From: Daniel Burgener <dburgener@linux.microsoft.com>
To: stable@vger.kernel.org
Cc: stephen.smalley.work@gmail.com, paul@paul-moore.com,
	selinux@vger.kernel.org, jmorris@namei.org, sashal@kernel.org
Subject: [PATCH v5.4 0/3] Update SELinuxfs out of tree and then swapover
Date: Thu, 15 Oct 2020 15:29:53 -0400	[thread overview]
Message-ID: <20201015192956.1797021-1-dburgener@linux.microsoft.com> (raw)

This is a backport for stable of my series to fix a race condition in
selinuxfs during policy load:

selinux: Create function for selinuxfs directory cleanup
https://lore.kernel.org/selinux/20200819195935.1720168-2-dburgener@linux.microsoft.com/

selinux: Refactor selinuxfs directory populating functions
https://lore.kernel.org/selinux/20200819195935.1720168-3-dburgener@linux.microsoft.com/

selinux: Standardize string literal usage for selinuxfs directory names
https://lore.kernel.org/selinux/20200819195935.1720168-4-dburgener@linux.microsoft.com/

selinux: Create new booleans and class dirs out of tree
https://lore.kernel.org/selinux/20200819195935.1720168-5-dburgener@linux.microsoft.com/

Several changes were necessary to backport.  They are detailed in the
commit message for the third commit in the series.  I also dropped the
original third commit from this because it was only a style change.

The bulk of the original cover letter is reproduced below.

In the current implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them.  This means
that there is a period of time when the contents of these directories do
not exist which can cause race conditions as userspace relies on them for
information about the policy.  In addition, it means that error recovery
in the event of failure is challenging.

This patch series follows the design outlined by Al Viro in a previous
e-mail to the list[1].  This approach is to first create the new
directory structures out of tree, then to perform the swapover, and
finally to delete the old directories.  Not handled in this series is
error recovery in the event of failure.

Error recovery in the selinuxfs recreation is unhandled in the current
code, so this series will not cause any regression in this regard.
Handling directory recreation in this manner is a prerequisite to make
proper error handling possible.

In order to demonstrate the race condition that this series fixes, you
can use the following commands:

while true; do cat /sys/fs/selinux/class/service/perms/status >/dev/null; done &
while true; do load_policy; done;

In the existing code, this will display errors fairly often as the class
lookup fails.  (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.

Daniel Burgener (3):
  selinux: Create function for selinuxfs directory cleanup
  selinux: Refactor selinuxfs directory populating functions
  selinux: Create new booleans and class dirs out of tree

 security/selinux/selinuxfs.c | 160 +++++++++++++++++++++++++++--------
 1 file changed, 123 insertions(+), 37 deletions(-)

-- 
2.25.4
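
The window that the delete-then-recreate code opens, and why the out-of-tree build followed by a swapover closes it, modelled as an added Python example (this is not code from the patch series or the kernel); the directory names, entry values and step boundaries are constructed for the illustration.

```python
"""Model of the selinuxfs policy-load race described in the cover letter.

Constructed example: a reloader republishes the class directory while a
reader may look it up between any two reloader steps.  Deleting the old
entries and then recreating them in place exposes a state with no entries;
building the new directory out of tree and swapping it in never does.
"""
import copy
from typing import Callable, Dict, List, Optional

Tree = Dict[str, Dict[str, str]]  # directory name -> {entry: value}


def lookup(tree: Tree, dirname: str, entry: str) -> Optional[str]:
    """Reader side, like reading /sys/fs/selinux/class/<entry>/...; None means ENOENT."""
    return tree.get(dirname, {}).get(entry)


def reload_delete_then_recreate(tree: Tree, new: Dict[str, str]) -> List[Tree]:
    """Pre-patch behaviour: empty the published directory, then repopulate it in place.
    Returns a snapshot of the published tree after each reloader step."""
    states: List[Tree] = []
    tree["class"] = {}                 # step 1: old entries gone, replacements not yet created
    states.append(copy.deepcopy(tree))
    tree["class"].update(new)          # step 2: recreate entries from the new policy
    states.append(copy.deepcopy(tree))
    return states


def reload_build_then_swap(tree: Tree, new: Dict[str, str]) -> List[Tree]:
    """Patched behaviour: build out of tree, swap the directory in, then delete the old one."""
    states: List[Tree] = []
    staging = dict(new)                # step 1: out-of-tree build; published tree untouched
    states.append(copy.deepcopy(tree))
    old, tree["class"] = tree["class"], staging  # step 2: swapover, a single pointer move
    states.append(copy.deepcopy(tree))
    old.clear()                        # step 3: delete the old directory, now unreachable
    states.append(copy.deepcopy(tree))
    return states


def observed_enoent(reload: Callable[[Tree, Dict[str, str]], List[Tree]],
                    entry: str = "service") -> int:
    """Count reloader states in which a concurrent reader's lookup of `entry` fails."""
    tree: Tree = {"class": {"service": "v1", "file": "v1"}}          # constructed old policy
    new = {"service": "v2", "file": "v2", "process": "v2"}          # constructed new policy
    return sum(1 for s in reload(tree, new) if lookup(s, "class", entry) is None)
```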

