From: Casey Schaufler <casey@schaufler-ca.com>
To: David Howells <dhowells@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
raven@themaw.net, Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
linux-block@vger.kernel.org, keyrings@vger.kernel.org,
LSM List <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
casey@schaufler-ca.com
Subject: Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2]
Date: Wed, 5 Jun 2019 07:50:57 -0700 [thread overview]
Message-ID: <e4c19d1b-9827-5949-ecb8-6c3cb4648f58@schaufler-ca.com> (raw)
In-Reply-To: <20192.1559724094@warthog.procyon.org.uk>
[-- Attachment #1.1: Type: text/plain, Size: 4255 bytes --]
On 6/5/2019 1:41 AM, David Howells wrote:
> Casey Schaufler <casey@schaufler-ca.com> wrote:
>
>> I will try to explain the problem once again. If process A
>> sends a signal (writes information) to process B the kernel
>> checks that either process A has the same UID as process B
>> or that process A has privilege to override that policy.
>> Process B is passive in this access control decision, while
>> process A is active. In the event delivery case, process A
>> does something (e.g. modifies a keyring) that generates an
>> event, which is then sent to process B's event buffer.
> I think this might be the core sticking point here. It looks like two
> different situations:
>
> (1) A explicitly sends event to B (eg. signalling, sendmsg, etc.)
>
> (2) A implicitly and unknowingly sends event to B as a side effect of some
> other action (eg. B has a watch for the event A did).
>
> The LSM treats them as the same: that is B must have MAC authorisation to send
> a message to A.
YES!
Threat is about what you can do, not what you intend to do.
And it would be really great if you put some thought into what
a rational model would be for UID based controls, too.
> But there are problems with not sending the event:
>
> (1) B's internal state is then corrupt (or, at least, unknowingly invalid).
Then B is a badly written program.
> (2) B can potentially figure out that the event happened by other means.
Then why does it need the event mechanism in the first place?
> I've implemented four event sources so far:
>
> (1) Keys/keyrings. You can only get events on a key you have View permission
> on and the other process has to have write access to it, so I think this
> is good enough.
Sounds fine.
> (2) Block layer. Currently this will only get you hardware error events,
> which is probably safe. I'm not sure you can manipulate those without
> permission to directly access the device files.
There's an argument to be made that this should require CAP_SYS_ADMIN,
or that an LSM like SELinux might include hardware error events in
policy, but generally I agree that system generated events like this
are both harmless and pointless for the general public to watch.
> (3) Superblock. This is trickier since it can see events that can be
> manufactured (R/W <-> R/O remounting, EDQUOT) as well as events that
> can't without hardware control (EIO, network link loss, RF kill).
The events generated by processes (the 1st set) need controls
like keys. The events generated by the system (the 2nd set) may
need controls like the block layer.
> (4) Mount topology. This is the trickiest since it allows you to see events
> beyond the point at which you placed your watch (in essence, you place a
> subtree watch).
Like keys.
> The question is what permission checking should I do? Ideally, I'd
> emulate a pathwalk between the watchpoint and the eventing object to see
> if the owner of the watchpoint could reach it.
That will depend, as I've been saying, on what causes
the event to be generated. If it's from a process, the
question is "can the active process, the one that generated
the event, write to the passive, watching process?"
If it's the system on a hardware event, you may want the watcher
to have CAP_SYS_ADMIN.
> I'd need to do a reverse walk, calling inode_permission(MAY_NOT_BLOCK)
> for each directory between the eventing object and the watchpoint to see
> if one rejects it - but some filesystems have a permission check that
> can't be called in this state.
This is for setting the watch, right?
> It would also be necessary to do this separately for each watchpoint in
> the parental chain.
>
> Further, each permissions check would generate an audit event and could
> generate FAN_ACCESS and/or FAN_ACCESS_PERM fanotify events - which could
> be a problem if fanotify is also trying to post those events to the same
> watch queue.
If you required that the watching process open(dir) what
you want to watch you'd get this for free. Or did I miss
something obvious?
> David
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2019-06-05 14:51 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-04 16:34 [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2] David Howells
2019-06-04 16:35 ` [PATCH 1/8] security: Override creds in __fput() with last fputter's creds " David Howells
2019-06-04 18:15 ` Andy Lutomirski
2019-06-04 16:35 ` [PATCH 2/8] General notification queue with user mmap()'able ring buffer " David Howells
2019-06-04 16:35 ` [PATCH 3/8] keys: Add a notification facility " David Howells
2019-06-04 16:35 ` [PATCH 4/8] vfs: Add a mount-notification " David Howells
2019-06-04 16:35 ` [PATCH 5/8] vfs: Add superblock notifications " David Howells
2019-06-04 16:36 ` [PATCH 6/8] fsinfo: Export superblock notification counter " David Howells
2019-06-04 16:36 ` [PATCH 7/8] block: Add block layer notifications " David Howells
2019-06-04 16:36 ` [PATCH 8/8] Add sample notification program " David Howells
2019-06-04 17:43 ` [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications " Andy Lutomirski
2019-06-04 20:31 ` Casey Schaufler
2019-06-04 21:05 ` Andy Lutomirski
2019-06-04 22:03 ` Casey Schaufler
2019-06-05 8:41 ` David Howells
2019-06-05 14:50 ` Casey Schaufler [this message]
2019-06-05 16:04 ` Andy Lutomirski
2019-06-05 17:01 ` Casey Schaufler
2019-06-05 17:47 ` Andy Lutomirski
2019-06-05 18:12 ` Casey Schaufler
2019-06-05 18:25 ` Stephen Smalley
2019-06-05 19:28 ` Greg KH
2019-06-05 21:01 ` Stephen Smalley
2019-06-05 16:56 ` Rational model for UID based controls David Howells
2019-06-05 17:40 ` Casey Schaufler
2019-06-05 21:06 ` David Howells
2019-06-05 17:21 ` [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2] David Howells
2019-06-04 20:39 ` David Howells
2019-06-04 20:57 ` Andy Lutomirski
[not found] ` <CAB9W1A0AgMYOwGx9c-TmAt=1O6Bjsr2P3Nhd=2+QV39dgw0CrA@mail.gmail.com>
2019-06-05 4:19 ` Andy Lutomirski
2019-06-05 13:47 ` Stephen Smalley
2019-06-04 21:11 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e4c19d1b-9827-5949-ecb8-6c3cb4648f58@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=raven@themaw.net \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).