From: Stephen Smalley <sds@tycho.nsa.gov>
To: David Howells <dhowells@redhat.com>, viro@zeniv.linux.org.uk
Cc: Paul Moore <paul@paul-moore.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
linux-fsdevel@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: [PATCH 07/32] selinux: Implement the new mount API LSM hooks [ver #9]
Date: Wed, 11 Jul 2018 10:08:17 -0400 [thread overview]
Message-ID: <078bdc66-3726-72ae-cc1e-85290bb7a16a@tycho.nsa.gov> (raw)
In-Reply-To: <153126253554.14533.643647579195359736.stgit@warthog.procyon.org.uk>
On 07/10/2018 06:42 PM, David Howells wrote:
> Implement the new mount API LSM hooks for SELinux. At some point the old
> hooks will need to be removed.
>
> Question: Should the ->fs_context_parse_source() hook be implemented to
> check the labels on any source devices specified?
The hook interface doesn't appear to lend itself to such validation, since you are just passing a string, not an inode.
Looking up the inode within the security module could easily yield a different object than what is ultimately used for the actual mount.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Paul Moore <paul@paul-moore.com>
> cc: Stephen Smalley <sds@tycho.nsa.gov>
> cc: selinux@tycho.nsa.gov
> cc: linux-security-module@vger.kernel.org
> ---
>
> security/selinux/hooks.c | 264 ++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 264 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 5bb53edd74cc..bdecae4b7306 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -48,6 +48,7 @@
> #include <linux/fdtable.h>
> #include <linux/namei.h>
> #include <linux/mount.h>
> +#include <linux/fs_context.h>
> #include <linux/netfilter_ipv4.h>
> #include <linux/netfilter_ipv6.h>
> #include <linux/tty.h>
> @@ -2973,6 +2974,261 @@ static int selinux_umount(struct vfsmount *mnt, int flags)
> FILESYSTEM__UNMOUNT, NULL);
> }
>
> +/* fsopen mount context operations */
> +
> +static int selinux_fs_context_alloc(struct fs_context *fc,
> + struct dentry *reference)
> +{
> + struct security_mnt_opts *opts;
> +
> + opts = kzalloc(sizeof(*opts), GFP_KERNEL);
> + if (!opts)
> + return -ENOMEM;
> +
> + fc->security = opts;
> + return 0;
> +}
> +
> +static int selinux_fs_context_dup(struct fs_context *fc,
> + struct fs_context *src_fc)
> +{
> + const struct security_mnt_opts *src = src_fc->security;
> + struct security_mnt_opts *opts;
> + int i, n;
> +
> + opts = kzalloc(sizeof(*opts), GFP_KERNEL);
> + if (!opts)
> + return -ENOMEM;
> + fc->security = opts;
> +
> + if (!src || !src->num_mnt_opts)
> + return 0;
> + n = opts->num_mnt_opts = src->num_mnt_opts;
> +
> + if (src->mnt_opts) {
> + opts->mnt_opts = kcalloc(n, sizeof(char *), GFP_KERNEL);
> + if (!opts->mnt_opts)
> + return -ENOMEM;
> +
> + for (i = 0; i < n; i++) {
> + if (src->mnt_opts[i]) {
> + opts->mnt_opts[i] = kstrdup(src->mnt_opts[i],
> + GFP_KERNEL);
> + if (!opts->mnt_opts[i])
> + return -ENOMEM;
> + }
> + }
> + }
> +
> + if (src->mnt_opts_flags) {
> + opts->mnt_opts_flags = kmemdup(src->mnt_opts_flags,
> + n * sizeof(int), GFP_KERNEL);
> + if (!opts->mnt_opts_flags)
> + return -ENOMEM;
> + }
> +
> + return 0;
> +}
> +
> +static void selinux_fs_context_free(struct fs_context *fc)
> +{
> + struct security_mnt_opts *opts = fc->security;
> +
> + if (opts) {
> + security_free_mnt_opts(opts);
> + fc->security = NULL;
> + }
> +}
> +
> +static int selinux_fs_context_parse_option(struct fs_context *fc, char *opt, size_t len)
> +{
> + struct security_mnt_opts *opts = fc->security;
> + substring_t args[MAX_OPT_ARGS];
