From: "Mickaël Salaün" <mic@digikod.net>
To: Linux API <linux-api@vger.kernel.org>, stable <stable@vger.kernel.org>
Cc: Paul Moore <paul@paul-moore.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Christian Brauner <brauner@kernel.org>,
Chris PeBenito <pebenito@ieee.org>,
Petr Lautrbach <plautrba@redhat.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
SElinux list <selinux@vger.kernel.org>,
Christian Brauner <christian.brauner@ubuntu.com>
Subject: Re: [PATCH] security/landlock: use square brackets around "landlock-ruleset"
Date: Fri, 15 Oct 2021 13:47:48 +0200 [thread overview]
Message-ID: <d638892e-12fd-ab69-9230-ba0864cf173f@digikod.net> (raw)
In-Reply-To: <20211015091010.3ht6lvwoxw5ygkca@wittgenstein>
CCing linux-api and stable to give them a chance to confirm that
changing proc symlink content is OK.
On 15/10/2021 11:10, Christian Brauner wrote:
> On Wed, Oct 13, 2021 at 05:47:53PM +0200, Mickaël Salaün wrote:
>>
>> On 12/10/2021 23:09, Paul Moore wrote:
>>> On Tue, Oct 12, 2021 at 4:38 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>>>>
>>>> On Tue, Oct 12, 2021 at 8:12 PM Paul Moore <paul@paul-moore.com> wrote:
>>>>> On Tue, Oct 12, 2021 at 6:38 AM Christian Brauner
>>>>> <christian.brauner@ubuntu.com> wrote:
>>>>>> On Mon, Oct 11, 2021 at 04:38:55PM +0200, Mickaël Salaün wrote:
>>>>>>> On 11/10/2021 15:37, Christian Brauner wrote:
>>>>>>>> From: Christian Brauner <christian.brauner@ubuntu.com>
>>>>>>>>
>>>>>>>> Make the name of the anon inode fd "[landlock-ruleset]" instead of
>>>>>>>> "landlock-ruleset". This is minor but most anon inode fds already
>>>>>>>> carry square brackets around their name:
>>>>>>>>
>>>>>>>> [eventfd]
>>>>>>>> [eventpoll]
>>>>>>>> [fanotify]
>>>>>>>> [fscontext]
>>>>>>>> [io_uring]
>>>>>>>> [pidfd]
>>>>>>>> [signalfd]
>>>>>>>> [timerfd]
>>>>>>>> [userfaultfd]
>>>>>>>>
>>>>>>>> For the sake of consistency lets do the same for the landlock-ruleset anon
>>>>>>>> inode fd that comes with landlock. We did the same in
>>>>>>>> 1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
>>>>>>>> for the new mount api.
>>>>>>>
>>>>>>> Before creating "landlock-ruleset" FD, I looked at other anonymous FD
>>>>>>> and saw this kind of inconsistency. I don't get why we need to add extra
>>>>>>> characters to names, those brackets seem useless. If it should be part
>>>>>>
>>>>>> Past inconsistency shouldn't justify future inconsistency. If you have a
>>>>>> strong opinion about this for landlock I'm not going to push for it.
>>>>>> Exchanging more than 2-3 email about something like this seems too much.
>>>>>
>>>>> [NOTE: adding the SELinux list as well as Chris (SELinux refrence
>>>>> policy maintainer) and Petr (Fedora/RHEL SELinux)]
>>>>>
>>>>> Chris and Petr, do either of you currently have any policy that
>>>>> references the "landlock-ruleset" anonymous inode? In other words,
>>>>> would adding the brackets around the name cause you any problems?
>>>>
>>>> AFAIU, the anon_inode transitions (the only mechanism where the "file
>>>> name" would be exposed to the policy) are done only for inodes created
>>>> by anon_inode_getfd_secure(), which is currently only used by
>>>> userfaultfd. So you don't even need to ask that question; at this
>>>> point it should be safe to change any of the names except
>>>> "[userfaultfd]" as far as SELinux policy is concerned.
>>>
>>> There is also io_uring if you look at selinux/next.
>>>
>>> Regardless, thanks, I didn't check to see if landlock was using the
>>> new anon inode interface, since both Mickaël and Christian were
>>> concerned about breaking SELinux I had assumed they were using it :)
>>>
>>
>> Ok, thanks Paul and Ondrej.
>>
>> Such anonymous inode names seem to be only exposed to proc for now.
>> Let's change this name then. I think it make sense to backport this
>> patch down to 5.13 to fix all the inconsistencies.
>
> Thank you. I do appreciate the point about this being annoying that we
> have this inconsistency and it has bothered me too.
>
> Christian
>
prev parent reply other threads:[~2021-10-15 11:55 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-11 13:37 [PATCH] security/landlock: use square brackets around "landlock-ruleset" Christian Brauner
2021-10-11 14:38 ` Mickaël Salaün
2021-10-12 10:38 ` Christian Brauner
2021-10-12 18:11 ` Paul Moore
2021-10-12 20:38 ` Ondrej Mosnacek
2021-10-12 21:09 ` Paul Moore
2021-10-13 15:47 ` Mickaël Salaün
2021-10-15 9:10 ` Christian Brauner
2021-10-15 11:47 ` Mickaël Salaün [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d638892e-12fd-ab69-9230-ba0864cf173f@digikod.net \
--to=mic@digikod.net \
--cc=brauner@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=pebenito@ieee.org \
--cc=plautrba@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.