>>>>
>>>>> The blob management part is pretty clean by now. I
>>>>> welcome serious review on that. The secid part is more
>>>>> wobbly, but I am convinced that it's the right direction
>>>>> if not perhaps always the best possible implementation.
>>>>> AppArmor in in the process of a major overhaul, and that
>>>>> slowed me down a bit as I had to do new work to convert
>>>>> it to use the new mechanisms.
>>>>>
>>>>> I had experimented with secid "tokens" in the hope of
>>>>> minimizing API changes. That doesn't work. Changing
>>>>> the APIs to use a struct secids pointer in place of a
>>>>> u32 is brutal to the diffstat, but reduces the amount
>>>>> of active code that has to change, and really makes
>>>>> data management easier.
>>>>>
>>>>> If there are two possible ways to do a thing you will
>>>>> find them both in the networking code. AF_UNIX, netfilter,
>>>>> SO_PEERSEC and netlabel each has its own clever ways
>>>>> to manipulate security information. I think I nailed
>>>>> them all, but I'm not betting more than a beer on it.
>>>>>
>>>>> There could be issues in the audit code, although nothing
>>>>> jumped out immediately. The same goes for the integrity
>>>>> subsystem. I haven't tried Infiniband or very many
>>>>> filesystem types that don't com standard with Fedora or
>>>>> Ubuntu.
>>>>>
>>>>> I have fixed everything I've found. If you find something
>>>>> (please look!) let me know.
>>>>>
>>>>> Tested primarily on virtual machines.
>>>>> Fedora 25-27 - SELinux, Smack and the two together
>>>>> Ubuntu 17.04 - AppArmor and AppArmor + Smack
>>>>>
>>>>> The SELinux test suite completes successfully unless
>>>>> you add in Smack, in which case it fails where you would
>>>>> expect it to due to the different use models for netlabel.
>>>>> Smack tests work as well. AppArmor was tested by booting
>>>>> Ubuntu, but not beyond.
>>>> Getting this during boot with CONFIG_KASAN=y and SELinux+Smack stacked:
>>>>
>>>> [ 83.809008] ==================================================================
>>>> [ 83.809046] BUG: KASAN: use-after-free in string+0xab/0x180
>>>> [ 83.809051] Read of size 1 at addr ffff8803bb3ad508 by task systemd/1...
>> <snip>
>> I haven't seen that one. What distro/version/architecture are you using?
> Fedora 28 / x86_64
OK, found and fixed. Thanks for the report.
>
>>>> Also, networking seems to be dead:
>>>> [ 94.522829] Failed to initialize the IGMP autojoin socket (err -13)
>>>> ... <snip> ...
>>>> [ 500.736369] Failed to initialize the IGMP autojoin socket (err -13)
>>>>
>>>> And I can't bring up the interface.
>> What you're seeing is SELinux and Smack being unable to agree on the
>> labeling for IP sockets. The socket() call is failing because
>> SELinux and Smack want different CIPSO on the packets from the sockets.
>> Paul and I discussed this at length, and in the end agreed that this is
>> safe, if "inconvenient", behavior. I believe that a netlabel configuration
>> that is useful is possible, but I don't have one to suggest just yet.
>>
>> On Fedora25 and 27 the services using IP sockets eventually time out,
>> after which I can successfully log on. Without being able to create sockets,
>> it's tough to start the interfaces.
> Hmm...SELinux shouldn't be doing anything with CIPSO by default (i.e. without additional config),
> so why is there a conflict just when booting without any SELinux NetLabel configuration at all?
Both SELinux and Smack use netlbl_sock_setattr() in their socket_post_create()
hooks to establish the CIPSO to use if nothing else interferes. An unfortunate
artifact of the Smack "ambient label" implementation is that the default
configuration is going to delete the netlbl attribute for the floor ("_")
label. This will conflict with any value that SELinux sets. :( Smack clearly
needs to have it's use of netlabel revised, and that is work that's going on
in parallel with stacking. That, however, is not an infrastructure issue, it's
an issue with how the two modules use the facilities.
