* [PATCH] security/landlock: use square brackets around "landlock-ruleset"
@ 2021-10-11 13:37 Christian Brauner
2021-10-11 14:38 ` Mickaël Salaün
0 siblings, 1 reply; 9+ messages in thread
From: Christian Brauner @ 2021-10-11 13:37 UTC (permalink / raw)
To: Mickaël Salaün; +Cc: linux-security-module, Christian Brauner
From: Christian Brauner <christian.brauner@ubuntu.com>
Make the name of the anon inode fd "[landlock-ruleset]" instead of
"landlock-ruleset". This is minor but most anon inode fds already
carry square brackets around their name:
[eventfd]
[eventpoll]
[fanotify]
[fscontext]
[io_uring]
[pidfd]
[signalfd]
[timerfd]
[userfaultfd]
For the sake of consistency lets do the same for the landlock-ruleset anon
inode fd that comes with landlock. We did the same in
1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
for the new mount api.
Cc: Mickaël Salaün <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
security/landlock/syscalls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 32396962f04d..7e27ce394020 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -192,7 +192,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
return PTR_ERR(ruleset);
/* Creates anonymous FD referring to the ruleset. */
- ruleset_fd = anon_inode_getfd("landlock-ruleset", &ruleset_fops,
+ ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops,
ruleset, O_RDWR | O_CLOEXEC);
if (ruleset_fd < 0)
landlock_put_ruleset(ruleset);
base-commit: 9e1ff307c779ce1f0f810c7ecce3d95bbae40896
--
2.30.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
2021-10-11 13:37 [PATCH] security/landlock: use square brackets around "landlock-ruleset" Christian Brauner
@ 2021-10-11 14:38 ` Mickaël Salaün
2021-10-12 10:38 ` Christian Brauner
0 siblings, 1 reply; 9+ messages in thread
From: Mickaël Salaün @ 2021-10-11 14:38 UTC (permalink / raw)
To: Christian Brauner; +Cc: linux-security-module, Christian Brauner
On 11/10/2021 15:37, Christian Brauner wrote:
> From: Christian Brauner <christian.brauner@ubuntu.com>
>
> Make the name of the anon inode fd "[landlock-ruleset]" instead of
> "landlock-ruleset". This is minor but most anon inode fds already
> carry square brackets around their name:
>
> [eventfd]
> [eventpoll]
> [fanotify]
> [fscontext]
> [io_uring]
> [pidfd]
> [signalfd]
> [timerfd]
> [userfaultfd]
>
> For the sake of consistency lets do the same for the landlock-ruleset anon
> inode fd that comes with landlock. We did the same in
> 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
> for the new mount api.
Before creating "landlock-ruleset" FD, I looked at other anonymous FD
and saw this kind of inconsistency. I don't get why we need to add extra
characters to names, those brackets seem useless. If it should be part
of the interface, why is it not enforced by anon_inode_getfd()?
There is a lot of other names that come without brackets (e.g. inotify,
bpf-*, btf, kvm-*, iio*). Do you plan to send patches for those too?
Changing such FD names could break user space because they may already
be exposed and used (e.g. through SELinux).
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
2021-10-11 14:38 ` Mickaël Salaün
@ 2021-10-12 10:38 ` Christian Brauner
2021-10-12 18:11 ` Paul Moore
0 siblings, 1 reply; 9+ messages in thread
From: Christian Brauner @ 2021-10-12 10:38 UTC (permalink / raw)
To: Mickaël Salaün; +Cc: Christian Brauner, linux-security-module
On Mon, Oct 11, 2021 at 04:38:55PM +0200, Mickaël Salaün wrote:
>
> On 11/10/2021 15:37, Christian Brauner wrote:
> > From: Christian Brauner <christian.brauner@ubuntu.com>
> >
> > Make the name of the anon inode fd "[landlock-ruleset]" instead of
> > "landlock-ruleset". This is minor but most anon inode fds already
> > carry square brackets around their name:
> >
> > [eventfd]
> > [eventpoll]
> > [fanotify]
> > [fscontext]
> > [io_uring]
> > [pidfd]
> > [signalfd]
> > [timerfd]
> > [userfaultfd]
> >
> > For the sake of consistency lets do the same for the landlock-ruleset anon
> > inode fd that comes with landlock. We did the same in
> > 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
> > for the new mount api.
