* [PATCH] selinux-notebook: describe nosuid and NNP transitions
@ 2021-06-12  8:14 Topi Miettinen
  2021-06-18  3:50 ` Paul Moore
  0 siblings, 1 reply; 7+ messages in thread
From: Topi Miettinen @ 2021-06-12  8:14 UTC (permalink / raw)
  To: selinux; +Cc: Topi Miettinen

Describe cases where nosuid_transition or nnp_transition are needed.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 src/computing_security_contexts.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
index bb946b5..7bd1d87 100644
--- a/src/computing_security_contexts.md
+++ b/src/computing_security_contexts.md
@@ -84,7 +84,14 @@ Processes inherit their security context as follows:
    *default_type* (policy version 28) or if a security-aware process,
    by calling ***setexeccon**(3)* if permitted by policy prior to
    invoking exec.
-3. At any time, a security-aware process may invoke ***setcon**(3)* to
+3. If the file system is mounted with *nosuid* flag, type transitions
+   require permission *nosuid_transition*. If the thread has
+   *no_new_privs* attribute set, the transition requires
+   *nnp_transition*. For both transitions, policy capability
+   *nnp_nosuid_transition* is also required. See also
+   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
+   section.
+4. At any time, a security-aware process may invoke ***setcon**(3)* to
    switch its security context (if permitted by policy) although this
    practice is generally discouraged - exec-based transitions are
    preferred.
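Review bot: "For both transitions, policy capability *nnp_nosuid_transition* is also required" (new item 3) reads as if the capability were a third prerequisite on top of the two permissions, whereas, as the later replies in this thread point out, the capability is what enables the *nosuid_transition* / *nnp_transition* permission checks at all, and with it disabled only bounded domain transitions remain possible. Suggest leading with the capability, along the lines of "If the loaded SELinux policy has the nnp_nosuid_transition policy capability enabled, two additional permissions may be required for a domain transition: nosuid_transition for nosuid-mounted filesystems and nnp_transition for threads with no_new_privs set. If the capability is disabled, such transitions are denied, but bounded domain transitions are still allowed." Two smaller points: the item says "type transitions" in one sentence and "the transition" in the next, so pick "domain transitions" for both; and since this is a condition on the exec-based transition of item 2 rather than a further way a process inherits its context, it may fit better as a note under item 2 than as a new numbered step that pushes setcon(3) to item 4.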
-- 
2.30.2



* Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions
  2021-06-12  8:14 [PATCH] selinux-notebook: describe nosuid and NNP transitions Topi Miettinen
@ 2021-06-18  3:50 ` Paul Moore
  2021-06-18 18:09   ` Topi Miettinen
  0 siblings, 1 reply; 7+ messages in thread
From: Paul Moore @ 2021-06-18  3:50 UTC (permalink / raw)
  To: Topi Miettinen; +Cc: selinux

On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> Describe cases where nosuid_transition or nnp_transition are needed.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> ---
>  src/computing_security_contexts.md | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
> index bb946b5..7bd1d87 100644
> --- a/src/computing_security_contexts.md
> +++ b/src/computing_security_contexts.md
> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
>     *default_type* (policy version 28) or if a security-aware process,
>     by calling ***setexeccon**(3)* if permitted by policy prior to
>     invoking exec.
> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
> +3. If the file system is mounted with *nosuid* flag, type transitions
> +   require permission *nosuid_transition*. If the thread has
> +   *no_new_privs* attribute set, the transition requires
> +   *nnp_transition*. For both transitions, policy capability
> +   *nnp_nosuid_transition* is also required. See also
> +   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
> +   section.

Thanks for adding this text, however I might suggest the following changes:

"If the loaded SELinux policy has the nnp_nosuid_transition policy
capability enabled there are potentially two additional permissions
that are required to permit a domain transition: nosuid_transition for
nosuid mounted filesystems, and nnp_transition for threads with
the no_new_privs flag."

... does that make sense?

> +4. At any time, a security-aware process may invoke ***setcon**(3)* to
>     switch its security context (if permitted by policy) although this
>     practice is generally discouraged - exec-based transitions are
>     preferred.
> --
> 2.30.2

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions
  2021-06-18  3:50 ` Paul Moore
@ 2021-06-18 18:09   ` Topi Miettinen
  2021-06-18 19:32     ` Paul Moore
  0 siblings, 1 reply; 7+ messages in thread
From: Topi Miettinen @ 2021-06-18 18:09 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On 18.6.2021 6.50, Paul Moore wrote:
> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>>
>> Describe cases where nosuid_transition or nnp_transition are needed.
>>
>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>> ---
>>   src/computing_security_contexts.md | 9 ++++++++-
>>   1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
>> index bb946b5..7bd1d87 100644
>> --- a/src/computing_security_contexts.md
>> +++ b/src/computing_security_contexts.md
>> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
>>      *default_type* (policy version 28) or if a security-aware process,
>>      by calling ***setexeccon**(3)* if permitted by policy prior to
>>      invoking exec.
>> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
>> +3. If the file system is mounted with *nosuid* flag, type transitions
>> +   require permission *nosuid_transition*. If the thread has
>> +   *no_new_privs* attribute set, the transition requires
>> +   *nnp_transition*. For both transitions, policy capability
>> +   *nnp_nosuid_transition* is also required. See also
>> +   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
>> +   section.
> 
> Thanks for adding this text, however I might suggest the following changes:
> 
> "If the loaded SELinux policy has the nnp_nosuid_transition policy
> capability enabled there are potentially two additional permissions
> that are required to permit a domain transition: nosuid_transition for
> nosuid mounted filesystems, and nnp_transition for threads with
> the no_new_privs flag."
> 
> ... does that make sense?

Yes. I'd then add:

"If nnp_nosuid_transition policy capability is disabled, such domain 
transitions are denied."

-Topi

>> +4. At any time, a security-aware process may invoke ***setcon**(3)* to
>>      switch its security context (if permitted by policy) although this
>>      practice is generally discouraged - exec-based transitions are
>>      preferred.
>> --
>> 2.30.2
> 



* Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions
  2021-06-18 18:09   ` Topi Miettinen
@ 2021-06-18 19:32     ` Paul Moore
  2021-06-18 20:37       ` Topi Miettinen
  0 siblings, 1 reply; 7+ messages in thread
From: Paul Moore @ 2021-06-18 19:32 UTC (permalink / raw)
  To: Topi Miettinen; +Cc: selinux

On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> wrote:
> On 18.6.2021 6.50, Paul Moore wrote:
> > On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> >>
> >> Describe cases where nosuid_transition or nnp_transition are needed.
> >>
> >> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> >> ---
> >>   src/computing_security_contexts.md | 9 ++++++++-
> >>   1 file changed, 8 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
> >> index bb946b5..7bd1d87 100644
> >> --- a/src/computing_security_contexts.md
> >> +++ b/src/computing_security_contexts.md
> >> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
> >>      *default_type* (policy version 28) or if a security-aware process,
> >>      by calling ***setexeccon**(3)* if permitted by policy prior to
> >>      invoking exec.
> >> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
> >> +3. If the file system is mounted with *nosuid* flag, type transitions
> >> +   require permission *nosuid_transition*. If the thread has
> >> +   *no_new_privs* attribute set, the transition requires
> >> +   *nnp_transition*. For both transitions, policy capability
> >> +   *nnp_nosuid_transition* is also required. See also
> >> +   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
> >> +   section.
> >
> > Thanks for adding this text, however I might suggest the following changes:
> >
> > "If the loaded SELinux policy has the nnp_nosuid_transition policy
> > capability enabled there are potentially two additional permissions
> > that are required to permit a domain transition: nosuid_transition for
> >> nosuid mounted filesystems, and nnp_transition for threads with
> > the no_new_privs flag."
> >
> > ... does that make sense?
>
> Yes. I'd then add:
>
> "If nnp_nosuid_transition policy capability is disabled, such domain
> transitions are denied."

In most cases, yes that is correct, but bounded domain transitions are
still allowed in the case where the nnp_nosuid_transition policy
capability is not enabled.

Did you want to respin the patch with the above changes?

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions
  2021-06-18 19:32     ` Paul Moore
@ 2021-06-18 20:37       ` Topi Miettinen
  2021-06-19  7:43         ` Topi Miettinen
  2021-06-21 14:09         ` Paul Moore
  0 siblings, 2 replies; 7+ messages in thread
From: Topi Miettinen @ 2021-06-18 20:37 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On 18.6.2021 22.32, Paul Moore wrote:
> On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> wrote:
>> On 18.6.2021 6.50, Paul Moore wrote:
>>> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>>>>
>>>> Describe cases where nosuid_transition or nnp_transition are needed.
>>>>
>>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>>>> ---
>>>>    src/computing_security_contexts.md | 9 ++++++++-
>>>>    1 file changed, 8 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
>>>> index bb946b5..7bd1d87 100644
>>>> --- a/src/computing_security_contexts.md
>>>> +++ b/src/computing_security_contexts.md
>>>> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
>>>>       *default_type* (policy version 28) or if a security-aware process,
>>>>       by calling ***setexeccon**(3)* if permitted by policy prior to
>>>>       invoking exec.
>>>> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
>>>> +3. If the file system is mounted with *nosuid* flag, type transitions
>>>> +   require permission *nosuid_transition*. If the thread has
>>>> +   *no_new_privs* attribute set, the transition requires
>>>> +   *nnp_transition*. For both transitions, policy capability
>>>> +   *nnp_nosuid_transition* is also required. See also
>>>> +   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
>>>> +   section.
>>>
>>> Thanks for adding this text, however I might suggest the following changes:
>>>
>>> "If the loaded SELinux policy has the nnp_nosuid_transition policy
>>> capability enabled there are potentially two additional permissions
>>> that are required to permit a domain transition: nosuid_transition for
>>> nosuid mounted filesystems, and nnp_transition for threads with
>>> the no_new_privs flag."
>>>
>>> ... does that make sense?
>>
>> Yes. I'd then add:
>>
>> "If nnp_nosuid_transition policy capability is disabled, such domain
>> transitions are denied."
> 
> In most cases, yes that is correct, but bounded domain transitions are
> still allowed in the case where the nnp_nosuid_transition policy
> capability is not enabled.

I see. May I propose then:

"If nnp_nosuid_transition policy capability is disabled, such domain
transitions are denied but bounded domain transitions are still allowed. 
In bounded transitions, target domain is only allowed a subset of the 
permissions of the source domain."

-Topi


* Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions
  2021-06-18 20:37       ` Topi Miettinen
@ 2021-06-19  7:43         ` Topi Miettinen
  2021-06-21 14:09         ` Paul Moore
  1 sibling, 0 replies; 7+ messages in thread
From: Topi Miettinen @ 2021-06-19  7:43 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On 18.6.2021 23.37, Topi Miettinen wrote:
> On 18.6.2021 22.32, Paul Moore wrote:
>> On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> wrote:
>>> On 18.6.2021 6.50, Paul Moore wrote:
>>>> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>>>>>
>>>>> Describe cases where nosuid_transition or nnp_transition are needed.
>>>>>
>>>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>>>>> ---
>>>>>    src/computing_security_contexts.md | 9 ++++++++-
>>>>>    1 file changed, 8 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/src/computing_security_contexts.md 
>>>>> b/src/computing_security_contexts.md
>>>>> index bb946b5..7bd1d87 100644
>>>>> --- a/src/computing_security_contexts.md
>>>>> +++ b/src/computing_security_contexts.md
>>>>> @@ -84,7 +84,14 @@ Processes inherit their security context as 
>>>>> follows:
>>>>>       *default_type* (policy version 28) or if a security-aware 
>>>>> process,
>>>>>       by calling ***setexeccon**(3)* if permitted by policy prior to
>>>>>       invoking exec.
>>>>> -3. At any time, a security-aware process may invoke 
>>>>> ***setcon**(3)* to
>>>>> +3. If the file system is mounted with *nosuid* flag, type transitions
>>>>> +   require permission *nosuid_transition*. If the thread has
>>>>> +   *no_new_privs* attribute set, the transition requires
>>>>> +   *nnp_transition*. For both transitions, policy capability
>>>>> +   *nnp_nosuid_transition* is also required. See also
>>>>> +   [**Linux Security Module and 
>>>>> SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
>>>>> +   section.
>>>>
>>>> Thanks for adding this text, however I might suggest the following changes:
>>>>
>>>> "If the loaded SELinux policy has the nnp_nosuid_transition policy
>>>> capability enabled there are potentially two additional permissions
>>>> that are required to permit a domain transition: nosuid_transition for
>>>> nosuid mounted filesystems, and nnp_transition for threads with
>>>> the no_new_privs flag."
>>>>
>>>> ... does that make sense?
>>>
>>> Yes. I'd then add:
>>>
>>> "If nnp_nosuid_transition policy capability is disabled, such domain
>>> transitions are denied."
>>
>> In most cases, yes that is correct, but bounded domain transitions are
>> still allowed in the case where the nnp_nosuid_transition policy
>> capability is not enabled.
> 
> I see. May I propose then:
> 
> "If nnp_nosuid_transition policy capability is disabled, such domain
> transitions are denied but bounded domain transitions are still allowed. 
> In bounded transitions, target domain is only allowed a subset of the 
> permissions of the source domain."

By the way, the background for this patch (and others for mount(2), 
mount(8) and selinux(8)) was that I recently proposed new heuristics for 
systemd where in case no_new_privileges would be implied (for example, 
due to use of seccomp), all file systems would be mounted `nosuid` since 
setuid/setgid wouldn't be allowed anyway. The heuristics patch was 
applied but later reverted because of problems it may cause for SELinux. 
I didn't know then how SELinux uses the flag to also control domain 
transitions. Also the case seems to be underdocumented, which I'm trying 
to improve with the patches.

Regarding the heuristics, perhaps instead of tying MAC behavior (also FS 
capabilities) to a DAC concept of setuid/setgid with MS_NOSUID, there 
should be new mount flags which would allow more precise handling of all 
combinations of SUID, SELinux domain transitions and FS capabilities. 
For example 
"nosuid,security=selinux=domain_transitions_allowed:capability=fs_caps_allowed". 
Then systemd could safely mount all file systems "nosuid" (when NNP is 
already going to be enforced) while keeping behavior of SELinux domain 
transitions and FS capabilities unchanged.

-Topi


* Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions
  2021-06-18 20:37       ` Topi Miettinen
  2021-06-19  7:43         ` Topi Miettinen
@ 2021-06-21 14:09         ` Paul Moore
  1 sibling, 0 replies; 7+ messages in thread
From: Paul Moore @ 2021-06-21 14:09 UTC (permalink / raw)
  To: Topi Miettinen; +Cc: selinux

On Fri, Jun 18, 2021 at 4:37 PM Topi Miettinen <toiwoton@gmail.com> wrote:
> On 18.6.2021 22.32, Paul Moore wrote:
> > On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> wrote:
> >> On 18.6.2021 6.50, Paul Moore wrote:
> >>> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> >>>>
> >>>> Describe cases where nosuid_transition or nnp_transition are needed.
> >>>>
> >>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> >>>> ---
> >>>>    src/computing_security_contexts.md | 9 ++++++++-
> >>>>    1 file changed, 8 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
> >>>> index bb946b5..7bd1d87 100644
> >>>> --- a/src/computing_security_contexts.md
> >>>> +++ b/src/computing_security_contexts.md
> >>>> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
> >>>>       *default_type* (policy version 28) or if a security-aware process,
> >>>>       by calling ***setexeccon**(3)* if permitted by policy prior to
> >>>>       invoking exec.
> >>>> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
> >>>> +3. If the file system is mounted with *nosuid* flag, type transitions
> >>>> +   require permission *nosuid_transition*. If the thread has
> >>>> +   *no_new_privs* attribute set, the transition requires
> >>>> +   *nnp_transition*. For both transitions, policy capability
> >>>> +   *nnp_nosuid_transition* is also required. See also
> >>>> +   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
> >>>> +   section.
> >>>
> >>> Thanks for adding this text, however I might suggest the following changes:
> >>>
> >>> "If the loaded SELinux policy has the nnp_nosuid_transition policy
> >>> capability enabled there are potentially two additional permissions
> >>> that are required to permit a domain transition: nosuid_transition for
> >>> nosuid mounted filesystems, and nnp_transition for threads with
> >>> the no_new_privs flag."
> >>>
> >>> ... does that make sense?
> >>
> >> Yes. I'd then add:
> >>
> >> "If nnp_nosuid_transition policy capability is disabled, such domain
> >> transitions are denied."
> >
> > In most cases, yes that is correct, but bounded domain transitions are
> > still allowed in the case where the nnp_nosuid_transition policy
> > capability is not enabled.
>
> I see. May I propose then:
>
> "If nnp_nosuid_transition policy capability is disabled, such domain
> transitions are denied but bounded domain transitions are still allowed.
> In bounded transitions, target domain is only allowed a subset of the
> permissions of the source domain."

That sounds good to me.

-- 
paul moore
www.paul-moore.com

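The rule the thread settles on, written out as a small decision model. This is an added example, not code from the selinux-notebook or the kernel; the policy, domain names and allow rules in it are constructed. It goes one step beyond the thread in two places that the kernel's check is known to have: a bounded (typebounds) transition is accepted as a fallback even when the capability is enabled, and a denial is reported as EPERM under no_new_privs but EACCES for a plain nosuid mount.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Just enough of a loaded policy to evaluate one exec transition (constructed)."""
    nnp_nosuid_transition: bool                 # state of the policy capability
    process2: set = field(default_factory=set)  # allowed (src, tgt, perm) triples
    bounds: dict = field(default_factory=dict)  # typebounds: child type -> parent type

    def allows(self, src, tgt, perm):
        return (src, tgt, perm) in self.process2

    def bounded(self, src, tgt):
        """True if tgt is bounded by src, following the typebounds chain upwards."""
        parent = self.bounds.get(tgt)
        while parent is not None:
            if parent == src:
                return True
            parent = self.bounds.get(parent)
        return False


def check_nnp_nosuid(policy, src, tgt, nnp, nosuid):
    """Decide an exec from domain src into domain tgt.

    nnp: the calling thread has no_new_privs set.
    nosuid: the executable lives on a nosuid-mounted filesystem.
    Returns (allowed, errno_name_or_None, reason)."""
    if not nnp and not nosuid:
        return True, None, "neither NNP nor nosuid: no extra checks apply"
    if src == tgt:
        return True, None, "no domain change, nothing to permit"
    if policy.nnp_nosuid_transition:
        # Capability enabled: each condition present needs its own permission.
        needed = (["nnp_transition"] if nnp else []) + (["nosuid_transition"] if nosuid else [])
        missing = [p for p in needed if not policy.allows(src, tgt, p)]
        if not missing:
            return True, None, "allowed by permissions: " + ", ".join(needed)
        why = "missing " + ", ".join(missing)
    else:
        why = "nnp_nosuid_transition policy capability disabled"
    # Either way a bounded transition (tgt's permissions are a subset of src's) still passes.
    if policy.bounded(src, tgt):
        return True, None, "bounded domain transition"
    return False, ("EPERM" if nnp else "EACCES"), "denied: " + why


# Constructed sample policy: svc_t may enter worker_t under NNP but not from nosuid;
# sandbox_t is bounded by svc_t.
CAP_ON = Policy(True, {("svc_t", "worker_t", "nnp_transition")}, {"sandbox_t": "svc_t"})
CAP_OFF = Policy(False, {("svc_t", "worker_t", "nnp_transition"),
                         ("svc_t", "worker_t", "nosuid_transition")}, {"sandbox_t": "svc_t"})

if __name__ == "__main__":
    for pol, name in ((CAP_ON, "cap on"), (CAP_OFF, "cap off")):
        for nnp, nosuid in ((True, False), (True, True), (False, True)):
            print(name, nnp, nosuid, check_nnp_nosuid(pol, "svc_t", "worker_t", nnp, nosuid))
```

With the capability off, the second policy denies svc_t to worker_t despite granting both permissions, which is the case Topi's final wording covers.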
