Message-ID: <1519152994.14218.15.camel@tycho.nsa.gov>
Subject: Re: [PATCH v3 15/15] selinux: delay sid population for rootfs till init is complete
From: Stephen Smalley
To: Taras Kondratiuk, "H. Peter Anvin", Al Viro, Arnd Bergmann, Rob Landley, Mimi Zohar, Jonathan Corbet, James McMechan
Cc: initramfs@vger.kernel.org, Victor Kamensky, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, xe-linux-external@cisco.com, Paul Moore, Eric Paris
Date: Tue, 20 Feb 2018 13:56:34 -0500
In-Reply-To: <1518813234-5874-19-git-send-email-takondra@cisco.com>

On Fri, 2018-02-16 at 20:33 +0000, Taras Kondratiuk wrote:
> From: Victor Kamensky
>
> With initramfs cpio format that supports extended attributes
> we need to skip sid population on sys_lsetxattr call from
> initramfs for rootfs if security server is not initialized yet.
>
> Otherwise callback in selinux_inode_post_setxattr will try to
> translate given security.selinux label into sid context and since
> security server is not available yet inode will receive default
> sid (typically kernel_t). Note that in the same time proper
> label will be stored in inode xattrs. Later, since inode sid
> would be already populated system will never look back at
> actual xattrs. But if we skip sid population for rootfs and
> we have policy that direct use of xattrs for rootfs, proper
> sid will be filled in from extended attributes once node is
> accessed and server is initialized.
>
> Note new DELAYAFTERINIT_MNT super block flag is introduced
> to only mark rootfs for such behavior. For other types of
> tmpfs original logic is still used.

(cc selinux maintainers)

Wondering if we shouldn't just do this always, for all filesystem
types. Also, I think this should likely also be done in
selinux_inode_setsecurity() for consistency.

>
> Signed-off-by: Victor Kamensky
> ---
> security/selinux/hooks.c | 9 ++++++++-
> security/selinux/include/security.h | 1 +
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index f3fe65589f02..bb25268f734e 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -716,7 +716,7 @@ static int selinux_set_mnt_opts(struct > super_block *sb, > */ > if (!strncmp(sb->s_type->name, "rootfs", > sizeof("rootfs"))) > - sbsec->flags |= SBLABEL_MNT; > + sbsec->flags |= > SBLABEL_MNT|DELAYAFTERINIT_MNT; > > /* Defer initialization until > selinux_complete_init, > after the initial policy is loaded and > the security 
> @@ -3253,6 +3253,7 @@ static void selinux_inode_post_setxattr(struct > dentry *dentry, const char *name, > { > struct inode *inode = d_backing_inode(dentry); > struct inode_security_struct *isec; > + struct superblock_security_struct *sbsec; > u32 newsid; > int rc; > > @@ -3261,6 +3262,12 @@ static void selinux_inode_post_setxattr(struct > dentry *dentry, const char *name, > return; > } > > + if (!ss_initialized) { > + sbsec = inode->i_sb->s_security; > + if (sbsec->flags & DELAYAFTERINIT_MNT) > + return; > + } > + > rc = security_context_to_sid_force(value, size, &newsid); > if (rc) { > printk(KERN_ERR "SELinux: unable to map context to > SID" > diff --git a/security/selinux/include/security.h > b/security/selinux/include/security.h > index 02f0412d42f2..585acfd6cbcf 100644 > --- a/security/selinux/include/security.h > +++ b/security/selinux/include/security.h > @@ -52,6 +52,7 @@ > #define ROOTCONTEXT_MNT 0x04 > #define DEFCONTEXT_MNT 0x08 > #define SBLABEL_MNT 0x10 > +#define DELAYAFTERINIT_MNT 0x20 > /* Non-mount related flags */ > #define SE_SBINITIALIZED 0x0100 > #define SE_SBPROC 0x0200
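
Review bot: In the selinux_set_mnt_opts() hunk, DELAYAFTERINIT_MNT is set only inside the strncmp(sb->s_type->name, "rootfs", ...) branch, so the deferral is keyed to a filesystem name rather than to the condition that actually matters, `!ss_initialized`. If skipping SID population is correct whenever the security server is not yet initialized, the `!ss_initialized` test in selinux_inode_post_setxattr() could stand alone and this flag would be unnecessary; if it is not correct for other filesystems, the comment above this branch should say why only rootfs qualifies.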
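
Review bot: The early return added to selinux_inode_post_setxattr() under `if (!ss_initialized)` leaves the inode's isec untouched and carries no comment, so the fix depends on the label being loaded from the xattr on a later access, which none of the visible hunks shows. Add a comment at the `return` stating that dependency, and confirm the inode is not already marked as labeled at this point, since in that case the default SID would persist exactly as the commit message describes. `sbsec` is used only inside the new block and could be declared there instead of at function scope.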
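
Review bot: In the security.h hunk, DELAYAFTERINIT_MNT takes 0x20 in the group above the "Non-mount related flags" comment and carries the _MNT suffix, although it marks internal labeling behavior rather than a mount option. Consider defining it alongside the SE_SB* flags below that comment, with a one-line comment describing its meaning, and check that no code walking the mount-option bits picks up 0x20.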