Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755370AbdFWU1L (ORCPT ); Fri, 23 Jun 2017 16:27:11 -0400 Received: from smtp.nsa.gov ([8.44.101.8]:60273 "EHLO emsm-gh1-uea10.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754892AbdFWU1G (ORCPT ); Fri, 23 Jun 2017 16:27:06 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AWFWyfxO5+VGtyJQesH8l6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0K/v9rsbcNUDSrc9gkEXOFd2CrakV1KyH7+u5BTxIyK3CmUhKSIZLWR4BhJ?= =?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+?= =?us-ascii?q?KPjrFY7OlcS30P2594HObwlSijewZbF/IA+yoAjeucUanIRvJ6UswRbVv3VEfP?= =?us-ascii?q?hby3l1LlyJhRb84cmw/J9n8ytOvv8q6tBNX6bncakmVLJUFDspPXw7683trhnD?= =?us-ascii?q?UBCA5mAAXWUMkxpHGBbK4RfnVZrsqCT6t+592C6HPc3qSL0/RDqv47t3RBLulS?= =?us-ascii?q?wKLCAy/n3JhcNsjaJbuBOhqAJ5w47Ie4GeKf5ycrrAcd8GWWZNW8BcWCJbAoO4?= =?us-ascii?q?coABEewPM+hFpIX5vlcCsweyCQyqCejyyDFHm2X20LU53eo8EQ/IwgIuENAAsH?= =?us-ascii?q?TTsNr7M6gdX++uwanUzjjOde9a1C3h5IXKdB0qvPGCXah3ccrU0UQhCh/FgUuI?= =?us-ascii?q?qYzlITyV0PkGvXWe7+V6UeKvj3AoqgFsqTWo3ccjl5LJi5kJylHE6Sp5wIE1Kc?= =?us-ascii?q?e+SE5ge9GoCpRQtyaEN4ZvRM4pXmJmuD4ix7EbtpO2czIGxZQ6yxLFdfCKfJaE?= =?us-ascii?q?7gj+WOuXPDx2nmhqeKiliBa36UWgz+r8WdSq31tStSpFl8XMtmgK1xzO9siLUv?= =?us-ascii?q?t98Vml2TaIzw3T9vtLIVo1larGMJ4t2KIwl5oPvkTDGS/6gkP2g7ONdko44OSo?= =?us-ascii?q?7uXnYrH+qp+dMY97lB3+P7wzlsGwDuk0KAgDU3WB9eii27Dv41f1TKhSgv0ziK?= =?us-ascii?q?bZsZTaJcoBpq6+Bg9Yyp0j5AukDzq9zNQZnWUILFJCeB6diYjpIEvBLOr3Dfe4?= =?us-ascii?q?nVSgiC1ryOzePr39HpXNKWDOkK/7crZg705R0xIzwspC55JQE70BJfXzWkjrtN?= =?us-ascii?q?PGFBM2Lwu0w+P/AtVnyoweQX6PArOeMK7KtV+I5+QvI/SDZYMMozbyNeQq5+P0?= =?us-ascii?q?jX84hV8cfbCl3Z4QaH+lA/RmJ1uWbGHygtcOD2gKpBAyTO/0h12YVz5ceXKyU7?= =?us-ascii?q?g75jEhB4KsFZ3DSZy1gLydwCe7GYVbaXpDClCNC3fldYuJW/YIaC+JLc9hlyYL?= =?us-ascii?q?VbmlS4M7yR6uswr6waJ9LuXI4i0YqY7j1N9t6u3NmhEy8jx1AN6Z02yWVWF7gH?= =?us-ascii?q?4HRz8s06Bju0By1lCD0a1gifxCCdNT/+9JUhs9NZPE0+N6C8ryWgPafteVSVap?= =?us-ascii?q?WNOmDSsqQdIr2dAOfkB9FMu4jh3Y2iqlGb4Vl7iQC5wz/aPQxX/xJ9xyy3zezq?= =?us-ascii?q?kuk0EmQtdTNW2hnqNx8xLcB4vXnEWCjaqnaKMc3DLR9GeEyGqOuF9XUQ5rXKXF?= =?us-ascii?q?R38fYFDWosr/5kPaVbCuE6gnMg1fxs6YMatKatzpjU1cSPj/P9TeZnq7m32sCh?= =?us-ascii?q?aQ2rOMcI3qdn0B3CTdFEcEkwcT8G2bOgg5GiihoHzRDCZ0GV3zZEPs9PF0qGmn?= =?us-ascii?q?QU8s0wGKc0ph2qKu+hELn/ycRO0c06kEuCg7rzV0GFa839TMB9WcoApheb1WYc?= =?us-ascii?q?kh71dfyWLZqwt9M4ShLqBlhl4RaR53sljq1xV2DIVAjMcroGk0zAp0N62YzElN?= =?us-ascii?q?dzKD0pD1ILHYNm7y/BW3Ya7Mxl7eyMqW+rsI6Pkgr1XjvQepFlct8nl+0NlazW?= =?us-ascii?q?Gc5pPUAwoWSp/xTEk3+AZgp73AYSky+ZnU1XtyPqmwqDPC3MgpBOQ9wBa6Y9hf?= =?us-ascii?q?KL+EFBP1E8ACCMmuKfYlm1+tbhIDOuBS+7Q4PsO4ePad2a6rOvpgkyyijWhd/I?= =?us-ascii?q?991UeM/TJmSuHUx5YF3+2Y3gyfWjf4j1ehqtv6lZxZaT0IGWq/0yfkDpZLZqJu?= =?us-ascii?q?ZYYLFXuuI8qvy9pigJ7tXWJY+0SiB1MAxsCpYwGSYkf53Q1RzkQXvWenlTG8zz?= =?us-ascii?q?x1lTEps6We0DXAw+TlaRoHPHNES3N+jVftJoi0icoWXE+ybwgmjBGl/1r1x7BH?= =?us-ascii?q?pKRjKGneWVlHcDP3L258T6S/qKCCY8tU5ZIntCVXUf+8YUubSr76pRsWyT/sH2?= =?us-ascii?q?xbxDojbTGlpo35nwBmiGKaNHtzt2bZdt9+xRjF4tzTXuVc3j4HRCl+lDnWCUKw?= =?us-ascii?q?P8ev/dqKi5fPqOG+WHmkVpFJbSbryoaA52OH4jhRHRCxlvb7sND9HgUgmXvgy9?= =?us-ascii?q?RkXCPChBL9ZJT7kbq8PP4hf0NtQlT77pw+Uox0k4Y8iYsV8Wgfh46O/H0B12z0?= =?us-ascii?q?NJET0qX4cHMMQzMR2PbR4RP5wwtnL3SU18f3UWibzsJ9Zt68JGQM1XET9cdPXZ?= =?us-ascii?q?yI4aREkC09mV+xqQbccLAphTsG4ec/434dxecSsUwiyTvLUeNaJlVRISG5z0fA?= =?us-ascii?q?1Nu5tqgCIT/1KbU=3D?= X-IPAS-Result: =?us-ascii?q?A2H7AQB8eE1Z/wHyM5BeGQEBAQEBAQEBAQEBBwEBAQEBFAE?