linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* fuse doesn't use security_inode_init_security?
@ 2020-05-01  6:55 Chirantan Ekbote
  2020-05-01  7:53 ` Miklos Szeredi
  2020-05-01 15:46 ` Vivek Goyal
  0 siblings, 2 replies; 6+ messages in thread
From: Chirantan Ekbote @ 2020-05-01  6:55 UTC (permalink / raw)
  To: Miklos Szeredi; +Cc: linux-fsdevel, fuse-devel

Hello,

I noticed that the fuse module doesn't currently call
security_inode_init_security and I was wondering if there is a
specific reason for that.  I found a patch from 2013[1] that would
change fuse so that it would call that function but it doesn't appear
that the patch was merged.

For background: I currently have a virtio-fs server with a guest VM
that wants to use selinux.  I was able to enable selinux support
without much issue by adding

    fs_use_xattr virtiofs u:object_r:labeledfs:s0;

to the selinux policy in the guest.  This works for the most part
except that `setfscreatecon` doesn't appear to work.  From what I can
tell, this ends up writing to `/proc/[pid]/attr/fscreate` and the
attributes actually get set via the `inode_init_security` lsm hook in
selinux.  However, since fuse doesn't call
`security_inode_init_security` the hook never runs so the
file/directory doesn't have the right attributes.

Is it safe to just call `security_inode_init_security` whenever fuse
creates a new inode?  How does this affect non-virtiofs fuse servers?
Would we need a new flag so that servers could opt-in to this behavior
like in the patch from [1]?

Thank you,
Chirantan

[1] https://sourceforge.net/p/fuse/mailman/message/31624830/

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: fuse doesn't use security_inode_init_security?
  2020-05-01  6:55 fuse doesn't use security_inode_init_security? Chirantan Ekbote
@ 2020-05-01  7:53 ` Miklos Szeredi
  2020-05-01 18:32   ` Stephen Smalley
  2020-05-01 15:46 ` Vivek Goyal
  1 sibling, 1 reply; 6+ messages in thread
From: Miklos Szeredi @ 2020-05-01  7:53 UTC (permalink / raw)
  To: Chirantan Ekbote
  Cc: linux-fsdevel, fuse-devel, Vivek Goyal, LSM, virtio-fs-list

On Fri, May 1, 2020 at 8:55 AM Chirantan Ekbote <chirantan@chromium.org> wrote:
>
> Hello,
>
> I noticed that the fuse module doesn't currently call
> security_inode_init_security and I was wondering if there is a
> specific reason for that.  I found a patch from 2013[1] that would
> change fuse so that it would call that function but it doesn't appear
> that the patch was merged.
>
> For background: I currently have a virtio-fs server with a guest VM
> that wants to use selinux.  I was able to enable selinux support
> without much issue by adding
>
>     fs_use_xattr virtiofs u:object_r:labeledfs:s0;
>
> to the selinux policy in the guest.  This works for the most part
> except that `setfscreatecon` doesn't appear to work.  From what I can
> tell, this ends up writing to `/proc/[pid]/attr/fscreate` and the
> attributes actually get set via the `inode_init_security` lsm hook in
> selinux.  However, since fuse doesn't call
> `security_inode_init_security` the hook never runs so the
> file/directory doesn't have the right attributes.
>
> Is it safe to just call `security_inode_init_security` whenever fuse
> creates a new inode?  How does this affect non-virtiofs fuse servers?

Not sure,  Adding more Cc's.

I know there's a deadlock scenario with getxattr called on root inode
before mount returns, which causes a deadlock unless mount is run in
the background.  Current libfuse doesn't handle this, but I think some
fuse fs work around this by not using libfuse, or at least have some
special setup code (glusterfs? ceph-fuse? not sure...).  I also don't
know whether the ->inode_init_security hook is related to this or not.


