Re: fuse doesn't use security_inode_init_security?

From: Vivek Goyal <vgoyal@redhat.com>
To: Chirantan Ekbote <chirantan@chromium.org>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
	linux-fsdevel@vger.kernel.org, fuse-devel@lists.sourceforge.net,
	Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: fuse doesn't use security_inode_init_security?
Date: Fri, 1 May 2020 11:46:52 -0400	[thread overview]
Message-ID: <20200501154652.GA285331@redhat.com> (raw)
In-Reply-To: <CAJFHJroyC8SAFJZuQxcwHqph5EQRg=MqFdvfnwbK35Cv-A-neA@mail.gmail.com>

On Fri, May 01, 2020 at 03:55:20PM +0900, Chirantan Ekbote wrote:
> Hello,
> 
> I noticed that the fuse module doesn't currently call
> security_inode_init_security and I was wondering if there is a
> specific reason for that.  I found a patch from 2013[1] that would
> change fuse so that it would call that function but it doesn't appear
> that the patch was merged.
> 
> For background: I currently have a virtio-fs server with a guest VM
> that wants to use selinux.  I was able to enable selinux support
> without much issue by adding
> 
>     fs_use_xattr virtiofs u:object_r:labeledfs:s0;
> 
> to the selinux policy in the guest.  This works for the most part
> except that `setfscreatecon` doesn't appear to work.  From what I can
> tell, this ends up writing to `/proc/[pid]/attr/fscreate` and the
> attributes actually get set via the `inode_init_security` lsm hook in
> selinux.  However, since fuse doesn't call
> `security_inode_init_security` the hook never runs so the
> file/directory doesn't have the right attributes.
> 
> Is it safe to just call `security_inode_init_security` whenever fuse
> creates a new inode?  How does this affect non-virtiofs fuse servers?
> Would we need a new flag so that servers could opt-in to this behavior
> like in the patch from [1]?

I am wondering how would fuse initialize the security context of newly
created file. One way seems to be that it passes that information
as part of FUSE_CREATE/FUSE_MKNOD calls to server and server sets
its "fscreate" accordingly and then creates new file. This is similar
to virtiofsd changing its effective uid/gid to the fuse client so that
file is created with caller's uid/gid. Seems to be selinux context for
file creation probably should be handled similiarly.

Other method could be to first create new file and then new fuse
commands to do setxattrs. But that will be racy as file will have
some default label for sometime between creation and setxattr.

Having said that, I have a question. How do you reconcile host selinux
policy and guest selinux labels. I am assuming host selinux policy
will have to know about guest labels so that it allows virtiofsd do
set those labels? Dan, you might have more thoughts on this.

Thanks
Vivek