* [PATCH] security: selinux: allow per-file labeling for cgroupfs
@ 2017-02-09 15:58 Antonio Murdaca
  2017-03-10 20:01 ` Paul Moore
From: Antonio Murdaca @ 2017-02-09 15:58 UTC (permalink / raw)
  To: selinux; +Cc: gary.tierney, linux-kernel, dwalsh, pmoore, vgoyal, cgroups

This patch allows genfscon per-file labeling for cgroupfs. For instance,
this allows to label the "release_agent" file within each
cgroup mount and limit writes to it.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
---
 security/selinux/hooks.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9a8f12f..5a3138e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 
 	if (!strcmp(sb->s_type->name, "debugfs") ||
 	    !strcmp(sb->s_type->name, "sysfs") ||
+	    !strcmp(sb->s_type->name, "cgroup") ||
+	    !strcmp(sb->s_type->name, "cgroup2") ||
 	    !strcmp(sb->s_type->name, "pstore"))
 		sbsec->flags |= SE_SBGENFS;
 
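Review bot: the commit message should state the effect this hunk has on an existing policy, since adding `cgroup` and `cgroup2` to this chain makes `selinux_set_mnt_opts()` set `SE_SBGENFS` on every cgroup superblock. As the thread later notes, labels do not change unless a policy carries finer `genfscon` entries for cgroup nodes, and that belongs in the message rather than only in review replies; it should also name both type strings (the message says only "cgroupfs", the hunk matches `cgroup` and `cgroup2`). Since the `cgroupseclabel` policy capability referenced in the thread is in the same cycle, either say in the message why this hunk is not wrapped in it or wrap it, so the decision is recorded with the change.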
-- 
2.9.3

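A policy fragment added here to illustrate what the per-file labeling described in the commit message looks like once cgroup superblocks carry `SE_SBGENFS`. It is a constructed example, not part of the patch, the thread, or any shipped policy; the type names `cgroup_t`, `cgroup_release_agent_t` and `cgroup_manager_t` are assumptions chosen for illustration, and the fragment assumes the usual class and SID declarations of a complete kernel policy around it.

```te
# Constructed example (not from the patch or any shipped policy): label the
# release_agent node of each cgroup mount distinctly so that writes to it
# can be confined.  Type names below are assumed for illustration.

# One type for the cgroup tree as a whole, one for the release_agent node.
type cgroup_t;
type cgroup_release_agent_t;

# genfscon entries are matched by longest path prefix, with the path taken
# relative to the mount root.  Because SE_SBGENFS is now set for "cgroup"
# and "cgroup2" superblocks, the kernel consults these entries per inode:
# everything under a cgroup or cgroup2 mount gets cgroup_t, except a node
# whose path within that mount starts with /release_agent.
genfscon cgroup  /               system_u:object_r:cgroup_t:s0
genfscon cgroup  /release_agent  system_u:object_r:cgroup_release_agent_t:s0
genfscon cgroup2 /               system_u:object_r:cgroup_t:s0

# Only a designated management domain may write the release_agent node.
# Any other domain that tries to write it is denied and the denial is
# logged as an AVC message, which is the point at which such writes become
# visible to monitoring.
type cgroup_manager_t;
allow cgroup_manager_t cgroup_t:dir { search read getattr open };
allow cgroup_manager_t cgroup_release_agent_t:file { read write open getattr };
```

With a policy of this shape loaded on a kernel carrying the patch, `ls -Z` on the `release_agent` file of a mounted v1 hierarchy shows `cgroup_release_agent_t`, while the surrounding nodes keep `cgroup_t`; on a kernel without the patch the whole mount keeps the single root label and the second `genfscon cgroup` entry has no effect, which is the "no difference in behavior with existing policy" property discussed later in the thread.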

* Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
  2017-02-09 15:58 [PATCH] security: selinux: allow per-file labeling for cgroupfs Antonio Murdaca
@ 2017-03-10 20:01 ` Paul Moore
  2017-03-10 20:17   ` Stephen Smalley
From: Paul Moore @ 2017-03-10 20:01 UTC (permalink / raw)
  To: Antonio Murdaca; +Cc: selinux, linux-kernel, cgroups, vgoyal

On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com> wrote:
> This patch allows genfscon per-file labeling for cgroupfs. For instance,
> this allows to label the "release_agent" file within each
> cgroup mount and limit writes to it.
>
> Signed-off-by: Antonio Murdaca <runcom@redhat.com>
> ---
>  security/selinux/hooks.c | 2 ++
>  1 file changed, 2 insertions(+)

Now that the merge window is behind us, let's get this merged, but
could you update it to use the selinux_policycap_cgroupseclabel policy
capability?  See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
support with its own policy capability") for more information.

Also, how goes the testing?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 9a8f12f..5a3138e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>
>         if (!strcmp(sb->s_type->name, "debugfs") ||
>             !strcmp(sb->s_type->name, "sysfs") ||
> +           !strcmp(sb->s_type->name, "cgroup") ||
> +           !strcmp(sb->s_type->name, "cgroup2") ||
>             !strcmp(sb->s_type->name, "pstore"))
>                 sbsec->flags |= SE_SBGENFS;
>
> --
> 2.9.3
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
  2017-03-10 20:01 ` Paul Moore
@ 2017-03-10 20:17   ` Stephen Smalley
  2017-03-10 20:21     ` Paul Moore
From: Stephen Smalley @ 2017-03-10 20:17 UTC (permalink / raw)
  To: Paul Moore, Antonio Murdaca; +Cc: cgroups, linux-kernel, selinux, vgoyal

On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote:
> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com
> > wrote:
> > 
> > This patch allows genfscon per-file labeling for cgroupfs. For
> > instance,
> > this allows to label the "release_agent" file within each
> > cgroup mount and limit writes to it.
> > 
> > Signed-off-by: Antonio Murdaca <runcom@redhat.com>
> > ---
> >  security/selinux/hooks.c | 2 ++
> >  1 file changed, 2 insertions(+)
> 
> Now that the merge window is behind us, let's get this merged, but
> could you update it to use the selinux_policycap_cgroupseclabel
> policy
> capability?  See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
> support with its own policy capability") for more information.

I don't think that is necessary.  This change unlike the other one
should not yield any difference in behavior with existing policy; it
just allows one to specify fine-grained labeling for cgroup nodes in
future policy.  It doesn't affect any userspace interface.


> Also, how goes the testing?
> 
> > 
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 9a8f12f..5a3138e 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct
> > super_block *sb,
> > 
> >         if (!strcmp(sb->s_type->name, "debugfs") ||
> >             !strcmp(sb->s_type->name, "sysfs") ||
> > +           !strcmp(sb->s_type->name, "cgroup") ||
> > +           !strcmp(sb->s_type->name, "cgroup2") ||
> >             !strcmp(sb->s_type->name, "pstore"))
> >                 sbsec->flags |= SE_SBGENFS;
> > 
> > --
> > 2.9.3
> > 
> 


* Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
  2017-03-10 20:17   ` Stephen Smalley
@ 2017-03-10 20:21     ` Paul Moore
  2017-08-22 19:47       ` Paul Moore
From: Paul Moore @ 2017-03-10 20:21 UTC (permalink / raw)
  To: Stephen Smalley, Antonio Murdaca; +Cc: cgroups, linux-kernel, selinux, vgoyal

On Fri, Mar 10, 2017 at 3:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote:
>> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com
>> > wrote:
>> >
>> > This patch allows genfscon per-file labeling for cgroupfs. For
>> > instance,
>> > this allows to label the "release_agent" file within each
>> > cgroup mount and limit writes to it.
>> >
>> > Signed-off-by: Antonio Murdaca <runcom@redhat.com>
>> > ---
>> >  security/selinux/hooks.c | 2 ++
>> >  1 file changed, 2 insertions(+)
>>
>> Now that the merge window is behind us, let's get this merged, but
>> could you update it to use the selinux_policycap_cgroupseclabel
>> policy
>> capability?  See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
>> support with its own policy capability") for more information.
>
> I don't think that is necessary.  This change unlike the other one
> should not yield any difference in behavior with existing policy; it
> just allows one to specify fine-grained labeling for cgroup nodes in
> future policy.  It doesn't affect any userspace interface.

Yes, I thought about that, and if the policy capability was already
present in a released kernel then I wouldn't worry about it much, but
since the policy capability still only lives in the v4.11-rcX kernels
I'd prefer to see this code wrapped with the policy capability ...
even if all it really does is give me that warm fuzzy feeling.

>> Also, how goes the testing?
>>
>> >
>> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> > index 9a8f12f..5a3138e 100644
>> > --- a/security/selinux/hooks.c
>> > +++ b/security/selinux/hooks.c
>> > @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct
>> > super_block *sb,
>> >
>> >         if (!strcmp(sb->s_type->name, "debugfs") ||
>> >             !strcmp(sb->s_type->name, "sysfs") ||
>> > +           !strcmp(sb->s_type->name, "cgroup") ||
>> > +           !strcmp(sb->s_type->name, "cgroup2") ||
>> >             !strcmp(sb->s_type->name, "pstore"))
>> >                 sbsec->flags |= SE_SBGENFS;
>> >
>> > --
>> > 2.9.3
>> >
>>
-- 
paul moore
www.paul-moore.com


* Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
  2017-03-10 20:21     ` Paul Moore
@ 2017-08-22 19:47       ` Paul Moore
From: Paul Moore @ 2017-08-22 19:47 UTC (permalink / raw)
  To: Stephen Smalley, Antonio Murdaca; +Cc: cgroups, linux-kernel, selinux, vgoyal

On Fri, Mar 10, 2017 at 3:21 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Mar 10, 2017 at 3:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote:
>>> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com
>>> > wrote:
>>> >
>>> > This patch allows genfscon per-file labeling for cgroupfs. For
>>> > instance,
>>> > this allows to label the "release_agent" file within each
>>> > cgroup mount and limit writes to it.
>>> >
>>> > Signed-off-by: Antonio Murdaca <runcom@redhat.com>
>>> > ---
>>> >  security/selinux/hooks.c | 2 ++
>>> >  1 file changed, 2 insertions(+)
>>>
>>> Now that the merge window is behind us, let's get this merged, but
>>> could you update it to use the selinux_policycap_cgroupseclabel
>>> policy
>>> capability?  See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
>>> support with its own policy capability") for more information.
>>
>> I don't think that is necessary.  This change unlike the other one
>> should not yield any difference in behavior with existing policy; it
>> just allows one to specify fine-grained labeling for cgroup nodes in
>> future policy.  It doesn't affect any userspace interface.
>
> Yes, I thought about that, and if the policy capability was already
> present in a released kernel then I wouldn't worry about it much, but
> since the policy capability still only lives in the v4.11-rcX kernels
> I'd prefer to see this code wrapped with the policy capability ...
> even if all it really does is give me that warm fuzzy feeling.

FWIW, I just decided I didn't care that much about the policy
capability restriction for this patch and went ahead and merged it
into selinux/next.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
  2017-02-09 23:04         ` Paul Moore
@ 2017-02-10 23:05           ` Daniel J Walsh
From: Daniel J Walsh @ 2017-02-10 23:05 UTC (permalink / raw)
  To: Paul Moore, Antonio Murdaca
  Cc: linux-kernel, cgroups, Antonio Murdaca, selinux, Vivek Goyal

On 02/09/2017 06:04 PM, Paul Moore wrote:
> On Thu, Feb 9, 2017 at 5:32 PM, Antonio Murdaca <amurdaca@redhat.com> wrote:
>>
>> On Feb 9, 2017 20:23, "Paul Moore" <paul@paul-moore.com> wrote:
>>
>> On Thu, Feb 9, 2017 at 12:39 PM, Antonio Murdaca <amurdaca@redhat.com>
>> wrote:
>>> On Feb 9, 2017 17:14, "Paul Moore" <paul@paul-moore.com> wrote:
>>> On Thu, Feb 9, 2017 at 11:02 AM, Antonio Murdaca <amurdaca@redhat.com>
>>> wrote:
>>>> From: Antonio Murdaca <runcom@redhat.com>
>>>>
>>>> This patch allows genfscon per-file labeling for cgroupfs. For instance,
>>>> this allows to label the "release_agent" file within each
>>>> cgroup mount and limit writes to it.
>>>>
>>>> Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
>>>> ---
>>>>  security/selinux/hooks.c | 2 ++
>>>>  1 file changed, 2 insertions(+)
>>> This was already merged ... ?
>>>
>>>
>>> This is adding cgroup and cgroup2 to the other whitelist (afaict).
>> Yes, my apologies, I read this patch too quickly and confused it with
>> the previous cgroups patch.
>>
>> Just to set expectations, this patch is too late for the upcoming
>> merge window, we can consider it in a few weeks once the merge window
>> has closed.  This should give you some time to do some further testing
>> (hint, hint).
>>
>>
>> Sure, I'm going to test this and add tests in selinux-testsuite as well
> Great, thank you.
>
No problem on waiting for this patch.  Stephen asked for this, but this is
not something we are currently planning on using with containers.


* Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
       [not found]       ` <CALKLTGTjpBYd5-M9RiO-Q4H_SokEiPJYptbxktg_aPccws59Jw@mail.gmail.com>
@ 2017-02-09 23:04         ` Paul Moore
  2017-02-10 23:05           ` Daniel J Walsh
From: Paul Moore @ 2017-02-09 23:04 UTC (permalink / raw)
  To: Antonio Murdaca
  Cc: selinux, Antonio Murdaca, Vivek Goyal, linux-kernel, cgroups

On Thu, Feb 9, 2017 at 5:32 PM, Antonio Murdaca <amurdaca@redhat.com> wrote:
>
>
> On Feb 9, 2017 20:23, "Paul Moore" <paul@paul-moore.com> wrote:
>
> On Thu, Feb 9, 2017 at 12:39 PM, Antonio Murdaca <amurdaca@redhat.com>
> wrote:
>> On Feb 9, 2017 17:14, "Paul Moore" <paul@paul-moore.com> wrote:
>> On Thu, Feb 9, 2017 at 11:02 AM, Antonio Murdaca <amurdaca@redhat.com>
>> wrote:
>>> From: Antonio Murdaca <runcom@redhat.com>
>>>
>>> This patch allows genfscon per-file labeling for cgroupfs. For instance,
>>> this allows to label the "release_agent" file within each
>>> cgroup mount and limit writes to it.
>>>
>>> Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
>>> ---
>>>  security/selinux/hooks.c | 2 ++
>>>  1 file changed, 2 insertions(+)
>>
>> This was already merged ... ?
>>
>>
>> This is adding cgroup and cgroup2 to the other whitelist (afaict).
>
> Yes, my apologies, I read this patch too quickly and confused it with
> the previous cgroups patch.
>
> Just to set expectations, this patch is too late for the upcoming
> merge window, we can consider it in a few weeks once the merge window
> has closed.  This should give you some time to do some further testing
> (hint, hint).
>
>
> Sure, I'm going to test this and add tests in selinux-testsuite as well

Great, thank you.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
       [not found]   ` <CALKLTGTc7U7ohxd44MHOuzVomW-oUsumqUqr0MKaUohw1NpSsg@mail.gmail.com>
@ 2017-02-09 19:23     ` Paul Moore
       [not found]       ` <CALKLTGTjpBYd5-M9RiO-Q4H_SokEiPJYptbxktg_aPccws59Jw@mail.gmail.com>
From: Paul Moore @ 2017-02-09 19:23 UTC (permalink / raw)
  To: Antonio Murdaca
  Cc: Vivek Goyal, Antonio Murdaca, selinux, linux-kernel, cgroups

On Thu, Feb 9, 2017 at 12:39 PM, Antonio Murdaca <amurdaca@redhat.com> wrote:
> On Feb 9, 2017 17:14, "Paul Moore" <paul@paul-moore.com> wrote:
> On Thu, Feb 9, 2017 at 11:02 AM, Antonio Murdaca <amurdaca@redhat.com>
> wrote:
>> From: Antonio Murdaca <runcom@redhat.com>
>>
>> This patch allows genfscon per-file labeling for cgroupfs. For instance,
>> this allows to label the "release_agent" file within each
>> cgroup mount and limit writes to it.
>>
>> Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
>> ---
>>  security/selinux/hooks.c | 2 ++
>>  1 file changed, 2 insertions(+)
>
> This was already merged ... ?
>
>
> This is adding cgroup and cgroup2 to the other whitelist (afaict).

Yes, my apologies, I read this patch too quickly and confused it with
the previous cgroups patch.

Just to set expectations, this patch is too late for the upcoming
merge window, we can consider it in a few weeks once the merge window
has closed.  This should give you some time to do some further testing
(hint, hint).

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
  2017-02-09 16:02 Antonio Murdaca
@ 2017-02-09 16:14 ` Paul Moore
       [not found]   ` <CALKLTGTc7U7ohxd44MHOuzVomW-oUsumqUqr0MKaUohw1NpSsg@mail.gmail.com>
From: Paul Moore @ 2017-02-09 16:14 UTC (permalink / raw)
  To: Antonio Murdaca; +Cc: selinux, Antonio Murdaca, linux-kernel, cgroups, vgoyal

On Thu, Feb 9, 2017 at 11:02 AM, Antonio Murdaca <amurdaca@redhat.com> wrote:
> From: Antonio Murdaca <runcom@redhat.com>
>
> This patch allows genfscon per-file labeling for cgroupfs. For instance,
> this allows to label the "release_agent" file within each
> cgroup mount and limit writes to it.
>
> Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
> ---
>  security/selinux/hooks.c | 2 ++
>  1 file changed, 2 insertions(+)

This was already merged ... ?

* https://marc.info/?l=selinux&m=148652458620202&w=2

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 9a8f12f..5a3138e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>
>         if (!strcmp(sb->s_type->name, "debugfs") ||
>             !strcmp(sb->s_type->name, "sysfs") ||
> +           !strcmp(sb->s_type->name, "cgroup") ||
> +           !strcmp(sb->s_type->name, "cgroup2") ||
>             !strcmp(sb->s_type->name, "pstore"))
>                 sbsec->flags |= SE_SBGENFS;
>
> --
> 2.9.3

-- 
paul moore
www.paul-moore.com


* [PATCH] security: selinux: allow per-file labeling for cgroupfs
@ 2017-02-09 16:02 Antonio Murdaca
  2017-02-09 16:14 ` Paul Moore
From: Antonio Murdaca @ 2017-02-09 16:02 UTC (permalink / raw)
  To: selinux
  Cc: gary.tierney, linux-kernel, dwalsh, pmoore, vgoyal, cgroups,
	Antonio Murdaca

From: Antonio Murdaca <runcom@redhat.com>

This patch allows genfscon per-file labeling for cgroupfs. For instance,
this allows to label the "release_agent" file within each
cgroup mount and limit writes to it.

Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
---
 security/selinux/hooks.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9a8f12f..5a3138e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 
 	if (!strcmp(sb->s_type->name, "debugfs") ||
 	    !strcmp(sb->s_type->name, "sysfs") ||
+	    !strcmp(sb->s_type->name, "cgroup") ||
+	    !strcmp(sb->s_type->name, "cgroup2") ||
 	    !strcmp(sb->s_type->name, "pstore"))
 		sbsec->flags |= SE_SBGENFS;
 
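Review bot: the author identity on this posting is inconsistent: the `From:` line in the body gives `runcom@redhat.com` while the `Signed-off-by:` gives `amurdaca@redhat.com`, and the earlier posting of the same patch signs off with `runcom@redhat.com`; use one address for both so the sign-off matches the recorded author. On the hunk itself, the `if` condition is now five chained `strcmp()` calls on `sb->s_type->name`; a static array of filesystem names walked in a loop would keep the condition readable and make later additions a one-line change.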
-- 
2.9.3