> + unsigned int have;
> + char *c, **oo;
> + int token, ctx, i, *of;
> +
> + token = match_token(opt, tokens, args);
> + if (token == Opt_error)
> + return 0; /* Doesn't belong to us. */
> +
> + have = 0;
> + for (i = 0; i < opts->num_mnt_opts; i++)
> + have |= 1 << opts->mnt_opts_flags[i];
> + if (have & (1 << token))
> + return -EINVAL;
> +
> + switch (token) {
> + case Opt_context:
> + if (have & (1 << Opt_defcontext))
> + goto incompatible;
> + ctx = CONTEXT_MNT;
> + goto copy_context_string;
> +
> + case Opt_fscontext:
> + ctx = FSCONTEXT_MNT;
> + goto copy_context_string;
> +
> + case Opt_rootcontext:
> + ctx = ROOTCONTEXT_MNT;
> + goto copy_context_string;
> +
> + case Opt_defcontext:
> + if (have & (1 << Opt_context))
> + goto incompatible;
> + ctx = DEFCONTEXT_MNT;
> + goto copy_context_string;
> +
> + case Opt_labelsupport:
> + return 1;
> +
> + default:
> + return -EINVAL;
> + }
> +
> +copy_context_string:
> + if (opts->num_mnt_opts > 3)
> + return -EINVAL;
> +
> + of = krealloc(opts->mnt_opts_flags,
> + (opts->num_mnt_opts + 1) * sizeof(int), GFP_KERNEL);
> + if (!of)
> + return -ENOMEM;
> + of[opts->num_mnt_opts] = 0;
> + opts->mnt_opts_flags = of;
> +
> + oo = krealloc(opts->mnt_opts,
> + (opts->num_mnt_opts + 1) * sizeof(char *), GFP_KERNEL);
> + if (!oo)
> + return -ENOMEM;
> + oo[opts->num_mnt_opts] = NULL;
> + opts->mnt_opts = oo;
> +
> + c = match_strdup(&args[0]);
> + if (!c)
> + return -ENOMEM;
> + opts->mnt_opts[opts->num_mnt_opts] = c;
> + opts->mnt_opts_flags[opts->num_mnt_opts] = ctx;
> + opts->num_mnt_opts++;
> + return 1;
> +
> +incompatible:
> + return -EINVAL;
> +}
> +
> +/*
> + * Validate the security parameters supplied for a reconfiguration/remount
> + * event.
> + */
> +static int selinux_validate_for_sb_reconfigure(struct fs_context *fc)
> +{
> + struct super_block *sb = fc->root->d_sb;
> + struct superblock_security_struct *sbsec = sb->s_security;
> + struct security_mnt_opts *opts = fc->security;
> + int rc, i, *flags;
> + char **mount_options;
> +
> + if (!(sbsec->flags & SE_SBINITIALIZED))
> + return 0;
> +
> + mount_options = opts->mnt_opts;
> + flags = opts->mnt_opts_flags;
> +
> + for (i = 0; i < opts->num_mnt_opts; i++) {
> + u32 sid;
> +
> + if (flags[i] == SBLABEL_MNT)
> + continue;
> +
> + rc = security_context_str_to_sid(&selinux_state, mount_options[i],
> + &sid, GFP_KERNEL);
> + if (rc) {
> + pr_warn("SELinux: security_context_str_to_sid"
> + "(%s) failed for (dev %s, type %s) errno=%d\n",
> + mount_options[i], sb->s_id, sb->s_type->name, rc);
> + goto inval;
> + }
> +
> + switch (flags[i]) {
> + case FSCONTEXT_MNT:
> + if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
> + goto bad_option;
> + break;
> + case CONTEXT_MNT:
> + if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
> + goto bad_option;
> + break;
> + case ROOTCONTEXT_MNT: {
> + struct inode_security_struct *root_isec;
> + root_isec = backing_inode_security(sb->s_root);
> +
> + if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
> + goto bad_option;
> + break;
> + }
> + case DEFCONTEXT_MNT:
> + if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
> + goto bad_option;
> + break;
> + default:
> + goto inval;
> + }
> + }
> +
> + rc = 0;
> +out:
> + return rc;
> +
> +bad_option:
> + pr_warn("SELinux: unable to change security options "
> + "during remount (dev %s, type=%s)\n",
> + sb->s_id, sb->s_type->name);
> +inval:
> + rc = -EINVAL;
> + goto out;
> +}
> +
> +/*
> + * Validate the security context assembled from the option data supplied to
> + * mount.