Thanks,
Miklos

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: fuse doesn't use security_inode_init_security?
  2020-05-01  6:55 fuse doesn't use security_inode_init_security? Chirantan Ekbote
  2020-05-01  7:53 ` Miklos Szeredi
@ 2020-05-01 15:46 ` Vivek Goyal
  1 sibling, 0 replies; 6+ messages in thread
From: Vivek Goyal @ 2020-05-01 15:46 UTC (permalink / raw)
  To: Chirantan Ekbote
  Cc: Miklos Szeredi, linux-fsdevel, fuse-devel, Daniel J Walsh

On Fri, May 01, 2020 at 03:55:20PM +0900, Chirantan Ekbote wrote:
> Hello,
> 
> I noticed that the fuse module doesn't currently call
> security_inode_init_security and I was wondering if there is a
> specific reason for that.  I found a patch from 2013[1] that would
> change fuse so that it would call that function but it doesn't appear
> that the patch was merged.
> 
> For background: I currently have a virtio-fs server with a guest VM
> that wants to use selinux.  I was able to enable selinux support
> without much issue by adding
> 
>     fs_use_xattr virtiofs u:object_r:labeledfs:s0;
> 
> to the selinux policy in the guest.  This works for the most part
> except that `setfscreatecon` doesn't appear to work.  From what I can
> tell, this ends up writing to `/proc/[pid]/attr/fscreate` and the
> attributes actually get set via the `inode_init_security` lsm hook in
> selinux.  However, since fuse doesn't call
> `security_inode_init_security` the hook never runs so the
> file/directory doesn't have the right attributes.
> 
> Is it safe to just call `security_inode_init_security` whenever fuse
> creates a new inode?  How does this affect non-virtiofs fuse servers?
> Would we need a new flag so that servers could opt-in to this behavior
> like in the patch from [1]?

I am wondering how would fuse initialize the security context of newly
created file. One way seems to be that it passes that information
as part of FUSE_CREATE/FUSE_MKNOD calls to server and server sets
its "fscreate" accordingly and then creates new file. This is similar
to virtiofsd changing its effective uid/gid to the fuse client so that
file is created with caller's uid/gid. Seems to be selinux context for
file creation probably should be handled similiarly.

Other method could be to first create new file and then new fuse
commands to do setxattrs. But that will be racy as file will have
some default label for sometime between creation and setxattr.

Having said that, I have a question. How do you reconcile host selinux
policy and guest selinux labels. I am assuming host selinux policy
will have to know about guest labels so that it allows virtiofsd do
set those labels? Dan, you might have more thoughts on this.

Thanks
Vivek


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: fuse doesn't use security_inode_init_security?
  2020-05-01  7:53 ` Miklos Szeredi
@ 2020-05-01 18:32   ` Stephen Smalley
  2020-05-07  7:53     ` Chirantan Ekbote
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2020-05-01 18:32 UTC (permalink / raw)
  To: Miklos Szeredi
  Cc: Chirantan Ekbote, Linux FS Devel, fuse-devel, Vivek Goyal, LSM,
	virtio-fs-list, SElinux list

On Fri, May 1, 2020 at 3:54 AM Miklos Szeredi <miklos@szeredi.hu> wrote:
>
> On Fri, May 1, 2020 at 8:55 AM Chirantan Ekbote <chirantan@chromium.org> wrote:
> >
> > Hello,
> >
> > I noticed that the fuse module doesn't currently call
> > security_inode_init_security and I was wondering if there is a
> > specific reason for that.  I found a patch from 2013[1] that would
> > change fuse so that it would call that function but it doesn't appear
> > that the patch was merged.
> >
> > For background: I currently have a virtio-fs server with a guest VM
> > that wants to use selinux.  I was able to enable selinux support
> > without much issue by adding
> >
> >     fs_use_xattr virtiofs u:object_r:labeledfs:s0;
> >
> > to the selinux policy in the guest.  This works for the most part
> > except that `setfscreatecon` doesn't appear to work.  From what I can
> > tell, this ends up writing to `/proc/[pid]/attr/fscreate` and the
> > attributes actually get set via the `inode_init_security` lsm hook in
> > selinux.  However, since fuse doesn't call
> > `security_inode_init_security` the hook never runs so the
> > file/directory doesn't have the right attributes.
> >
> > Is it safe to just call `security_inode_init_security` whenever fuse
> > creates a new inode?  How does this affect non-virtiofs fuse servers?
>
> Not sure,  Adding more Cc's.
>
> I know there's a deadlock scenario with getxattr called on root inode
> before mount returns, which causes a deadlock unless mount is run in
> the background.  Current libfuse doesn't handle this, but I think some
> fuse fs work around this by not using libfuse, or at least have some
> special setup code (glusterfs? ceph-fuse? not sure...).  I also don't
> know whether the ->inode_init_security hook is related to this or not.

