* RFC: BUG: overlayfs getxattr recursion leaves a poison sid.
@ 2019-07-09 16:23 Mark Salyzyn
2019-07-09 16:33 ` Casey Schaufler
0 siblings, 1 reply; 3+ messages in thread
From: Mark Salyzyn @ 2019-07-09 16:23 UTC (permalink / raw)
To: linux-kernel, Stephen Smalley, Miklos Szeredi, James Morris,
Serge E. Hallyn, Paul Moore, Eric Paris, selinux, kernel-team
For EACCES return for getxattr, sid appears to be expected updated in
parent node. For some accesses purely cosmetic for correct avc logging,
and depending on kernel vintage for others (older than 4.4) the lack of
the corrected sid in the parent overlay inode poisons the security cache
and results in false denials.
The avc denials would contain an (incorrect) unlabelled target
references, we could fix this by copying up the sid to the parent inode.
However the test (below) needs to refactored to the pleasure of the
security, selinux and overlayfs maintainers. The security_socket_accept
function is _close_, it will copy sid and class from the old socket to
the new. Along those lines, we probably need to add a new
security_copy_to_upper handler that takes the upper and lower dentries
and ensures that the upper contains all the security information
associated with the lower.
Prototype adjustment (tested in 3.18 to ToT)
int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char
*name, { ssize_t res; const struct cred *old_cred; struct dentry
*realdentry = ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry);
old_cred = ovl_override_creds(dentry->d_sb); res =
vfs_getxattr(realdentry, name, value, size); ovl_revert_creds(old_cred);
+ if (res == -EACCES) { + selinux_copy_sid(dentry, realdentry); return
res; }
. . .
+ void selinux_copy_sid(struct dentry *parent, struct dentry *child) + {
+ struct inode *pinode, *cinode; + struct inode_security_struct *pisec,
*cisec; + + if (!parent || !child) + return; + pinode = parent->d_inode;
+ cinode = child->d_inode; + if (!pinode || !cinode) + return; + pisec =
pinode->i_security; + cisec = cinode->i_security; + if (!pisec ||
!cisec) + return; + pisec->sid = cisec->sid; + } +
EXPORT_SYMBOL_GPL(selinux_copy_sid);
Sincerely -- Mark Salyzyn
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: RFC: BUG: overlayfs getxattr recursion leaves a poison sid.
2019-07-09 16:23 RFC: BUG: overlayfs getxattr recursion leaves a poison sid Mark Salyzyn
@ 2019-07-09 16:33 ` Casey Schaufler
2019-07-09 16:41 ` Mark Salyzyn
0 siblings, 1 reply; 3+ messages in thread
From: Casey Schaufler @ 2019-07-09 16:33 UTC (permalink / raw)
To: Mark Salyzyn, linux-kernel, Stephen Smalley, Miklos Szeredi,
James Morris, Serge E. Hallyn, Paul Moore, Eric Paris, selinux,
kernel-team, Linux Security Module list
Cc: casey
On 7/9/2019 9:23 AM, Mark Salyzyn wrote:
> For EACCES return for getxattr, sid appears to be expected updated in parent node. For some accesses purely cosmetic for correct avc logging, and depending on kernel vintage for others (older than 4.4) the lack of the corrected sid in the parent overlay inode poisons the security cache and results in false denials.
>
> The avc denials would contain an (incorrect) unlabelled target references, we could fix this by copying up the sid to the parent inode. However the test (below) needs to refactored to the pleasure of the security, selinux and overlayfs maintainers. The security_socket_accept function is _close_, it will copy sid and class from the old socket to the new. Along those lines, we probably need to add a new security_copy_to_upper handler that takes the upper and lower dentries and ensures that the upper contains all the security information associated with the lower.
Please include the LSM (CCed) list on all LSM impacting discussions.
Your mailer mangled the patch. Please resend in plain text.
Thank you.