> + */
> +static int selinux_fs_context_validate(struct fs_context *fc)
> +{
> + if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE)
> + return selinux_validate_for_sb_reconfigure(fc);
> + return 0;
> +}
> +
> +/*
> + * Set the security context on a superblock.
> + */
> +static int selinux_sb_get_tree(struct fs_context *fc)
> +{
> + const struct cred *cred = current_cred();
> + struct common_audit_data ad;
> + int rc;
> +
> + rc = selinux_set_mnt_opts(fc->root->d_sb, fc->security, 0, NULL);
> + if (rc)
> + return rc;
> +
> + /* Allow all mounts performed by the kernel */
> + if (fc->purpose == FS_CONTEXT_FOR_KERNEL_MOUNT)
> + return 0;
> +
> + ad.type = LSM_AUDIT_DATA_DENTRY;
> + ad.u.dentry = fc->root;
> + return superblock_has_perm(cred, fc->root->d_sb, FILESYSTEM__MOUNT, &ad);
> +}
> +
> +static int selinux_sb_mountpoint(struct fs_context *fc, struct path *mountpoint,
> + unsigned int mnt_flags)
> +{
> + const struct cred *cred = current_cred();
> +
> + return path_has_perm(cred, mountpoint, FILE__MOUNTON);
> +}
> +
> /* inode security operations */
>
> static int selinux_inode_alloc_security(struct inode *inode)
> @@ -6905,6 +7161,14 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
> LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
>
> + LSM_HOOK_INIT(fs_context_alloc, selinux_fs_context_alloc),
> + LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
> + LSM_HOOK_INIT(fs_context_free, selinux_fs_context_free),
> + LSM_HOOK_INIT(fs_context_parse_option, selinux_fs_context_parse_option),
> + LSM_HOOK_INIT(fs_context_validate, selinux_fs_context_validate),
> + LSM_HOOK_INIT(sb_get_tree, selinux_sb_get_tree),
> + LSM_HOOK_INIT(sb_mountpoint, selinux_sb_mountpoint),
> +
> LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
> LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
> LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
>
next prev parent reply other threads:[~2018-07-11 14:08 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-10 22:41 [PATCH 00/32] VFS: Introduce filesystem context [ver #9] David Howells
2018-07-10 22:41 ` [PATCH 01/32] vfs: syscall: Add open_tree(2) to reference or clone a mount " David Howells
2018-07-10 22:41 ` [PATCH 02/32] vfs: syscall: Add move_mount(2) to move mounts around " David Howells
2018-07-10 22:41 ` [PATCH 03/32] teach move_mount(2) to work with OPEN_TREE_CLONE " David Howells
2018-07-10 22:41 ` [PATCH 04/32] vfs: Suppress MS_* flag defs within the kernel unless explicitly enabled " David Howells
2018-07-10 22:42 ` [PATCH 05/32] vfs: Introduce the basic header for the new mount API's filesystem context " David Howells
2018-07-10 22:42 ` [PATCH 06/32] vfs: Add LSM hooks for the new mount API " David Howells
2018-07-10 22:42 ` [PATCH 07/32] selinux: Implement the new mount API LSM hooks " David Howells