(cc selinux list)

security_inode_init_security() calls the initxattrs callback to
actually set each xattr in the backing store (if any), so unless you
have a way to pass that to the daemon along with the create request
the attribute won't be persisted with the file.  Setting the xattrs is
supposed to be atomic with the file creation, not a separate
setxattr() operation after creating the file, similar to ACL
inheritance on new files.

Also possibly related
https://lore.kernel.org/selinux/6df9b58c-fe9b-28f3-c151-f77aa6dd67e7@tycho.nsa.gov/.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: fuse doesn't use security_inode_init_security?
  2020-05-01 18:32   ` Stephen Smalley
@ 2020-05-07  7:53     ` Chirantan Ekbote
  2020-05-07 13:06       ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Chirantan Ekbote @ 2020-05-07  7:53 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Miklos Szeredi, Linux FS Devel, fuse-devel, Vivek Goyal, LSM,
	virtio-fs-list, SElinux list

On Sat, May 2, 2020 at 12:46 AM Vivek Goyal <vgoyal@redhat.com> wrote:
>
> I am wondering how would fuse initialize the security context of newly
> created file. One way seems to be that it passes that information
> as part of FUSE_CREATE/FUSE_MKNOD calls to server and server sets
> its "fscreate" accordingly and then creates new file. This is similar
> to virtiofsd changing its effective uid/gid to the fuse client so that
> file is created with caller's uid/gid. Seems to be selinux context for
> file creation probably should be handled similiarly.
>

How would the fuse driver get the correct context without going
through security_inode_init_security?

> Other method could be to first create new file and then new fuse
> commands to do setxattrs. But that will be racy as file will have
> some default label for sometime between creation and setxattr.
>
> Having said that, I have a question. How do you reconcile host selinux
> policy and guest selinux labels. I am assuming host selinux policy
> will have to know about guest labels so that it allows virtiofsd do
> set those labels? Dan, you might have more thoughts on this.
>

My understanding is that we currently merge the guest and host
policies so that all types in the guest are available on the host.
The host itself uses selinux in permissive mode.  The top-level
directory is also owned exclusively by the guest and host processes
don't have access to it.


On Sat, May 2, 2020 at 3:32 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
>
> (cc selinux list)
>
> security_inode_init_security() calls the initxattrs callback to
> actually set each xattr in the backing store (if any), so unless you
> have a way to pass that to the daemon along with the create request
> the attribute won't be persisted with the file.  Setting the xattrs is
> supposed to be atomic with the file creation, not a separate
> setxattr() operation after creating the file, similar to ACL
> inheritance on new files.
>

But it's not truly atomic, is it?  The underlying file system creates
the inode and then the inode_init_security selinux hook actually sets
the attributes.  What would happen if the computer lost power after
the file system driver created the inode but before the selinux hook
set the attributes?

> Also possibly related
> https://lore.kernel.org/selinux/6df9b58c-fe9b-28f3-c151-f77aa6dd67e7@tycho.nsa.gov/.

Interesting.  Let me pull out the relevant bits and respond inline.

> - deadlock during mount with userspace waiting for mount(2) to complete
> and the kernel blocked on requesting the security.selinux xattr of the
> root directory as part of superblock setup during mount

I haven't personally run into this.  It Just Works, except for the
fscreate issue.

> - there was an attempt to introduce distinctions based on filesystem
> "subtype" so that whitelisted fuse filesystems could have xattr support
> enabled when it was known that their userspace would handle mount(2)
> safely [3] but this was apparently always broken and later reverted [4].

I think we kind of side-stepped this issue.  The fstype for virtiofs
is "virtiofs" instead of something like "fuse.virtiofs" so there is no
subtype handling required.

> - there is the issue of trusting the fuse filesystem for its labeling
> information and for domain/context transitions

This is definitely an issue for regular fuse file systems.  However,
the virtiofs device has read/write access to all the VM's memory so
there isn't much the VM can do if it doesn't trust the device.



