* Re: linux-next: manual merge of the selinux tree with the vfs tree
From: Casey Schaufler @ 2018-11-30 0:57 UTC
To: Al Viro, Paul Moore
Cc: omosnace, sfr, linux-next, linux-kernel, dhowells, selinux, linux-fsdevel, LSM

On 11/29/2018 3:51 PM, Al Viro wrote:

I've added linux-security-module to the CC list.

> On Thu, Nov 29, 2018 at 05:23:24PM -0500, Paul Moore wrote:
>
>>> OK, I will verify that the SELinux submount fix rebased on top of
>>> vfs/work.mount in the way I suggested above passes the same testing
>>> (selinux-testsuite + NFS crossmnt reproducer). I am now building two
>>> kernels (vfs/work.mount with and without the fix) to test. Let me know
>>> if there is anything more to do.
>> Thanks.
>>
>> The big thing is just making sure that we don't regress on the fix in
>> selinux/next if/when David's mount rework hits Linus' tree.
> FWIW, the whole thing is getting massaged/reordered/etc. and I would
> like some input from you guys at some point - assuming that I recover
> the ability to talk about LSM without obscenities...
>
> Question: what *should* happen if we try to cross into a submount and find
> that the thing on the other side is already mounted elsewhere, with incompatible
> LSM options? Ditto for referrals, with an extra twist - what if we are given
> 3 alternatives, the first two already mounted elsewhere with incompatible
> options, the third one not mounted anywhere yet?

I fear that the safe answer and the containers answer are likely
to differ. The safe answer has to be to refuse the mount.

> Incidentally, should smack have ->sb_clone_mnt_opts()?

Probably, but I could never figure out what it was for,
and haven't identified a problem with not using it.

* Re: linux-next: manual merge of the selinux tree with the vfs tree
From: Al Viro @ 2018-11-30 1:27 UTC
To: Casey Schaufler
Cc: Paul Moore, omosnace, sfr, linux-next, linux-kernel, dhowells, selinux, linux-fsdevel, LSM

On Thu, Nov 29, 2018 at 04:57:20PM -0800, Casey Schaufler wrote:

> > Question: what *should* happen if we try to cross into a submount and find
> > that the thing on the other side is already mounted elsewhere, with incompatible
> > LSM options? Ditto for referrals, with an extra twist - what if we are given
> > 3 alternatives, the first two already mounted elsewhere with incompatible
> > options, the third one not mounted anywhere yet?
>
> I fear that the safe answer and the containers answer are likely
> to differ. The safe answer has to be to refuse the mount.
>
> > Incidentally, should smack have ->sb_clone_mnt_opts()?
>
> Probably, but I could never figure out what it was for,
> and haven't identified a problem with not using it.

Transferring the Linux S&M options when crossing into a submount.
Frankly, the set of mount-related hooks is atrocious - way too much
duplication between them (sb_kern_mount vs. sb_set_mnt_opts vs.
sb_parse_opts_str vs. sb_clone_mnt_opts) and that, actually, is
the worst part of safely untangling the mount-API series ;-/

And then there's sb_mount, with 3 instances and arseloads of
races in 2 out of 3. Consider e.g. this:

	if (need_dev) {
		/* Get mount point or device file. */
		if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW, &path)) {
			error = -ENOENT;
			goto out;
		}
		obj.path1 = path;
		requested_dev_name = tomoyo_realpath_from_path(&path);
		if (!requested_dev_name) {
			error = -ENOENT;
			goto out;
		}

in tomoyo. OK, so we do a pathname resolution of dev_name (including
the source in mount --bind case). Then we apply checks to it... and
proceed to...

	if (obj.path1.dentry)
		path_put(&obj.path1);

... discard the result of lookup. Then the caller proceeds to do
the work, including (at various locations, depending upon the
mount(2) flags, fs type, etc.) looking dev_name up. Could you
spell TOCTOU?

Or, for example, this:

	if (!dev_name || !*dev_name)
		return -EINVAL;

	flags &= MS_REC | MS_BIND;

	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
	if (error)
		return error;

	get_buffers(buffer, old_buffer);
	error = fn_for_each_confined(label, profile,
			match_mnt(profile, path, buffer, &old_path, old_buffer,
				  NULL, flags, NULL, false));
	put_buffers(buffer, old_buffer);

	path_put(&old_path);

Same story, same TOCTOU race, this time in apparmour...

* Re: linux-next: manual merge of the selinux tree with the vfs tree
From: Al Viro @ 2018-11-30 1:36 UTC
To: Casey Schaufler
Cc: Paul Moore, omosnace, sfr, linux-next, linux-kernel, dhowells, selinux, linux-fsdevel, LSM

On Fri, Nov 30, 2018 at 01:27:07AM +0000, Al Viro wrote:

> And then there's sb_mount, with 3 instances and arseloads of
> races in 2 out of 3.

PS: the 3rd one (in selinux) is, AFAICS, TOCTOU-free, because it
ignores everything except the mountpoint, which is already looked up
by the caller. No idea what any out-of-tree ones do, of course, but
judging by the in-tree sample...

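Added example, not part of the thread and not kernel code: a user-space analogue of the two patterns discussed in the messages above, where a check resolves a name, drops the result and the name is resolved again for use, versus checking the object that was already looked up. The function names, the temporary paths and the `repoint()` stand-in for a concurrent change are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for a concurrent change of what the name refers to. */
static void repoint(const char *name, const char *target)
{
    unlink(name);
    if (symlink(target, name) != 0)
        perror("symlink");
}

/* 1 if the object checked is the object used, 0 if not, -1 on setup error.
 * pinned == 0: check by name, drop the result, resolve the name again to use it.
 * pinned == 1: resolve once, then check and use that same descriptor. */
int checked_equals_used(int pinned)
{
    char dir[] = "/tmp/toctou-XXXXXX", a[64], b[64], name[64];
    struct stat checked, used;
    int fd = -1, ok = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(a, sizeof a, "%s/a", dir);
    snprintf(b, sizeof b, "%s/b", dir);
    snprintf(name, sizeof name, "%s/dev_name", dir);
    close(open(a, O_CREAT | O_WRONLY, 0600));
    close(open(b, O_CREAT | O_WRONLY, 0600));
    repoint(name, a);

    if (pinned)
        fd = open(name, O_RDONLY);              /* the only lookup */
    if (pinned ? fstat(fd, &checked) : stat(name, &checked))
        goto out;                               /* the "policy check" */
    repoint(name, b);                           /* name changes after the check */
    if (!pinned)
        fd = open(name, O_RDONLY);              /* second lookup of the same string */
    if (fd >= 0 && fstat(fd, &used) == 0)       /* the "use" */
        ok = checked.st_dev == used.st_dev && checked.st_ino == used.st_ino;
out:
    if (fd >= 0)
        close(fd);
    unlink(name); unlink(a); unlink(b); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("re-lookup: %d, pinned: %d\n", checked_equals_used(0), checked_equals_used(1));
    return 0;
}
```

With the second lookup the decision was made about one inode and the operation lands on another; with the pinned descriptor the check and the use cannot diverge, whatever happens to the name in between.
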
* Re: linux-next: manual merge of the selinux tree with the vfs tree
From: Casey Schaufler @ 2018-12-05 21:58 UTC
To: Al Viro, Ondrej Mosnacek
Cc: Paul Moore, Stephen Rothwell, linux-next, Linux kernel mailing list, David Howells, selinux, linux-fsdevel, LSM

On 12/5/2018 8:16 AM, Al Viro wrote:
> On Wed, Dec 05, 2018 at 10:37:56AM +0100, Ondrej Mosnacek wrote:
>
>> I just tested the Q28 branch rebased onto a recent Fedora rawhide
>> kernel (4.20.0-0.rc5.git0.1) and that code seems to be working fine.

Not so good with Smack.

# mount -t tmpfs -o size=512m,smackfsroot=Pop tmpfs /mnt
# attr -S -g SMACK64 /mnt
Attribute "SMACK64" had a 1 byte value for /mnt:
_
#

attr should have reported a 3 byte value "Pop".