2018-07-11 14:08 ` Stephen Smalley [this message]
2018-07-10 22:42 ` [PATCH 08/32] smack: Implement filesystem context security " David Howells
2018-07-10 23:13 ` Casey Schaufler
2018-07-10 23:19 ` David Howells
2018-07-10 23:28 ` Casey Schaufler
2018-07-10 22:42 ` [PATCH 09/32] apparmor: Implement security hooks for the new mount API " David Howells
2018-07-10 22:42 ` [PATCH 10/32] tomoyo: " David Howells
2018-07-10 23:34 ` Tetsuo Handa
2018-07-10 22:42 ` [PATCH 11/32] vfs: Require specification of size of mount data for internal mounts " David Howells
2018-07-10 22:51 ` Linus Torvalds
2018-07-10 22:42 ` [PATCH 12/32] vfs: Separate changing mount flags full remount " David Howells
2018-07-10 22:42 ` [PATCH 13/32] vfs: Implement a filesystem superblock creation/configuration context " David Howells
2018-07-10 22:43 ` [PATCH 14/32] vfs: Remove unused code after filesystem context changes " David Howells
2018-07-10 22:43 ` [PATCH 15/32] procfs: Move proc_fill_super() to fs/proc/root.c " David Howells
2018-07-10 22:43 ` [PATCH 16/32] proc: Add fs_context support to procfs " David Howells
2018-07-10 22:43 ` [PATCH 17/32] ipc: Convert mqueue fs to fs_context " David Howells
2018-07-10 22:43 ` [PATCH 18/32] cpuset: Use " David Howells
2018-07-10 22:43 ` [PATCH 19/32] kernfs, sysfs, cgroup, intel_rdt: Support " David Howells
2018-07-10 22:43 ` [PATCH 20/32] hugetlbfs: Convert to " David Howells
2018-07-10 22:43 ` [PATCH 21/32] vfs: Remove kern_mount_data() " David Howells
2018-07-10 22:43 ` [PATCH 22/32] vfs: Provide documentation for new mount API " David Howells
2018-07-13 1:37 ` Randy Dunlap
2018-07-13 9:45 ` David Howells
2018-07-10 22:44 ` [PATCH 23/32] Make anon_inodes unconditional " David Howells
2018-07-10 22:44 ` [PATCH 24/32] vfs: syscall: Add fsopen() to prepare for superblock creation " David Howells
2018-07-10 23:59 ` Andy Lutomirski
2018-07-11 1:05 ` Linus Torvalds
2018-07-11 1:15 ` Al Viro
2018-07-11 1:33 ` Andy Lutomirski
2018-07-11 1:48 ` Linus Torvalds
2018-07-11 8:43 ` David Howells
2018-07-11 1:14 ` Jann Horn
2018-07-11 1:16 ` Al Viro
2018-07-11 8:42 ` David Howells
2018-07-11 16:03 ` Linus Torvalds
2018-07-11 7:22 ` David Howells
2018-07-11 16:38 ` Eric Biggers
2018-07-11 17:06 ` Andy Lutomirski
2018-07-12 14:54 ` David Howells
2018-07-12 15:50 ` Linus Torvalds
2018-07-12 16:00 ` Al Viro
2018-07-12 16:07 ` Linus Torvalds
2018-07-12 16:31 ` Al Viro
2018-07-12 16:39 ` Linus Torvalds
2018-07-12 17:14 ` Linus Torvalds
2018-07-12 17:44 ` Al Viro
2018-07-12 17:54 ` Linus Torvalds
2018-07-12 17:52 ` Al Viro
2018-07-12 16:23 ` Andy Lutomirski
2018-07-12 16:31 ` Linus Torvalds
2018-07-12 16:41 ` Al Viro
2018-07-12 16:58 ` Al Viro
2018-07-12 17:54 ` Andy Lutomirski
2018-07-12 20:23 ` David Howells