>
> Before creating "landlock-ruleset" FD, I looked at other anonymous FD
> and saw this kind of inconsistency. I don't get why we need to add extra
> characters to names, those brackets seem useless. If it should be part
Past inconsistency shouldn't justify future inconsistency. If you have a
strong opinion about this for landlock I'm not going to push for it.
Exchanging more than 2-3 email about something like this seems too much.
> of the interface, why is it not enforced by anon_inode_getfd()?
Sure, we can add that too.
>
> There is a lot of other names that come without brackets (e.g. inotify,
> bpf-*, btf, kvm-*, iio*). Do you plan to send patches for those too?
> Changing such FD names could break user space because they may already
> be exposed and used (e.g. through SELinux).
We didn't do it for bpf and kvm stuff because it has been that way for
a long time. We try to do it for all new ones.
Christian
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
2021-10-12 10:38 ` Christian Brauner
@ 2021-10-12 18:11 ` Paul Moore
2021-10-12 20:38 ` Ondrej Mosnacek
0 siblings, 1 reply; 9+ messages in thread
From: Paul Moore @ 2021-10-12 18:11 UTC (permalink / raw)
To: Chris PeBenito, Petr Lautrbach
Cc: Mickaël Salaün, Christian Brauner, Christian Brauner,
linux-security-module, selinux
On Tue, Oct 12, 2021 at 6:38 AM Christian Brauner
<christian.brauner@ubuntu.com> wrote:
> On Mon, Oct 11, 2021 at 04:38:55PM +0200, Mickaël Salaün wrote:
> > On 11/10/2021 15:37, Christian Brauner wrote:
> > > From: Christian Brauner <christian.brauner@ubuntu.com>
> > >
> > > Make the name of the anon inode fd "[landlock-ruleset]" instead of
> > > "landlock-ruleset". This is minor but most anon inode fds already
> > > carry square brackets around their name:
> > >
> > > [eventfd]
> > > [eventpoll]
> > > [fanotify]
> > > [fscontext]
> > > [io_uring]
> > > [pidfd]
> > > [signalfd]
> > > [timerfd]
> > > [userfaultfd]
> > >
> > > For the sake of consistency lets do the same for the landlock-ruleset anon
> > > inode fd that comes with landlock. We did the same in
> > > 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
> > > for the new mount api.
> >
> > Before creating "landlock-ruleset" FD, I looked at other anonymous FD
> > and saw this kind of inconsistency. I don't get why we need to add extra
> > characters to names, those brackets seem useless. If it should be part
>
> Past inconsistency shouldn't justify future inconsistency. If you have a
> strong opinion about this for landlock I'm not going to push for it.
> Exchanging more than 2-3 email about something like this seems too much.
[NOTE: adding the SELinux list as well as Chris (SELinux refrence
policy maintainer) and Petr (Fedora/RHEL SELinux)]
Chris and Petr, do either of you currently have any policy that
references the "landlock-ruleset" anonymous inode? In other words,
would adding the brackets around the name cause you any problems?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
2021-10-12 18:11 ` Paul Moore
@ 2021-10-12 20:38 ` Ondrej Mosnacek
2021-10-12 21:09 ` Paul Moore
0 siblings, 1 reply; 9+ messages in thread
From: Ondrej Mosnacek @ 2021-10-12 20:38 UTC (permalink / raw)
To: Paul Moore
Cc: Chris PeBenito, Petr Lautrbach, Mickaël Salaün,
Christian Brauner, Christian Brauner, Linux Security Module list,
SElinux list
On Tue, Oct 12, 2021 at 8:12 PM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Oct 12, 2021 at 6:38 AM Christian Brauner
> <christian.brauner@ubuntu.com> wrote:
> > On Mon, Oct 11, 2021 at 04:38:55PM +0200, Mickaël Salaün wrote:
> > > On 11/10/2021 15:37, Christian Brauner wrote:
> > > > From: Christian Brauner <christian.brauner@ubuntu.com>
> > > >
> > > > Make the name of the anon inode fd "[landlock-ruleset]" instead of
> > > > "landlock-ruleset". This is minor but most anon inode fds already
> > > > carry square brackets around their name:
> > > >
> > > > [eventfd]
> > > > [eventpoll]
> > > > [fanotify]
> > > > [fscontext]
> > > > [io_uring]
> > > > [pidfd]
> > > > [signalfd]
> > > > [timerfd]
> > > > [userfaultfd]
> > > >
> > > > For the sake of consistency lets do the same for the landlock-ruleset anon
> > > > inode fd that comes with landlock. We did the same in
> > > > 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
> > > > for the new mount api.
