From: Stephen Smalley <sds@tycho.nsa.gov>
To: Daniel Colascione <dancol@google.com>
Cc: Tim Murray <timmurray@google.com>,
SElinux list <selinux@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
kvm@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
paul@paul-moore.com, Nick Kralevich <nnk@google.com>,
Lokesh Gidra <lokeshgidra@google.com>,
Jeffrey Vander Stoep <jeffv@google.com>
Subject: Re: [PATCH 2/3] Teach SELinux about anonymous inodes
Date: Fri, 14 Feb 2020 15:24:43 -0500 [thread overview]
Message-ID: <6d8f2e69-85e0-5313-337f-53144cf08218@tycho.nsa.gov> (raw)
In-Reply-To: <97603935-9f6b-ccf4-4229-87f26380c3db@tycho.nsa.gov>
On 2/14/20 1:08 PM, Stephen Smalley wrote:
> On 2/14/20 1:02 PM, Stephen Smalley wrote:
>> It shouldn't fire for non-anon inodes because on a (non-anon) file
>> creation, security_transition_sid() is passed the parent directory SID
>> as the second argument and we only assign task SIDs to /proc/pid
>> directories, which don't support (userspace) file creation anyway.
>>
>> However, in the absence of a matching type_transition rule, we'll end
>> up defaulting to the task SID on the anon inode, and without a
>> separate class we won't be able to distinguish it from a /proc/pid
>> inode. So that might justify a separate anoninode or similar class.
>>
>> This however reminded me that for the context_inode case, we not only
>> want to inherit the SID but also the sclass from the context_inode.
>> That is so that anon inodes created via device node ioctls inherit the
>> same SID/class pair as the device node and a single allowx rule can
>> govern all ioctl commands on that device.
>
> At least that's the way our patch worked with the /dev/kvm example.
> However, if we are introducing a separate anoninode class for the
> type_transition case, maybe we should apply that to all anon inodes
> regardless of how they are labeled (based on context_inode or
> transition) and then we'd need to write two allowx rules, one for ioctls
> on the original device node and one for those on anon inodes created
> from it. Not sure how Android wants to handle that as the original
> developer and primary user of SELinux ioctl whitelisting.
I would tentatively argue for inheriting both sclass and SID from the
context_inode for the sake of sane policy writing. In the userfaultfd
case, that will still end up using the new SECCLASS_ANONINODE or
whatever since the sclass will be initially set to that value for the
transition SID case and then inherited on fork. But for /dev/kvm, it
would be the class from the /dev/kvm inode, i.e. SECCLASS_CHR_FILE.
next prev parent reply other threads:[~2020-02-14 20:23 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200211225547.235083-1-dancol@google.com>
[not found] ` <9ae20f6e-c5c0-4fd7-5b61-77218d19480b@schaufler-ca.com>
2020-02-11 23:27 ` [PATCH v2 0/6] Harden userfaultfd Daniel Colascione
2020-02-12 16:09 ` Stephen Smalley
2020-02-21 17:56 ` James Morris
2020-02-12 7:50 ` Kees Cook
2020-02-12 16:54 ` Jann Horn
2020-02-12 17:14 ` Peter Xu
2020-02-12 19:41 ` Andrea Arcangeli
2020-02-12 20:04 ` Daniel Colascione
2020-02-12 23:41 ` Andrea Arcangeli
2020-02-12 17:12 ` Daniel Colascione
2020-02-14 3:26 ` [PATCH 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-02-14 3:26 ` [PATCH 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-02-14 3:26 ` [PATCH 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-02-14 16:39 ` Stephen Smalley
2020-02-14 17:21 ` Daniel Colascione
2020-02-14 18:02 ` Stephen Smalley
2020-02-14 18:08 ` Stephen Smalley
2020-02-14 20:24 ` Stephen Smalley [this message]
2020-02-14 3:26 ` [PATCH 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-03-25 23:02 ` [PATCH v2 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-03-25 23:02 ` [PATCH v2 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-03-26 13:53 ` Stephen Smalley
2020-03-25 23:02 ` [PATCH v2 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-03-26 13:58 ` Stephen Smalley
2020-03-26 17:59 ` Daniel Colascione
2020-03-26 17:37 ` Stephen Smalley
2020-03-25 23:02 ` [PATCH v2 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-03-25 23:49 ` Casey Schaufler
2020-03-26 18:14 ` [PATCH v3 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-03-26 18:14 ` [PATCH v3 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-03-26 19:00 ` Stephen Smalley
2020-03-26 18:14 ` [PATCH v3 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-03-26 19:02 ` Stephen Smalley
2020-03-26 18:14 ` [PATCH v3 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-03-26 20:06 ` [PATCH v4 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-03-26 20:06 ` [PATCH v4 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-03-27 13:40 ` Stephen Smalley
2020-03-26 20:06 ` [PATCH v4 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-03-27 13:41 ` Stephen Smalley
2020-03-26 20:06 ` [PATCH v4 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-04-01 21:39 ` [PATCH v5 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-04-01 21:39 ` [PATCH v5 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-05-07 16:02 ` James Morris
2020-08-04 21:22 ` Eric Biggers
2020-04-01 21:39 ` [PATCH v5 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-04-01 21:39 ` [PATCH v5 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-08-04 21:16 ` Eric Biggers
2020-04-13 13:29 ` [PATCH v5 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-04-22 16:55 ` James Morris
2020-04-22 17:12 ` Casey Schaufler
2020-04-23 22:24 ` Casey Schaufler
2020-04-27 16:18 ` Casey Schaufler
2020-04-27 16:48 ` Stephen Smalley
2020-04-27 17:12 ` Casey Schaufler
2020-04-29 17:02 ` Stephen Smalley
2020-04-27 17:15 ` Casey Schaufler
2020-04-27 19:40 ` Stephen Smalley
2020-06-04 3:56 ` James Morris
2020-06-04 18:51 ` Stephen Smalley
2020-06-04 19:24 ` Lokesh Gidra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6d8f2e69-85e0-5313-337f-53144cf08218@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=dancol@google.com \
--cc=jeffv@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lokeshgidra@google.com \
--cc=nnk@google.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=timmurray@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).