Re: [RFC PATCH v8 1/3] fs: Introduce AT_INTERPRETED flag for faccessat2(2)

From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	"Aleksa Sarai" <cyphar@cyphar.com>,
	"Alexei Starovoitov" <ast@kernel.org>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Christian Brauner" <christian.brauner@ubuntu.com>,
	"Christian Heimes" <christian@python.org>,
	"Daniel Borkmann" <daniel@iogearbox.net>,
	"Deven Bowers" <deven.desai@linux.microsoft.com>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"Eric Biggers" <ebiggers@kernel.org>,
	"Eric Chiang" <ericchiang@google.com>,
	"Florian Weimer" <fweimer@redhat.com>,
	"James Morris" <jmorris@namei.org>, "Jan Kara" <jack@suse.cz>,
	"Jann Horn" <jannh@google.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Kees Cook" <keescook@chromium.org>,
	"Lakshmi Ramasubramanian" <nramas@linux.microsoft.com>,
	"Matthew Garrett" <mjg59@google.com>,
	"Matthew Wilcox" <willy@infradead.org>,
	"Michael Kerrisk" <mtk.manpages@gmail.com>,
	"Miklos Szeredi" <mszeredi@redhat.com>,
	"Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>,
	"Scott Shell" <scottsh@microsoft.com>,
	"Sean Christopherson" <sean.j.christopherson@intel.com>,
	"Shuah Khan" <shuah@kernel.org>,
	"Steve Dower" <steve.dower@python.org>,
	"Steve Grubb" <sgrubb@redhat.com>,
	"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
	"Thibaut Sautereau" <thibaut.sautereau@clip-os.org>,
	"Vincent Strubel" <vincent.strubel@ssi.gouv.fr>,
	kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	"LSM List" <linux-security-module@vger.kernel.org>,
	"Linux FS Devel" <linux-fsdevel@vger.kernel.org>,
	"Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>,
	"Mickaël Salaün" <mic@linux.microsoft.com>,
	"John Johansen" <john.johansen@canonical.com>
Subject: Re: [RFC PATCH v8 1/3] fs: Introduce AT_INTERPRETED flag for faccessat2(2)
Date: Tue, 8 Sep 2020 09:42:30 -0400	[thread overview]
Message-ID: <CAEjxPJ5evWDSv-T-p=4OX29Pr584ZRAsnYoxSRd4qFDoryB+fQ@mail.gmail.com> (raw)
In-Reply-To: <bdc10ab89cf9197e104f02a751009cf0d549ddf5.camel@linux.ibm.com>

On Tue, Sep 8, 2020 at 9:29 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Tue, 2020-09-08 at 08:52 -0400, Stephen Smalley wrote:
> > On Tue, Sep 8, 2020 at 8:50 AM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > >
> > > On Tue, Sep 8, 2020 at 8:43 AM Mickaël Salaün <mic@digikod.net> wrote:
> > > >
> > > >
> > > > On 08/09/2020 14:28, Mimi Zohar wrote:
> > > > > Hi Mickael,
> > > > >
> > > > > On Tue, 2020-09-08 at 09:59 +0200, Mickaël Salaün wrote:
> > > > >> +                    mode |= MAY_INTERPRETED_EXEC;
> > > > >> +                    /*
> > > > >> +                     * For compatibility reasons, if the system-wide policy
> > > > >> +                     * doesn't enforce file permission checks, then
> > > > >> +                     * replaces the execute permission request with a read
> > > > >> +                     * permission request.
> > > > >> +                     */
> > > > >> +                    mode &= ~MAY_EXEC;
> > > > >> +                    /* To be executed *by* user space, files must be readable. */
> > > > >> +                    mode |= MAY_READ;
> > > > >
> > > > > After this change, I'm wondering if it makes sense to add a call to
> > > > > security_file_permission().  IMA doesn't currently define it, but
> > > > > could.
> > > >
> > > > Yes, that's the idea. We could replace the following inode_permission()
> > > > with file_permission(). I'm not sure how this will impact other LSMs though.
>
> I wasn't suggesting replacing the existing security_inode_permission
> hook later, but adding a new security_file_permission hook here.
>
> > >
> > > They are not equivalent at least as far as SELinux is concerned.
> > > security_file_permission() was only to be used to revalidate
> > > read/write permissions previously checked at file open to support
> > > policy changes and file or process label changes.  We'd have to modify
> > > the SELinux hook if we wanted to have it check execute access even if
> > > nothing has changed since open time.
> >
> > Also Smack doesn't appear to implement file_permission at all, so it
> > would skip Smack checking.
>
> My question is whether adding a new security_file_permission call here
> would break either SELinux or Apparmor?

selinux_inode_permission() has special handling for MAY_ACCESS so we'd
need to duplicate that into selinux_file_permission() ->
selinux_revalidate_file_permission().  Also likely need to adjust
selinux_file_permission() to explicitly check whether the mask
includes any permissions not checked at open time.  So some changes
would be needed here.  By default, it would be a no-op unless there
was a policy reload or the file was relabeled between the open(2) and
the faccessat(2) call.