> > >
> > > Before creating "landlock-ruleset" FD, I looked at other anonymous FD
> > > and saw this kind of inconsistency. I don't get why we need to add extra
> > > characters to names, those brackets seem useless. If it should be part
> >
> > Past inconsistency shouldn't justify future inconsistency. If you have a
> > strong opinion about this for landlock I'm not going to push for it.
> > Exchanging more than 2-3 email about something like this seems too much.
>
> [NOTE: adding the SELinux list as well as Chris (SELinux refrence
> policy maintainer) and Petr (Fedora/RHEL SELinux)]
>
> Chris and Petr, do either of you currently have any policy that
> references the "landlock-ruleset" anonymous inode? In other words,
> would adding the brackets around the name cause you any problems?
AFAIU, the anon_inode transitions (the only mechanism where the "file
name" would be exposed to the policy) are done only for inodes created
by anon_inode_getfd_secure(), which is currently only used by
userfaultfd. So you don't even need to ask that question; at this
point it should be safe to change any of the names except
"[userfaultfd]" as far as SELinux policy is concerned.
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
2021-10-12 20:38 ` Ondrej Mosnacek
@ 2021-10-12 21:09 ` Paul Moore
2021-10-13 15:47 ` Mickaël Salaün
0 siblings, 1 reply; 9+ messages in thread
From: Paul Moore @ 2021-10-12 21:09 UTC (permalink / raw)
To: Ondrej Mosnacek
Cc: Chris PeBenito, Petr Lautrbach, Mickaël Salaün,
Christian Brauner, Christian Brauner, Linux Security Module list,
SElinux list
On Tue, Oct 12, 2021 at 4:38 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Tue, Oct 12, 2021 at 8:12 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Oct 12, 2021 at 6:38 AM Christian Brauner
> > <christian.brauner@ubuntu.com> wrote:
> > > On Mon, Oct 11, 2021 at 04:38:55PM +0200, Mickaël Salaün wrote:
> > > > On 11/10/2021 15:37, Christian Brauner wrote:
> > > > > From: Christian Brauner <christian.brauner@ubuntu.com>
> > > > >
> > > > > Make the name of the anon inode fd "[landlock-ruleset]" instead of
> > > > > "landlock-ruleset". This is minor but most anon inode fds already
> > > > > carry square brackets around their name:
> > > > >
> > > > > [eventfd]
> > > > > [eventpoll]
> > > > > [fanotify]
> > > > > [fscontext]
> > > > > [io_uring]
> > > > > [pidfd]
> > > > > [signalfd]
> > > > > [timerfd]
> > > > > [userfaultfd]
> > > > >
> > > > > For the sake of consistency lets do the same for the landlock-ruleset anon
> > > > > inode fd that comes with landlock. We did the same in
> > > > > 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
> > > > > for the new mount api.
> > > >
> > > > Before creating "landlock-ruleset" FD, I looked at other anonymous FD
> > > > and saw this kind of inconsistency. I don't get why we need to add extra
> > > > characters to names, those brackets seem useless. If it should be part
> > >
> > > Past inconsistency shouldn't justify future inconsistency. If you have a
> > > strong opinion about this for landlock I'm not going to push for it.
> > > Exchanging more than 2-3 email about something like this seems too much.
> >
> > [NOTE: adding the SELinux list as well as Chris (SELinux refrence
> > policy maintainer) and Petr (Fedora/RHEL SELinux)]
> >
> > Chris and Petr, do either of you currently have any policy that
> > references the "landlock-ruleset" anonymous inode? In other words,
> > would adding the brackets around the name cause you any problems?