WARNING: multiple messages have this Message-ID (diff)
From: casey@schaufler-ca.com (Casey Schaufler)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 00/23] LSM: Full security module stacking
Date: Tue, 15 May 2018 08:47:36 -0700 [thread overview]
Message-ID: <ad30d628-ed11-2dd6-6782-3089bf733702@schaufler-ca.com> (raw)
In-Reply-To: <5db90fec-7640-73d5-2e96-b4c996b7ae8d@tycho.nsa.gov>
On 5/15/2018 5:33 AM, Stephen Smalley wrote:
> On 05/14/2018 05:31 PM, Casey Schaufler wrote:
>> On 5/14/2018 1:07 PM, Stephen Smalley wrote:
>>> On 05/14/2018 03:52 PM, Stephen Smalley wrote:
>>>> On 05/10/2018 08:30 PM, Casey Schaufler wrote:
>>>>> Subject: [PATCH 00/23] LSM: Full security module stacking
>>>>>
>>>>> Here it is, the whole nine yards, broken into mostly
>>>>> review friendly pieces. I believe that it would make
>>>>> a good deal of sense to take this in two bites, with
>>>>> the infrastructure managed blobs going first and the
>>>>> secid conversion coming later. I hope there will be some
>>>>> debate around that.
>>>>>
>>>>> The blob management part is pretty clean by now. I
>>>>> welcome serious review on that. The secid part is more
>>>>> wobbly, but I am convinced that it's the right direction
>>>>> if not perhaps always the best possible implementation.
>>>>> AppArmor in in the process of a major overhaul, and that
>>>>> slowed me down a bit as I had to do new work to convert
>>>>> it to use the new mechanisms.
>>>>>
>>>>> I had experimented with secid "tokens" in the hope of
>>>>> minimizing API changes. That doesn't work. Changing
>>>>> the APIs to use a struct secids pointer in place of a
>>>>> u32 is brutal to the diffstat, but reduces the amount
>>>>> of active code that has to change, and really makes
>>>>> data management easier.
>>>>>
>>>>> If there are two possible ways to do a thing you will
>>>>> find them both in the networking code. AF_UNIX, netfilter,
>>>>> SO_PEERSEC and netlabel each has its own clever ways
>>>>> to manipulate security information. I think I nailed
>>>>> them all, but I'm not betting more than a beer on it.
>>>>>
>>>>> There could be issues in the audit code, although nothing
>>>>> jumped out immediately. The same goes for the integrity
>>>>> subsystem. I haven't tried Infiniband or very many
>>>>> filesystem types that don't com standard with Fedora or
>>>>> Ubuntu.
>>>>>
>>>>> I have fixed everything I've found. If you find something
>>>>> (please look!) let me know.
>>>>>
>>>>> Tested primarily on virtual machines.
>>>>> Fedora 25-27 - SELinux, Smack and the two together
>>>>> Ubuntu 17.04 - AppArmor and AppArmor + Smack
>>>>>
>>>>> The SELinux test suite completes successfully unless
>>>>> you add in Smack, in which case it fails where you would
>>>>> expect it to due to the different use models for netlabel.
>>>>> Smack tests work as well. AppArmor was tested by booting
>>>>> Ubuntu, but not beyond.
>>>> Getting this during boot with CONFIG_KASAN=y and SELinux+Smack stacked:
>>>>
>>>> [ 83.809008] ==================================================================
>>>> [ 83.809046] BUG: KASAN: use-after-free in string+0xab/0x180
>>>> [ 83.809051] Read of size 1 at addr ffff8803bb3ad508 by task systemd/1...
>> <snip>
>> I haven't seen that one. What distro/version/architecture are you using?
> Fedora 28 / x86_64
OK, found and fixed. Thanks for the report.
>
>>>> Also, networking seems to be dead:
>>>> [ 94.522829] Failed to initialize the IGMP autojoin socket (err -13)
>>>> ... <snip> ...
