From: "Christian Göttsche" <cgzones@googlemail.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Demi Marie Obenour <demiobenour@gmail.com>,
William Roberts <bill.c.roberts@gmail.com>,
Dominick Grift <dominick.grift@defensec.nl>,
Chris PeBenito <chpebeni@linux.microsoft.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
SElinux list <selinux@vger.kernel.org>,
Linux kernel mailing list <linux-kernel@vger.kernel.org>,
selinux-refpolicy@vger.kernel.org,
Jeffrey Vander Stoep <jeffv@google.com>
Subject: Re: [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX
Date: Thu, 17 Feb 2022 16:04:58 +0100 [thread overview]
Message-ID: <CAJ2a_Ddh8p0fzJHf7R=BwAULfS8jYq08x=H45mF9jaR1QbWTww@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhQKuQuR1pJfa0h2Y5dCjmrpiYaGpymwxxE1sa6jR3h-bA@mail.gmail.com>
On Tue, 15 Feb 2022 at 21:35, Paul Moore <paul@paul-moore.com> wrote:
>
> On Mon, Feb 14, 2022 at 2:11 AM Jeffrey Vander Stoep <jeffv@google.com> wrote:
> > On Tue, Feb 8, 2022 at 3:18 PM William Roberts <bill.c.roberts@gmail.com> wrote:
> > >
> > > <snip>
> > >
> > > This is getting too long for me.
> > >
> > > > >
> > > > > I don't have a strong opinion either way. If one were to allow this
> > > > > using a policy rule, it would result in a major policy breakage. The
> > > > > rule would turn on extended perm checks across the entire system,
> > > > > which the SELinux Reference Policy isn't written for. I can't speak
> > > > > to the Android policy, but I would imagine it would be the similar
> > > > > problem there too.
> > > >
> > > > Excuse me if I am wrong but AFAIK adding a xperm rule does not turn on
> > > > xperm checks across the entire system.
> > >
> > > It doesn't as you state below its target + class.
> > >
> > > >
> > > > If i am not mistaken it will turn on xperm checks only for the
> > > > operations that have the same source and target/target class.
> > >
> > > That's correct.
> > >
> > > >
> > > > This is also why i don't (with the exception TIOSCTI for termdev
> > > > chr_file) use xperms by default.
> > > >
> > > > 1. it is really easy to selectively filter ioctls by adding xperm rules
> > > > for end users (and since ioctls are often device/driver specific they
> > > > know best what is needed and what not)
> > >
> > > > >>> and FIONCLEX can be trivially bypassed unless fcntl(F_SETFD)
> > > >
> > > > 2. if you filter ioctls in upstream policy for example like i do with
> > > > TIOSCTI using for example (allowx foo bar (ioctl chr_file (not
> > > > (0xXXXX)))) then you cannot easily exclude additional ioctls later where source is
> > > > foo and target/tclass is bar/chr_file because there is already a rule in
> > > > place allowing the ioctl (and you cannot add rules)
> > >
> > > Currently, fcntl flag F_SETFD is never checked, it's silently allowed, but
> > > the equivalent FIONCLEX and FIOCLEX are checked. So if you wrote policy
> > > to block the FIO*CLEX flags, it would be bypassable through F_SETFD and
> > > FD_CLOEXEC. So the patch proposed makes the FIO flags behave like
> > > F_SETFD. Which means upstream policy users could drop this allow, which
> > > could then remove the target/class rule and allow all icotls. Which is easy
> > > to prevent and fix you could be a rule in to allowx 0 as documented in the
> > > wiki: https://selinuxproject.org/page/XpermRules
> > >
> > > The questions I think we have here are:
> > > 1. Do we agree that the behavior between SETFD and the FIO flags are equivalent?
> > > I think they are.
> > > 2. Do we want the interfaces to behave the same?
> > > I think they should.
> > > 3. Do upstream users of the policy construct care?
> > > The patch is backwards compat, but I don't want their to be cruft
> > > floating around with extra allowxperm rules.
> >
> > I think this proposed change is fine from Android's perspective. It
> > implements in the kernel what we've already already put in place in
> > our policy - that all domains are allowed to use these IOCLTs.
> > https://cs.android.com/android/platform/superproject/+/master:system/sepolicy/public/domain.te;l=312
> >
> > It'll be a few years before we can clean up our policy since we need
> > to support older kernels, but that's fine.
>
> Thanks for the discussion everyone, it sounds like everybody is okay
> with the change - that's good. However, as I said earlier in this
> thread I think we need to put this behind a policy capability, how
> does POLICYDB_CAPABILITY_IOCTL_CLOEXEC/"ioctl_skip_cloexec" sound to
> everyone?
May I ask why?
To my understanding policy capabilities exist to retain backwards
compatibility for older
policies, e.g. if a new check is introduced or a new essential class
or permission, which
would break systems running an updated kernel with a non updated policy.
In this case no check or class/permission is added, the xperm checks
against FIO(N)CLEX
are just dropped. Old policies still defining related allow rules
continue to work. Existing
polices explicitly not allowing them and relying on SELinux to block changes on
the close-on-exec flag are already broken due to the bypasses via
fnctl(2) and dup(2).
>
> Demi, are you able to respin this patch with policy capability changes?
>
> --
> paul-moore.com
next prev parent reply other threads:[~2022-02-17 15:05 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-25 21:34 [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX Demi Marie Obenour
2022-01-25 22:27 ` Paul Moore
2022-01-25 22:50 ` Demi Marie Obenour
2022-01-26 22:41 ` Paul Moore
2022-01-30 3:40 ` Demi Marie Obenour
2022-02-01 17:26 ` Paul Moore
2022-02-02 10:13 ` Demi Marie Obenour
2022-02-03 23:44 ` Paul Moore
2022-02-04 13:48 ` Chris PeBenito
2022-02-05 11:19 ` Dominick Grift
2022-02-05 13:13 ` Demi Marie Obenour
2022-02-08 14:17 ` William Roberts
2022-02-08 15:47 ` Chris PeBenito
2022-02-08 16:47 ` Dominick Grift
2022-02-08 23:44 ` David Laight
2022-02-14 7:11 ` Jeffrey Vander Stoep
2022-02-15 20:34 ` Paul Moore
2022-02-17 15:04 ` Christian Göttsche [this message]
2022-02-17 22:25 ` Paul Moore
2022-02-17 23:55 ` Demi Marie Obenour
2022-02-18 15:06 ` Richard Haines
2022-02-18 15:39 ` Richard Haines
2022-02-20 1:15 ` Demi Marie Obenour
2022-02-07 17:00 ` William Roberts
2022-02-07 17:08 ` Demi Marie Obenour
2022-02-07 18:35 ` William Roberts
2022-02-07 21:12 ` Demi Marie Obenour
2022-02-07 21:42 ` William Roberts
2022-02-07 21:50 ` William Roberts
2022-02-08 0:01 ` Paul Moore
2022-02-08 14:05 ` William Roberts
2022-02-08 16:26 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJ2a_Ddh8p0fzJHf7R=BwAULfS8jYq08x=H45mF9jaR1QbWTww@mail.gmail.com' \
--to=cgzones@googlemail.com \
--cc=bill.c.roberts@gmail.com \
--cc=chpebeni@linux.microsoft.com \
--cc=demiobenour@gmail.com \
--cc=dominick.grift@defensec.nl \
--cc=eparis@parisplace.org \
--cc=jeffv@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux-refpolicy@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.