>
> AFAIU, the anon_inode transitions (the only mechanism where the "file
> name" would be exposed to the policy) are done only for inodes created
> by anon_inode_getfd_secure(), which is currently only used by
> userfaultfd. So you don't even need to ask that question; at this
> point it should be safe to change any of the names except
> "[userfaultfd]" as far as SELinux policy is concerned.
There is also io_uring if you look at selinux/next.
Regardless, thanks, I didn't check to see if landlock was using the
new anon inode interface, since both Mickaël and Christian were
concerned about breaking SELinux I had assumed they were using it :)
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
2021-10-12 21:09 ` Paul Moore
@ 2021-10-13 15:47 ` Mickaël Salaün
2021-10-15 9:10 ` Christian Brauner
0 siblings, 1 reply; 9+ messages in thread
From: Mickaël Salaün @ 2021-10-13 15:47 UTC (permalink / raw)
To: Paul Moore, Ondrej Mosnacek, Christian Brauner
Cc: Chris PeBenito, Petr Lautrbach, Christian Brauner,
Linux Security Module list, SElinux list
On 12/10/2021 23:09, Paul Moore wrote:
> On Tue, Oct 12, 2021 at 4:38 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>>
>> On Tue, Oct 12, 2021 at 8:12 PM Paul Moore <paul@paul-moore.com> wrote:
>>> On Tue, Oct 12, 2021 at 6:38 AM Christian Brauner
>>> <christian.brauner@ubuntu.com> wrote:
>>>> On Mon, Oct 11, 2021 at 04:38:55PM +0200, Mickaël Salaün wrote:
>>>>> On 11/10/2021 15:37, Christian Brauner wrote:
>>>>>> From: Christian Brauner <christian.brauner@ubuntu.com>
>>>>>>
>>>>>> Make the name of the anon inode fd "[landlock-ruleset]" instead of
>>>>>> "landlock-ruleset". This is minor but most anon inode fds already
>>>>>> carry square brackets around their name:
>>>>>>
>>>>>> [eventfd]
>>>>>> [eventpoll]
>>>>>> [fanotify]
>>>>>> [fscontext]
>>>>>> [io_uring]
>>>>>> [pidfd]
>>>>>> [signalfd]
>>>>>> [timerfd]
>>>>>> [userfaultfd]
>>>>>>
>>>>>> For the sake of consistency lets do the same for the landlock-ruleset anon
>>>>>> inode fd that comes with landlock. We did the same in
>>>>>> 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
>>>>>> for the new mount api.
>>>>>
>>>>> Before creating "landlock-ruleset" FD, I looked at other anonymous FD
>>>>> and saw this kind of inconsistency. I don't get why we need to add extra
>>>>> characters to names, those brackets seem useless. If it should be part
>>>>
>>>> Past inconsistency shouldn't justify future inconsistency. If you have a
>>>> strong opinion about this for landlock I'm not going to push for it.
>>>> Exchanging more than 2-3 email about something like this seems too much.
>>>
>>> [NOTE: adding the SELinux list as well as Chris (SELinux refrence
>>> policy maintainer) and Petr (Fedora/RHEL SELinux)]
>>>
>>> Chris and Petr, do either of you currently have any policy that
>>> references the "landlock-ruleset" anonymous inode? In other words,
>>> would adding the brackets around the name cause you any problems?
>>
>> AFAIU, the anon_inode transitions (the only mechanism where the "file
>> name" would be exposed to the policy) are done only for inodes created
>> by anon_inode_getfd_secure(), which is currently only used by
>> userfaultfd. So you don't even need to ask that question; at this
>> point it should be safe to change any of the names except
>> "[userfaultfd]" as far as SELinux policy is concerned.
>
> There is also io_uring if you look at selinux/next.
>
> Regardless, thanks, I didn't check to see if landlock was using the
> new anon inode interface, since both Mickaël and Christian were
> concerned about breaking SELinux I had assumed they were using it :)
>
Ok, thanks Paul and Ondrej.
Such anonymous inode names seem to be only exposed to proc for now.