= =?us-ascii?q?BAQEBAQEBAQEBBwEBAQEBgwIrgW+DbJpGAQEBAQEBBoEoc5cWhiQCgwhXAQEBA?= =?us-ascii?q?QEBAQECAQJoKIIzJAGCQQEFIw8BRhALDQsCAiYCAlcGARKIC4IUDa4sgiYkAos?= =?us-ascii?q?2AQEBAQEFAQEBAQEBIoELghyDBYIognA0h32CYQWQQY4ik2OCCYkqhlyJJYdKK?= =?us-ascii?q?YN+WIEKJwkCHwghD4VWHIICJDYBihQBAQE?= Message-ID: <1498249800.2063.9.camel@tycho.nsa.gov> Subject: Re: [PATCH 3/3] Enable security.selinux in user namespaces From: Stephen Smalley To: Stefan Berger , ebiederm@xmission.com, containers@lists.linux-foundation.org Cc: lkp@01.org, xiaolong.ye@intel.com, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, serge@hallyn.com, tycho@docker.com, James.Bottomley@HansenPartnership.com, christian.brauner@mailbox.org, vgoyal@redhat.com, amir73il@gmail.com, linux-security-module@vger.kernel.org, Paul Moore , selinux@tycho.nsa.gov Date: Fri, 23 Jun 2017 16:30:00 -0400 In-Reply-To: <1498157989-11814-4-git-send-email-stefanb@linux.vnet.ibm.com> References: <1498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com> <1498157989-11814-4-git-send-email-stefanb@linux.vnet.ibm.com> Organization: National Security Agency Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 (3.22.6-2.fc25) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2189 Lines: 49 On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote: > Before the current modifications, SELinux extended attributes were > visible inside the user namespace but changes in patch 1 hid them. > This patch enables security.selinux in user namespaces and allows > them to be written to in the same way as security.capability. > > Signed-off-by: Stefan Berger > --- >  fs/xattr.c | 1 + >  1 file changed, 1 insertion(+) > > diff --git a/fs/xattr.c b/fs/xattr.c > index 045be85..37686ee 100644 > --- a/fs/xattr.c > +++ b/fs/xattr.c > @@ -138,6 +138,7 @@ xattr_permission(struct inode *inode, const char > *name, int mask) >   */ >  static const char *const userns_xattrs[] = { >   XATTR_NAME_CAPS, > + XATTR_NAME_SELINUX, >   NULL >  }; >   (cc SELinux maintainers, curiously omitted from these patches) I don't think this works for SELinux. You don't deal with actually supporting multiple security.selinux attributes within SELinux itself (and I'm not asking you to do so), and without such support, this can't operate as intended. With these patches applied, IIUC, a setxattr() of security.selinux within a userns will end up setting only security.seli nux@uid=1000 on disk, but will then tell SELinux to update its in-core security label to the new value (via security_inode_post_setxattr). Meanwhile, on a subsequent getxattr(), you'll call security_inode_getsecurity() with the security.selinux@uid=1000 name, which will always fail because SELinux doesn't know anything about your new scheme, and then you'll call the filesystem handler and returns its value, which is no longer connected in any way to the actual label being used by SELinux. Also, SELinux itself makes calls to __vfs_getxattr() and __vfs_setxattr_noperm(), and I don't think your name remapping is correct in those cases. You also can't hide security.selinux within user namespaces. Today userspace can get and set security.selinux attributes within user namespaces (if allowed by policy), and further can specify the label to use for new files via /proc/self/attr/fscreate, which unsurprisingly isn't addressed by your changes. Changing that would be a userspace break.