2018-07-12 20:25 ` Andy Lutomirski
2018-07-12 20:34 ` Linus Torvalds
2018-07-12 20:36 ` Linus Torvalds
2018-07-12 21:26 ` David Howells
2018-07-12 21:40 ` Linus Torvalds
2018-07-12 22:32 ` Theodore Y. Ts'o
2018-07-12 22:54 ` David Howells
2018-07-12 23:21 ` Andy Lutomirski
2018-07-12 23:23 ` Jann Horn
2018-07-12 23:33 ` Jann Horn
2018-07-12 23:35 ` David Howells
2018-07-12 23:50 ` Andy Lutomirski
2018-07-13 0:03 ` David Howells
2018-07-13 0:24 ` Andy Lutomirski
2018-07-13 7:30 ` David Howells
2018-07-19 1:30 ` Eric W. Biederman
2018-07-13 2:35 ` Theodore Y. Ts'o
2018-07-12 21:00 ` David Howells
2018-07-12 21:29 ` Linus Torvalds
2018-07-13 13:27 ` David Howells
2018-07-13 15:01 ` Andy Lutomirski
2018-07-13 15:40 ` David Howells
2018-07-13 17:14 ` Andy Lutomirski
2018-07-17 9:40 ` David Howells
2018-07-11 15:51 ` Jonathan Corbet
2018-07-11 16:18 ` David Howells
2018-07-12 17:15 ` Greg KH
2018-07-12 17:20 ` Al Viro
2018-07-12 18:03 ` Greg KH
2018-07-12 18:30 ` Andy Lutomirski
2018-07-12 18:34 ` Al Viro
2018-07-12 18:35 ` Al Viro
2018-07-12 19:08 ` Greg KH
2018-07-10 22:44 ` [PATCH 25/32] vfs: syscall: Add fsmount() to create a mount for a superblock " David Howells
2018-07-10 22:44 ` [PATCH 26/32] vfs: syscall: Add fspick() to select a superblock for reconfiguration " David Howells
2018-07-10 22:44 ` [PATCH 27/32] vfs: Implement logging through fs_context " David Howells
2018-07-10 22:44 ` [PATCH 28/32] vfs: Add some logging to the core users of the fs_context log " David Howells
2018-07-10 22:44 ` [PATCH 29/32] afs: Add fs_context support " David Howells
2018-07-10 22:44 ` [PATCH 30/32] afs: Use fs_context to pass parameters over automount " David Howells
2018-07-10 22:44 ` [PATCH 31/32] vfs: syscall: Add fsinfo() to query filesystem information " David Howells
2018-07-10 22:45 ` [PATCH 32/32] afs: Add fsinfo support " David Howells
2018-07-10 22:52 ` [MANPAGE PATCH] Add manpages for move_mount(2) and open_tree(2) David Howells
2019-10-09 9:51 ` Michael Kerrisk (man-pages)
2018-07-10 22:54 ` [MANPAGE PATCH] Add manpage for fsopen(2), fspick(2) and fsmount(2) David Howells
2019-10-09 9:52 ` Michael Kerrisk (man-pages)
2018-07-10 22:55 ` [MANPAGE PATCH] Add manpage for fsinfo(2) David Howells
2019-10-09 9:52 ` Michael Kerrisk (man-pages)
2019-10-09 12:02 ` David Howells
2018-07-10 23:01 ` [PATCH 00/32] VFS: Introduce filesystem context [ver #9] Linus Torvalds
2018-07-12 0:46 ` David Howells
2018-07-18 21:29 ` Getting rid of the usage of write() -- was " David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=078bdc66-3726-72ae-cc1e-85290bb7a16a@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=dhowells@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@tycho.nsa.gov \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).