Let's change this name then. I think it make sense to backport this
patch down to 5.13 to fix all the inconsistencies.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
2021-10-13 15:47 ` Mickaël Salaün
@ 2021-10-15 9:10 ` Christian Brauner
2021-10-15 11:47 ` Mickaël Salaün
0 siblings, 1 reply; 9+ messages in thread
From: Christian Brauner @ 2021-10-15 9:10 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Paul Moore, Ondrej Mosnacek, Christian Brauner, Chris PeBenito,
Petr Lautrbach, Linux Security Module list, SElinux list
On Wed, Oct 13, 2021 at 05:47:53PM +0200, Mickaël Salaün wrote:
>
> On 12/10/2021 23:09, Paul Moore wrote:
> > On Tue, Oct 12, 2021 at 4:38 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >>
> >> On Tue, Oct 12, 2021 at 8:12 PM Paul Moore <paul@paul-moore.com> wrote:
> >>> On Tue, Oct 12, 2021 at 6:38 AM Christian Brauner
> >>> <christian.brauner@ubuntu.com> wrote:
> >>>> On Mon, Oct 11, 2021 at 04:38:55PM +0200, Mickaël Salaün wrote:
> >>>>> On 11/10/2021 15:37, Christian Brauner wrote:
> >>>>>> From: Christian Brauner <christian.brauner@ubuntu.com>
> >>>>>>
> >>>>>> Make the name of the anon inode fd "[landlock-ruleset]" instead of
> >>>>>> "landlock-ruleset". This is minor but most anon inode fds already
> >>>>>> carry square brackets around their name:
> >>>>>>
> >>>>>> [eventfd]
> >>>>>> [eventpoll]
> >>>>>> [fanotify]
> >>>>>> [fscontext]
> >>>>>> [io_uring]
> >>>>>> [pidfd]
> >>>>>> [signalfd]
> >>>>>> [timerfd]
> >>>>>> [userfaultfd]
> >>>>>>
> >>>>>> For the sake of consistency lets do the same for the landlock-ruleset anon
> >>>>>> inode fd that comes with landlock. We did the same in
> >>>>>> 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
> >>>>>> for the new mount api.
> >>>>>
> >>>>> Before creating "landlock-ruleset" FD, I looked at other anonymous FD
> >>>>> and saw this kind of inconsistency. I don't get why we need to add extra
> >>>>> characters to names, those brackets seem useless. If it should be part
> >>>>
> >>>> Past inconsistency shouldn't justify future inconsistency. If you have a
> >>>> strong opinion about this for landlock I'm not going to push for it.
> >>>> Exchanging more than 2-3 email about something like this seems too much.
> >>>
> >>> [NOTE: adding the SELinux list as well as Chris (SELinux refrence
> >>> policy maintainer) and Petr (Fedora/RHEL SELinux)]
> >>>
> >>> Chris and Petr, do either of you currently have any policy that
> >>> references the "landlock-ruleset" anonymous inode? In other words,
> >>> would adding the brackets around the name cause you any problems?
> >>
> >> AFAIU, the anon_inode transitions (the only mechanism where the "file
> >> name" would be exposed to the policy) are done only for inodes created
> >> by anon_inode_getfd_secure(), which is currently only used by
> >> userfaultfd. So you don't even need to ask that question; at this
> >> point it should be safe to change any of the names except
> >> "[userfaultfd]" as far as SELinux policy is concerned.
> >
> > There is also io_uring if you look at selinux/next.
> >
> > Regardless, thanks, I didn't check to see if landlock was using the
> > new anon inode interface, since both Mickaël and Christian were
> > concerned about breaking SELinux I had assumed they were using it :)
> >
>
> Ok, thanks Paul and Ondrej.
>
> Such anonymous inode names seem to be only exposed to proc for now.
> Let's change this name then. I think it make sense to backport this
> patch down to 5.13 to fix all the inconsistencies.
Thank you. I do appreciate the point about this being annoying that we
have this inconsistency and it has bothered me too.
Christian
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
2021-10-15 9:10 ` Christian Brauner
@ 2021-10-15 11:47 ` Mickaël Salaün
0 siblings, 0 replies; 9+ messages in thread
From: Mickaël Salaün @ 2021-10-15 11:47 UTC (permalink / raw)
To: Linux API, stable
Cc: Paul Moore, Ondrej Mosnacek, Christian Brauner, Chris PeBenito,
Petr Lautrbach, Linux Security Module list, SElinux list,
Christian Brauner
CCing linux-api and stable to give them a chance to confirm that
changing proc symlink content is OK.