>>>> [ 500.736369] Failed to initialize the IGMP autojoin socket (err -13)
>>>>
>>>> And I can't bring up the interface.
>> What you're seeing is SELinux and Smack being unable to agree on the
>> labeling for IP sockets. The socket() call is failing because
>> SELinux and Smack want different CIPSO on the packets from the sockets.
>> Paul and I discussed this at length, and in the end agreed that this is
>> safe, if "inconvenient", behavior. I believe that a netlabel configuration
>> that is useful is possible, but I don't have one to suggest just yet.
>>
>> On Fedora25 and 27 the services using IP sockets eventually time out,
>> after which I can successfully log on. Without being able to create sockets,
>> it's tough to start the interfaces.
> Hmm...SELinux shouldn't be doing anything with CIPSO by default (i.e. without additional config),
> so why is there a conflict just when booting without any SELinux NetLabel configuration at all?
Both SELinux and Smack use netlbl_sock_setattr() in their socket_post_create()
hooks to establish the CIPSO to use if nothing else interferes. An unfortunate
artifact of the Smack "ambient label" implementation is that the default
configuration is going to delete the netlbl attribute for the floor ("_")
label. This will conflict with any value that SELinux sets. :( Smack clearly
needs to have it's use of netlabel revised, and that is work that's going on
in parallel with stacking. That, however, is not an infrastructure issue, it's
an issue with how the two modules use the facilities.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-05-15 15:47 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-11 0:30 [PATCH 00/23] LSM: Full security module stacking Casey Schaufler
2018-05-11 0:30 ` Casey Schaufler
2018-05-11 0:30 ` Casey Schaufler
2018-05-11 0:52 ` [PATCH 01/23] procfs: add smack subdir to attrs Casey Schaufler
2018-05-11 0:52 ` Casey Schaufler
2018-05-11 0:52 ` [PATCH 02/23] Smack: Abstract use of cred security blob Casey Schaufler
2018-05-11 0:52 ` Casey Schaufler
2018-05-11 0:52 ` [PATCH 03/23] SELinux: " Casey Schaufler
2018-05-11 0:52 ` Casey Schaufler
2018-05-11 0:52 ` [PATCH 04/23] LSM: Infrastructure management of the cred security Casey Schaufler
2018-05-11 0:52 ` Casey Schaufler
2018-05-11 0:52 ` [PATCH 05/23] SELinux: Abstract use of file security blob Casey Schaufler
2018-05-11 0:52 ` Casey Schaufler
2018-05-11 0:53 ` [PATCH 06/23] LSM: Infrastructure management of the file security Casey Schaufler
2018-05-11 0:53 ` Casey Schaufler
2018-05-11 0:53 ` [PATCH 07/23] LSM: Infrastructure management of the task security Casey Schaufler
2018-05-11 0:53 ` Casey Schaufler
2018-05-11 0:53 ` [PATCH 08/23] SELinux: Abstract use of inode security blob Casey Schaufler
2018-05-11 0:53 ` Casey Schaufler
2018-05-11 0:53 ` [PATCH 09/23] Smack: " Casey Schaufler
2018-05-11 0:53 ` Casey Schaufler
2018-05-11 0:53 ` [PATCH 10/23] LSM: Infrastructure management of the inode security Casey Schaufler
2018-05-11 0:53 ` Casey Schaufler
2018-05-14 15:04 ` Stephen Smalley
2018-05-14 15:04 ` Stephen Smalley
2018-05-14 16:32 ` Casey Schaufler