>
> Prototype adjustment (tested in 3.18 to ToT)
>
> int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name, { ssize_t res; const struct cred *old_cred; struct dentry *realdentry = ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry); old_cred = ovl_override_creds(dentry->d_sb); res = vfs_getxattr(realdentry, name, value, size); ovl_revert_creds(old_cred); + if (res == -EACCES) { + selinux_copy_sid(dentry, realdentry); return res; }
>
> . . .
>
> + void selinux_copy_sid(struct dentry *parent, struct dentry *child) + { + struct inode *pinode, *cinode; + struct inode_security_struct *pisec, *cisec; + + if (!parent || !child) + return; + pinode = parent->d_inode; + cinode = child->d_inode; + if (!pinode || !cinode) + return; + pisec = pinode->i_security; + cisec = cinode->i_security; + if (!pisec || !cisec) + return; + pisec->sid = cisec->sid; + } + EXPORT_SYMBOL_GPL(selinux_copy_sid);
>
> Sincerely -- Mark Salyzyn
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: RFC: BUG: overlayfs getxattr recursion leaves a poison sid.
2019-07-09 16:33 ` Casey Schaufler
@ 2019-07-09 16:41 ` Mark Salyzyn
0 siblings, 0 replies; 3+ messages in thread
From: Mark Salyzyn @ 2019-07-09 16:41 UTC (permalink / raw)
To: Casey Schaufler, linux-kernel, Stephen Smalley, Miklos Szeredi,
James Morris, Serge E. Hallyn, Paul Moore, Eric Paris, selinux,
kernel-team, Linux Security Module list
On 7/9/19 9:33 AM, Casey Schaufler wrote:
> On 7/9/2019 9:23 AM, Mark Salyzyn wrote:
>> For EACCES return for getxattr, sid appears to be expected updated in parent node. For some accesses purely cosmetic for correct avc logging, and depending on kernel vintage for others (older than 4.4) the lack of the corrected sid in the parent overlay inode poisons the security cache and results in false denials.
>>
>> The avc denials would contain an (incorrect) unlabelled target references, we could fix this by copying up the sid to the parent inode. However the test (below) needs to refactored to the pleasure of the security, selinux and overlayfs maintainers. The security_socket_accept function is _close_, it will copy sid and class from the old socket to the new. Along those lines, we probably need to add a new security_copy_to_upper handler that takes the upper and lower dentries and ensures that the upper contains all the security information associated with the lower.
> Please include the LSM (CCed) list on all LSM impacting discussions.
> Your mailer mangled the patch. Please resend in plain text.
>
> Thank you.
>
>> Prototype adjustment (tested in 3.18 to ToT)
(annoyed that Thunderbird let me down even after selecting text plain text)
int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const
char *name,
{
ssize_t res;
const struct cred *old_cred;
struct dentry *realdentry =
ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry);
old_cred = ovl_override_creds(dentry->d_sb);
res = vfs_getxattr(realdentry, name, value, size);
ovl_revert_creds(old_cred);
+ if (res == -EACCES)
+ selinux_copy_sid(dentry, realdentry);
return res;
}
. . .
+ void selinux_copy_sid(struct dentry *parent, struct dentry *child)
+ {
+ struct inode *pinode, *cinode;
+ struct inode_security_struct *pisec, *cisec;
+
+ if (!parent || !child)
+ return;
+ pinode = parent->d_inode;
+ cinode = child->d_inode;
+ if (!pinode || !cinode)
+ return;
+ pisec = pinode->i_security;
+ cisec = cinode->i_security;
+ if (!pisec || !cisec)
+ return;
+ pisec->sid = cisec->sid;
+ }
+ EXPORT_SYMBOL_GPL(selinux_copy_sid);
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-07-09 16:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-09 16:23 RFC: BUG: overlayfs getxattr recursion leaves a poison sid Mark Salyzyn
2019-07-09 16:33 ` Casey Schaufler
2019-07-09 16:41 ` Mark Salyzyn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).