linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ian Kent <raven@themaw.net>
To: Casey Schaufler <casey@schaufler-ca.com>,
	David Howells <dhowells@redhat.com>
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, keyrings@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [RFC][PATCH 0/5] Mount, Filesystem and Keyrings notifications
Date: Wed, 25 Jul 2018 13:39:56 +0800	[thread overview]
Message-ID: <1532497196.2688.65.camel@themaw.net> (raw)
In-Reply-To: <04b05dbd-0aa4-7789-1314-52108246291a@schaufler-ca.com>

On Tue, 2018-07-24 at 11:57 -0700, Casey Schaufler wrote:
> On 7/24/2018 9:00 AM, David Howells wrote:
> > Casey Schaufler <casey@schaufler-ca.com> wrote:
> > 
> > > >  (1) Mount topology and reconfiguration change events.
> > > 
> > > With the possibility of unprivileged mounting you're going to have to
> > > address access control on events.  If root in a user namespace mounts a
> > > filesystem you may have a case where the "real" user wouldn't want the
> > > listener to receive a notification.
> > 
> > Can you clarify who the listener is in this case?
> 
> That would be anyone with a watchpoint set.

And that process would have had the privilege to do so ...

> 
> > Note that mount topology events don't leak outside of the mount namespace
> > they're generated in.
> > 
> > That said, if you, a random user, put a watchpoint on "/" you can see the
> > mount events triggered by another random user in the same mount
> > namespace.  I
> > don't see a way to control this except by resorting to the LSM since UNIX
> > doesn't have 'notify' permission bits.
> 
> I would call that a write operation from the process that triggered
> the watchpoint to the one watching it. Like a signal. Signals have a
> rudimentary DAC policy (write only to the same UID) that could be
> your model.

I'm not sure signals are a good comparison.

They can affect a process in significant ways whereas triggering
a notification is less invasive so the security requirements
should take that into consideration.

But there is a problem here I think.

How about the case where a user name space is created or entered
without a newly created mount name space and mounts and umounts
are done, the user name space necessarily expects the table of
mounts it sees to be up to date.

But, if the methods here are used by user space, say libmount
was updated to use it, to gain the efficiency of not constantly
re-reading the proc mount table then restrictions on notifications
would mean the mount table seen in the user name space might not
be updated and would no longer be correct.

The converse is more interesting, where the user name space does
create or enter a new mount name space, then libmount would see ???,
probably not the updated mount information ... unless it opens a
new file handle to get mount update information ... a long running
daemon that uses libmount and dispenses or uses mount information
would very likely have a problem ...

The current proc file system method or providing the mount table
forces a new file handle to be opened whenever getting the mount
table so it always sees only the current mount name space mount
table.

At the very least I need to think more about this ...

> 
> > But for each event, I can associate an object label, derived from the
> > source,
> > and use f_cred on the notification queue to provide a subject label.
> 
> ... or UID or groups.
> 
> > 
> > > >  (2) Superblocks EIO, ENOSPC and EDQUOT events (not complete yet).
> > > 
> > > Here, too. If SELinux (for example) policy says you can't see
> > > anything on a filesystem you shouldn't get notifications about
> > > things that happen to that filesystem.
> > 
> > Yep.  Sounds like I need to refer that to the LSM as above.
> > 
> > It's a bit easier for specifically nominated sb sources since you might only
> > need to do the check once at sb_notify() time.  If there's a general queue
> > that all sbs contribute to, however, then things become more complicated as
> > the checks have to be done at do-we-write-into-this-queue? time.
> > 
> > > >  (3) Key/keyring changes events
> > > 
> > > And again, I should only get notifications about keys and
> > > keyrings I have access to.
> > 
> > Currently, you can only watch keys that grant you View permission, which
> > might
> > suffice.
> 
> That seems appropriate.
> 
> > > I expect that you intentionally left off
> > > 
> > >    (4) User injected events
> > > 
> > > at this point, but it's an obvious extension. That is going
> > > to require access controls (remember kdbus) so I think you'd
> > > do well to design them in now rather than have some security
> > > module hack like me come along later and "fix" it. 
> > 
> > Yeah - the thought had occurred to me, but there needs to be some way to
> > define a 'source' and a way to connect them.  Also, would you want a general
> > source that anyone can contribute through, specific sources where you have
> > to
> > directly connect or namespace-restricted sources?
> 
> My guess is that the consensus would be "Yes" to all the above.
> 
> > 
> > David
> > 
> 
> 

  reply	other threads:[~2018-07-25  6:50 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-23 15:25 [RFC][PATCH 0/5] Mount, Filesystem and Keyrings notifications David Howells
2018-07-23 15:25 ` [PATCH 1/5] General notification queue with user mmap()'able ring buffer David Howells
2018-07-23 15:25 ` [PATCH 2/5] KEYS: Add a notification facility David Howells
2018-07-23 15:26 ` [PATCH 3/5] vfs: Add a mount-notification facility David Howells
2018-07-23 15:26 ` [PATCH 4/5] vfs: Add superblock notifications David Howells
2018-07-23 15:26 ` [PATCH 5/5] Add sample notification program David Howells
2018-07-23 16:31 ` [RFC][PATCH 0/5] Mount, Filesystem and Keyrings notifications Casey Schaufler
2018-07-24  0:37   ` Ian Kent
2018-07-24 16:00 ` David Howells
2018-07-24 18:57   ` Casey Schaufler
2018-07-25  5:39     ` Ian Kent [this message]
2018-07-25 15:48       ` Casey Schaufler
2018-07-26  1:18         ` Ian Kent
2018-07-26 16:09           ` Casey Schaufler
2018-07-24 19:22   ` David Howells
2018-08-01 21:04 ` LSM hook for mount, superblock and keys watch notifications David Howells
2018-08-01 21:49   ` Casey Schaufler
2018-08-01 22:50   ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1532497196.2688.65.camel@themaw.net \
    --to=raven@themaw.net \
    --cc=casey@schaufler-ca.com \
    --cc=dhowells@redhat.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).