2018-05-14 16:32 ` Casey Schaufler
2018-05-11 0:54 ` [PATCH 11/23] LSM: Infrastructure management of the superblock Casey Schaufler
2018-05-11 0:54 ` Casey Schaufler
2018-05-11 0:54 ` [PATCH 12/23] LSM: Infrastructure management of the sock security Casey Schaufler
2018-05-11 0:54 ` Casey Schaufler
2018-05-11 0:54 ` [PATCH 13/23] LSM: Infrastructure management of the ipc security blob Casey Schaufler
2018-05-11 0:54 ` Casey Schaufler
2018-05-11 0:54 ` [PATCH 14/23] LSM: Infrastructure management of the key " Casey Schaufler
2018-05-11 0:54 ` Casey Schaufler
2018-05-11 0:55 ` [PATCH 15/23] LSM: Mark security blob allocation failures as unlikely Casey Schaufler
2018-05-11 0:55 ` Casey Schaufler
2018-05-11 0:55 ` [PATCH 16/23] LSM: Sharing of security blobs Casey Schaufler
2018-05-11 0:55 ` Casey Schaufler
2018-05-11 0:55 ` [PATCH 17/23] LSM: Allow mount options from multiple security modules Casey Schaufler
2018-05-11 0:55 ` Casey Schaufler
2018-05-11 0:55 ` [PATCH 18/23] LSM: Use multiple secids in security module interfaces Casey Schaufler
2018-05-11 0:55 ` Casey Schaufler
2018-05-11 0:55 ` [PATCH 19/23] LSM: Use multiple secids in LSM interfaces Casey Schaufler
2018-05-11 0:55 ` Casey Schaufler
2018-05-11 0:55 ` [PATCH 20/23] LSM: Move common usercopy into Casey Schaufler
2018-05-11 0:55 ` Casey Schaufler
2018-05-14 15:12 ` Stephen Smalley
2018-05-14 15:12 ` Stephen Smalley
2018-05-14 16:53 ` Stephen Smalley
2018-05-14 16:53 ` Stephen Smalley
2018-05-14 18:55 ` Casey Schaufler
2018-05-14 18:55 ` Casey Schaufler
2018-05-11 0:56 ` [PATCH 21/23] LSM: Multiple concurrent major security modules Casey Schaufler
2018-05-11 0:56 ` Casey Schaufler
2018-05-28 11:42 ` [lkp-robot] [LSM] acde387a6d: vm-scalability.throughput -58.0% regression kernel test robot
2018-05-11 0:56 ` [PATCH 22/23] LSM: Fix setting of the IMA data in inode init Casey Schaufler
2018-05-11 0:56 ` Casey Schaufler
2018-05-11 0:56 ` [PATCH 23/23] Netfilter: Add a selection for Smack Casey Schaufler
2018-05-11 0:56 ` Casey Schaufler
2018-05-11 0:58 ` [PATCH 00/23] LSM: Full security module stacking Casey Schaufler
2018-05-11 0:58 ` Casey Schaufler
2018-05-11 20:25 ` [PATCH 24/23] LSM: Functions for dealing with struct secids Casey Schaufler
2018-05-11 20:25 ` Casey Schaufler
[not found] ` <523afc0b-5bfc-8b95-05ee-450679254a47@tycho.nsa.gov>
[not found] ` <5716ab22-4d3c-1935-41f1-ba848570ccab@tycho.nsa.gov>
[not found] ` <eab001ca-10ff-1cfe-9436-805840628784@schaufler-ca.com>
2018-05-15 12:33 ` [PATCH 00/23] LSM: Full security module stacking Stephen Smalley
2018-05-15 12:33 ` Stephen Smalley
2018-05-15 15:47 ` Casey Schaufler [this message]
2018-05-15 15:47 ` Casey Schaufler
2018-05-15 21:49 ` James Morris
2018-05-15 21:49 ` James Morris
2018-05-16 17:42 ` Casey Schaufler
2018-05-16 17:42 ` Casey Schaufler
2018-05-17 0:19 ` Paul Moore
2018-05-17 0:19 ` Paul Moore
2018-05-17 1:05 ` Casey Schaufler
2018-05-17 1:05 ` Casey Schaufler
2018-05-18 0:28 ` Paul Moore
2018-05-18 0:28 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ad30d628-ed11-2dd6-6782-3089bf733702@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.