From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S964815AbcLVJAM (ORCPT <rfc822;w@1wt.eu>);
        Thu, 22 Dec 2016 04:00:12 -0500
Received: from smtp-sh2.infomaniak.ch ([128.65.195.6]:57276 "EHLO
        smtp-sh2.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1762158AbcLVJAK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 22 Dec 2016 04:00:10 -0500
Subject: Re: [PATCH v1] security: Add a new hook: inode_touch_atime
To: Al Viro <viro@ZenIV.linux.org.uk>
References: <20161221231506.19800-1-mic@digikod.net>
 <f47921a9-bd93-34e4-bbc5-c9129d0c4426@schaufler-ca.com>
 <585B17E3.5040809@digikod.net> <20161222005725.GE1555@ZenIV.linux.org.uk>
Cc: Casey Schaufler <casey@schaufler-ca.com>, linux-kernel@vger.kernel.org,
        Andreas Gruenbacher <agruenba@redhat.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
        Eric Paris <eparis@parisplace.org>,
        James Morris <james.l.morris@oracle.com>,
        John Johansen <john.johansen@canonical.com>,
        Kees Cook <keescook@chromium.org>,
        Kentaro Takeda <takedakn@nttdata.co.jp>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Paul Moore <paul@paul-moore.com>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
        Vivek Goyal <vgoyal@redhat.com>, linux-fsdevel@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        Christoph Hellwig <hch@infradead.org>
From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@digikod.net>
Message-ID: <585B95C2.5050801@digikod.net>
Date: Thu, 22 Dec 2016 09:58:42 +0100
User-Agent: 
MIME-Version: 1.0
In-Reply-To: <20161222005725.GE1555@ZenIV.linux.org.uk>
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="P7KfNq6QRuX5jvqNwKHK83VqH6IodoNeo"
X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8
X-Antivirus-Code: 0x100000
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--P7KfNq6QRuX5jvqNwKHK83VqH6IodoNeo
Content-Type: multipart/mixed; boundary="6wXAaLjRH5kQjEML6NgjvQeJ4AWxdFf4X";
 protected-headers="v1"
From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@digikod.net>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Casey Schaufler <casey@schaufler-ca.com>, linux-kernel@vger.kernel.org,
 Andreas Gruenbacher <agruenba@redhat.com>,
 Andy Lutomirski <luto@amacapital.net>,
 Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
 Eric Paris <eparis@parisplace.org>, James Morris
 <james.l.morris@oracle.com>, John Johansen <john.johansen@canonical.com>,
 Kees Cook <keescook@chromium.org>, Kentaro Takeda <takedakn@nttdata.co.jp>,
 Mimi Zohar <zohar@linux.vnet.ibm.com>, Paul Moore <paul@paul-moore.com>,
 "Serge E . Hallyn" <serge@hallyn.com>, Stephen Smalley <sds@tycho.nsa.gov>,
 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
 Vivek Goyal <vgoyal@redhat.com>, linux-fsdevel@vger.kernel.org,
 linux-security-module@vger.kernel.org, Christoph Hellwig <hch@infradead.org>
Message-ID: <585B95C2.5050801@digikod.net>
Subject: Re: [PATCH v1] security: Add a new hook: inode_touch_atime
References: <20161221231506.19800-1-mic@digikod.net>
 <f47921a9-bd93-34e4-bbc5-c9129d0c4426@schaufler-ca.com>
 <585B17E3.5040809@digikod.net> <20161222005725.GE1555@ZenIV.linux.org.uk>
In-Reply-To: <20161222005725.GE1555@ZenIV.linux.org.uk>

--6wXAaLjRH5kQjEML6NgjvQeJ4AWxdFf4X
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable


On 22/12/2016 01:57, Al Viro wrote:
> On Thu, Dec 22, 2016 at 01:01:39AM +0100, Micka=EBl Sala=FCn wrote:
>=20
>> SELinux should be interested. This is useful to create sandboxes so
>> other LSM may be interested too
>>
>> I'm working on a new LSM and I would like this kind of hook to create =
a
>> real read-only environment.
>=20
> What the...?  Have you noticed
>         if (!sb_start_write_trylock(inode->i_sb))
>                 return;
>=20
>         if (__mnt_want_write(mnt) !=3D 0)
>                 goto skip_update;
> in touch_atime()?  Just mount them read-only in your sandbox (on either=

> level - both per-mountpoint and per-fs r/o will do) and be done
> with that; why bother with LSM when regular tools would suffice?
>=20

Of course a read-only mount point can do the trick (except for anonymous
inodes). However, a security policy (e.g. for SELinux) should not (and
can't always) rely on mount options. For example, a security policy can
come from a distro but they may not want to tie mount options with this
policy. We may also not want a sandbox to being able to change mount
options (even with user namespaces).

Being able to write (meta-)data, whereas a security policy said that
it's not allowed, seems like a flaw in this policy. Moreover, modifying
access time is an easy way to create cover-channels without any LSM
being able to notice it.


--6wXAaLjRH5kQjEML6NgjvQeJ4AWxdFf4X--

--P7KfNq6QRuX5jvqNwKHK83VqH6IodoNeo
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEUysCyY8er9Axt7hqIt7+33O9apUFAlhblcIACgkQIt7+33O9
apXaiQf/enkHTPa3XCdhK+sOAcYSupTli7ZDWyGOngYXiH5ZIQGolrGu0IoEauXo
gSgIlnHRS3414Lr4SsXA6rXYr/lsP5RR4QfGSgJfL3jcRxVPyQs4VJfpXKOkB+zg
pvArNmzw7zDvlSReYpu9ZGZqk/zaNAy/OOHSRVLZccryka0TwcgDCDknKJKl/Hf8
S0T8KTuSUX7fh6ZR0rgkJaSHaMruduLKNZiqr8fghJEiyCuYhVCCHb9tdgAJx7cu
FQ3KM73MLTyhqb5HoN4j0hYtEmpNLxEr80AJ81myLkcTCfXKAKIJX/4Qi/k797Ck
fyp+EapArIbZYi06qtkljO5JDsedMA==
=+bko
-----END PGP SIGNATURE-----

--P7KfNq6QRuX5jvqNwKHK83VqH6IodoNeo--