I guess what I'm trying to understand is: what are the issues with
having the fuse driver call the inode_init_security hooks?  Even if
it's not something that can be turned on by default in mainline, I'd
like to evaluate whether we can turn it on locally in our restricted
environment.

One issue is the lack of atomicity guarantees.  This is likely a
deal-breaker for general fuse usage.  However, I don't think it's an
issue for our restricted use of virtiofs because the attributes will
be set "atomically" from the guest userspace's perspective.  It won't
be atomic on the host side, but host processes don't have access to
those directories anyway.

Are there any other issues?

Thank you,
Chirantan

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: fuse doesn't use security_inode_init_security?
  2020-05-07  7:53     ` Chirantan Ekbote
@ 2020-05-07 13:06       ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2020-05-07 13:06 UTC (permalink / raw)
  To: Chirantan Ekbote
  Cc: Miklos Szeredi, Linux FS Devel, fuse-devel, Vivek Goyal, LSM,
	virtio-fs-list, SElinux list

On Thu, May 7, 2020 at 3:53 AM Chirantan Ekbote <chirantan@chromium.org> wrote:
> On Sat, May 2, 2020 at 3:32 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> >
> > (cc selinux list)
> >
> > security_inode_init_security() calls the initxattrs callback to
> > actually set each xattr in the backing store (if any), so unless you
> > have a way to pass that to the daemon along with the create request
> > the attribute won't be persisted with the file.  Setting the xattrs is
> > supposed to be atomic with the file creation, not a separate
> > setxattr() operation after creating the file, similar to ACL
> > inheritance on new files.
> >
>
> But it's not truly atomic, is it?  The underlying file system creates
> the inode and then the inode_init_security selinux hook actually sets
> the attributes.  What would happen if the computer lost power after
> the file system driver created the inode but before the selinux hook
> set the attributes?

IIUC, in the case of ext4 and xfs at least, the setting of the
security.selinux xattr is performed in the same transaction as the
file create, so a crash will either yield a file that has its xattr
set or no file at all.  This is also true of POSIX ACLs.  Labeled NFS
(NFSv4.2) likewise is supposed to send the MAC label with the file
create request and either create it with that label or not create it
at all.  Note that nfs however uses security_dentry_init_security() to
get the MAC label since it doesn't yet have an inode and MAC labels
are a first class abstraction in NFS not merely xattrs.

> > - deadlock during mount with userspace waiting for mount(2) to complete
> > and the kernel blocked on requesting the security.selinux xattr of the
> > root directory as part of superblock setup during mount
>
> I haven't personally run into this.  It Just Works, except for the
> fscreate issue.

Yes, this can be worked around in your fuse daemon if it supports
handling getxattr during mount (e.g. multi-threaded, other threads can
service the getxattr request while the mount(2) is still in progress).
But not supported by stock fuse userspace IIUC.

> I guess what I'm trying to understand is: what are the issues with
> having the fuse driver call the inode_init_security hooks?  Even if
> it's not something that can be turned on by default in mainline, I'd
> like to evaluate whether we can turn it on locally in our restricted
> environment.
>
> One issue is the lack of atomicity guarantees.  This is likely a
> deal-breaker for general fuse usage.  However, I don't think it's an
> issue for our restricted use of virtiofs because the attributes will
> be set "atomically" from the guest userspace's perspective.  It won't
> be atomic on the host side, but host processes don't have access to
> those directories anyway.
>
> Are there any other issues?

I don't have a problem with fuse calling the hook (either
security_inode_init_security or security_dentry_init_security).  It is
just a question of what it will do with the result (i.e. what its
initxattr callback will do for the former or what it will do with the
returned label in the latter). Optimally it will take the label
information and bundle it up along with the create request to the
daemon, which can then handle it as a single transaction.  Failing
that, it needs to support setting the label in some manner during file
creation that at least provides atomicity with respect to the user of
the filesystem (the guest in your case).

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2020-05-07 13:06 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-01  6:55 fuse doesn't use security_inode_init_security? Chirantan Ekbote
2020-05-01  7:53 ` Miklos Szeredi
2020-05-01 18:32   ` Stephen Smalley
2020-05-07  7:53     ` Chirantan Ekbote
2020-05-07 13:06       ` Stephen Smalley
2020-05-01 15:46 ` Vivek Goyal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).