All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Subject: Re: [RFC][PATCH] selinux: Introduce a policy capability and permission for NNP transitions
Date: Tue, 11 Jul 2017 17:00:41 -0400	[thread overview]
Message-ID: <CAHC9VhQ_uQid=iqetWk3mpehn82sts9NW6oeZzFk0Fq3Td7xFA@mail.gmail.com> (raw)
In-Reply-To: <20170710202553.20668-1-sds@tycho.nsa.gov>

On Mon, Jul 10, 2017 at 4:25 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> As systemd ramps up enabling NoNewPrivileges (either explicitly in
> service unit files or as a side effect of other security-related
> settings in service unit files), we're increasingly running afoul of
> its interactions with SELinux...

We already talked about this in the other thread so I'll refrain from
repeating myself.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3a06afb..f0c11c2 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2326,24 +2326,37 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
>                 return 0; /* No change in credentials */
>
>         /*
> -        * The only transitions we permit under NNP or nosuid
> -        * are transitions to bounded SIDs, i.e. SIDs that are
> -        * guaranteed to only be allowed a subset of the permissions
> -        * of the current SID.
> +        * If the policy enables the nnp_transition policy capability,
> +        * then we permit transitions under NNP or nosuid if the
> +        * policy explicitly allows nnp_transition permission between
> +        * the old and new contexts.
>          */
> -       rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
> -       if (rc) {
> +       if (selinux_policycap_nnptransition) {
> +               rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
> +                                 SECCLASS_PROCESS,
> +                                 PROCESS__NNP_TRANSITION, NULL);
> +               if (!rc)
> +                       return 0;

This is interesting, we had been talking about domain transitions
under NNP, but we never really discussed transitions under nosuid
mounts, and the motivation for this patch appears to be entirely
around NNP alone.

I think the policycap/permission approach is reasonable, but I wonder
if we should separate this into two permissions, e.g. process {
nnp_transition nosuid_transition }, especially since such a change in
the future would likely require another policycap?

-- 
paul moore
www.paul-moore.com

  parent reply	other threads:[~2017-07-11 21:00 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-10 20:25 [RFC][PATCH] selinux: Introduce a policy capability and permission for NNP transitions Stephen Smalley
2017-07-11 19:52 ` Stephen Smalley
2017-07-11 20:05   ` Dominick Grift
2017-07-11 20:10     ` Dominick Grift
2017-07-11 20:23       ` Stephen Smalley
2017-07-11 20:44         ` Dominick Grift
2017-07-12 13:01           ` Stephen Smalley
2017-07-12 13:30             ` Dominick Grift
2017-07-12 13:38               ` Dominick Grift
2017-07-12 13:42                 ` Dominick Grift
2017-07-12 13:52                   ` Stephen Smalley
2017-07-12 13:51                 ` Stephen Smalley
2017-07-11 21:00 ` Paul Moore [this message]
2017-07-12 13:26   ` Stephen Smalley
2017-07-12 21:38     ` Paul Moore
2017-07-13  0:27       ` Chris PeBenito
2017-07-13 12:44         ` Stephen Smalley
2017-07-13 13:25           ` Paul Moore
2017-07-13 15:48             ` Stephen Smalley
2017-07-13 15:59               ` Stephen Smalley
2017-07-13 16:55                 ` Dominick Grift
2017-07-13 18:13                   ` Stephen Smalley
2017-07-13 18:16                     ` Dominick Grift
2017-07-13 18:50                       ` Dominick Grift
2017-07-13 19:29                       ` Stephen Smalley
2017-07-13 19:28                         ` Dominick Grift
2017-07-13 19:43                           ` Dominick Grift
2017-07-13 19:59                             ` Stephen Smalley
2017-07-13 20:11                               ` Dominick Grift
2017-07-13 23:55                                 ` Chris PeBenito
2017-07-14  6:43                                   ` Dominick Grift
2017-07-13 20:15               ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHC9VhQ_uQid=iqetWk3mpehn82sts9NW6oeZzFk0Fq3Td7xFA@mail.gmail.com' \
    --to=paul@paul-moore.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.