On 15/10/2021 11:10, Christian Brauner wrote:
> On Wed, Oct 13, 2021 at 05:47:53PM +0200, Mickaël Salaün wrote:
>>
>> On 12/10/2021 23:09, Paul Moore wrote:
>>> On Tue, Oct 12, 2021 at 4:38 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>>>>
>>>> On Tue, Oct 12, 2021 at 8:12 PM Paul Moore <paul@paul-moore.com> wrote:
>>>>> On Tue, Oct 12, 2021 at 6:38 AM Christian Brauner
>>>>> <christian.brauner@ubuntu.com> wrote:
>>>>>> On Mon, Oct 11, 2021 at 04:38:55PM +0200, Mickaël Salaün wrote:
>>>>>>> On 11/10/2021 15:37, Christian Brauner wrote:
>>>>>>>> From: Christian Brauner <christian.brauner@ubuntu.com>
>>>>>>>>
>>>>>>>> Make the name of the anon inode fd "[landlock-ruleset]" instead of
>>>>>>>> "landlock-ruleset". This is minor but most anon inode fds already
>>>>>>>> carry square brackets around their name:
>>>>>>>>
>>>>>>>> [eventfd]
>>>>>>>> [eventpoll]
>>>>>>>> [fanotify]
>>>>>>>> [fscontext]
>>>>>>>> [io_uring]
>>>>>>>> [pidfd]
>>>>>>>> [signalfd]
>>>>>>>> [timerfd]
>>>>>>>> [userfaultfd]
>>>>>>>>
>>>>>>>> For the sake of consistency lets do the same for the landlock-ruleset anon
>>>>>>>> inode fd that comes with landlock. We did the same in
>>>>>>>> 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
>>>>>>>> for the new mount api.
>>>>>>>
>>>>>>> Before creating "landlock-ruleset" FD, I looked at other anonymous FD
>>>>>>> and saw this kind of inconsistency. I don't get why we need to add extra
>>>>>>> characters to names, those brackets seem useless. If it should be part
>>>>>>
>>>>>> Past inconsistency shouldn't justify future inconsistency. If you have a
>>>>>> strong opinion about this for landlock I'm not going to push for it.
>>>>>> Exchanging more than 2-3 email about something like this seems too much.
>>>>>
>>>>> [NOTE: adding the SELinux list as well as Chris (SELinux refrence
>>>>> policy maintainer) and Petr (Fedora/RHEL SELinux)]
>>>>>
>>>>> Chris and Petr, do either of you currently have any policy that
>>>>> references the "landlock-ruleset" anonymous inode? In other words,
>>>>> would adding the brackets around the name cause you any problems?
>>>>
>>>> AFAIU, the anon_inode transitions (the only mechanism where the "file
>>>> name" would be exposed to the policy) are done only for inodes created
>>>> by anon_inode_getfd_secure(), which is currently only used by
>>>> userfaultfd. So you don't even need to ask that question; at this
>>>> point it should be safe to change any of the names except
>>>> "[userfaultfd]" as far as SELinux policy is concerned.
>>>
>>> There is also io_uring if you look at selinux/next.
>>>
>>> Regardless, thanks, I didn't check to see if landlock was using the
>>> new anon inode interface, since both Mickaël and Christian were
>>> concerned about breaking SELinux I had assumed they were using it :)
>>>
>>
>> Ok, thanks Paul and Ondrej.
>>
>> Such anonymous inode names seem to be only exposed to proc for now.
>> Let's change this name then. I think it make sense to backport this
>> patch down to 5.13 to fix all the inconsistencies.
>
> Thank you. I do appreciate the point about this being annoying that we
> have this inconsistency and it has bothered me too.
>
> Christian
>
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-10-15 11:55 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-11 13:37 [PATCH] security/landlock: use square brackets around "landlock-ruleset" Christian Brauner
2021-10-11 14:38 ` Mickaël Salaün
2021-10-12 10:38 ` Christian Brauner
2021-10-12 18:11 ` Paul Moore
2021-10-12 20:38 ` Ondrej Mosnacek
2021-10-12 21:09 ` Paul Moore
2021-10-13 15:47 ` Mickaël Salaün
2021-10-15 9:10 ` Christian Brauner
2021-10-15 11:47 ` Mickaël Salaün
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.