From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 410AEC4332F for ; Wed, 6 Oct 2021 02:27:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2586B61100 for ; Wed, 6 Oct 2021 02:27:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237225AbhJFC3n (ORCPT ); Tue, 5 Oct 2021 22:29:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42164 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237168AbhJFC3m (ORCPT ); Tue, 5 Oct 2021 22:29:42 -0400 Received: from mail-vs1-xe2c.google.com (mail-vs1-xe2c.google.com [IPv6:2607:f8b0:4864:20::e2c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E38F2C06174E for ; Tue, 5 Oct 2021 19:27:50 -0700 (PDT) Received: by mail-vs1-xe2c.google.com with SMTP id v4so1274266vsg.12 for ; Tue, 05 Oct 2021 19:27:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4OYSce36HFIDKSweIZsHOeEUQcMTMlRZW+u2FdUpafE=; b=gHppIZL0NNL41Ah+TizK4cJGOSQt6n8ckgXCCWKJaVG6WuNu6D39wA8hcCUdEJ2ZBF qP4uE8XmPBjyiFvPVso2jkrCUkzwGiwtyJdgYFh1W5jA3tUXXB194CJSf1C7SEgMRs4W P6IDsUGsVQQvAQ7Amh1603Oup30JJYY0v3AZShcjcLS2cXmQ+BJ6vQoFS+wc7BMdd6bh 3EMeA44QQpjNXBGt2u4IpozI3Xy6CHpvFOfLvcPRLEmIVi6pIMRUrkMqgtyU0i2mHuuj Q0k1kaP8hRW26c/ju0oSzrupcbkC9MJyflrfUTGXotsjd/k5vs3AS5biUUCmwpkqPkfE RsZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4OYSce36HFIDKSweIZsHOeEUQcMTMlRZW+u2FdUpafE=; b=y/9kCOPtKzJC06hKJ2wFy7gClqU2JptiJACQ31GeXghg8+++twbuffKa8PH5Rwl83p M2v/ay64h3bW7pC6Aoix0mLQ69j9e98q+ZC0W1qp4lGcmn1X5AK4XGlWX+nVPMd1EZsY NQgnxMfULUNViXTIt3Yefl8uhYFJD35KJziNLBXiPAFo5sd4oiM635NlKdvEX32Usfty NqOBKQo6fUI+UDwTtf49TZCHINu/6yeC9tTSSLQXMOxtYVLjvBLJQyCiuCqN4/po+kIm 1ejvzwi+8lYytsGyndPXuKAOXJWSFwp1mQ3yDCPfRd1Ov/A8EcbzjIbrLQAnoab6FM/V aYbA== X-Gm-Message-State: AOAM531y3Bn4CbX++hXzxMr7R1G9bAbwq1axpEnQZ/iaXwzvOigBZ7Km U9C2t7OXWByLz3BeQhH8MoQwI1zPH38Ah/hi2gUxRw== X-Google-Smtp-Source: ABdhPJyTH29CQo/Jwiml4RScXu5onK6nUS1xqUF5+/gSLGjq9q1MVF4srzfle3qW/NbIcsfW6Jj+di+yUzIVAAeTe7Y= X-Received: by 2002:a67:fd67:: with SMTP id h7mr382372vsa.52.1633487269836; Tue, 05 Oct 2021 19:27:49 -0700 (PDT) MIME-Version: 1.0 References: <20211001175521.3853257-1-tkjos@google.com> <6bd2de29-b46a-1d24-4c73-9e4e0f3f6eea@schaufler-ca.com> <7ec1090d-5bd7-bd05-4f38-07b1cc993721@schaufler-ca.com> In-Reply-To: <7ec1090d-5bd7-bd05-4f38-07b1cc993721@schaufler-ca.com> From: Jann Horn Date: Wed, 6 Oct 2021 04:27:22 +0200 Message-ID: Subject: Re: [PATCH v2] binder: use cred instead of task for selinux checks To: Casey Schaufler Cc: Stephen Smalley , Todd Kjos , Greg Kroah-Hartman , arve@android.com, tkjos@android.com, maco@android.com, christian@brauner.io, James Morris , "Serge E. Hallyn" , Paul Moore , Eric Paris , Kees Cook , Jeffrey Vander Stoep , Mimi Zohar , LSM List , SElinux list , devel@driverdev.osuosl.org, linux-kernel , "Joel Fernandes (Google)" , "Cc: Android Kernel" , stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 5, 2021 at 6:59 PM Casey Schaufler wrote: > On 10/5/2021 8:21 AM, Stephen Smalley wrote: > > On Mon, Oct 4, 2021 at 8:27 PM Jann Horn wrote: > >> On Tue, Oct 5, 2021 at 1:38 AM Casey Schaufler wrote: > >>> On 10/4/2021 3:28 PM, Jann Horn wrote: > >>>> You can't really attribute binder transactions to specific tasks that > >>>> are actually involved in the specific transaction, neither on the > >>>> sending side nor on the receiving side, because binder is built around > >>>> passing data through memory mappings. Memory mappings can be accessed > >>>> by multiple tasks, and even a task that does not currently have it > >>>> mapped could e.g. map it at a later time. And on top of that you have > >>>> the problem that the receiving task might also go through privileged > >>>> execve() transitions. > >>> OK. I'm curious now as to why the task_struct was being passed to the > >>> hook in the first place. > >> Probably because that's what most other LSM hooks looked like and the > >> authors/reviewers of the patch didn't realize that this model doesn't > >> really work for binder? FWIW, these hooks were added in commit > >> 79af73079d75 ("Add security hooks to binder and implement the hooks > >> for SELinux."). The commit message also just talks about "processes". > > Note that in the same code path (binder_transaction), sender_euid is > > set from proc->tsk and security_ctx is based on proc->tsk. If we are > > changing the hooks to operate on the opener cred, then presumably we > > should be doing that for sender_euid and replace the > > security_task_getsecid_obj() call with security_cred_getsecid()? > > > > NB Mandatory Access Control doesn't allow uncontrolled delegation, > > hence typically checks against the subject credential either at > > delegation/transfer or use or both. That's true in other places too, > > e.g. file_permission, socket_sendmsg. > > Terrific. Now I'm even less convinced that either the proposed change > or the existing code make sense. It's also disturbing that the change > log claims that the reason for the change is fix a race condition when > in fact it changes the data being sent to the hook completely. The race it's referring to is the one between security_binder_transaction() (which checks for permission to send a transaction and checks for delegation) and security_task_getsecid_obj() (which tells the recipient what the sender's security context is). (It's a good thing Paul noticed that the v1 patch didn't actually change the security_task_getsecid_obj() call... somehow I missed that.)