Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1969539imm; Tue, 2 Oct 2018 17:59:52 -0700 (PDT) X-Google-Smtp-Source: ACcGV63Psfo597DNfOCO+JSF30RhbmvdluLyvWEHDaBeDFFgXv5+7e6zbi2IUIVV6Px8ONKnaKjF X-Received: by 2002:a17:902:b70d:: with SMTP id d13-v6mr18835358pls.44.1538528392808; Tue, 02 Oct 2018 17:59:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538528392; cv=none; d=google.com; s=arc-20160816; b=wKh7+nv+2jWdPNQg4+lklw3/JuSNAWTBRrkE7gnym5u1PquqDc9NE0jtRiGSlcxHI3 iX4T22XlUk1S4wkKHgU2rTdGgxSe4jk9aNpxpmOzGCKXuXlvChfZTA4exVvKzMXVXqu5 r6Taifs5VCaJSD6Na5Icq74uE/prvi+acVTRn4G5kjnBGE/ozraK5lf8wP63Ue5Ld4td 5bRcFAh3EOnNoETdzN34LhMcpuXmIepNQP810sQRMr2i7/JK9L7rUYErMBcLvfbmkjU1 +vtFm8obcI7zPm/i7M/sKc0AsJlLC1qGPjMDv0alUgRYqjXZsvl8dqOYX++LYEh7ou13 Hysg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:date:subject:user-agent:message-id :references:cc:in-reply-to:from:to:content-transfer-encoding :mime-version:dkim-signature; bh=t33hXfqoDr4vN2bo2069q+HwtDxwbehoOArsp7Z2Oxw=; b=EBZB4z35xbZPbVzFNmV5yQHSdpYGsTi4QzudlloVcdKp01Qr8l1ahJ31e8cc//JaJq wpRitpQ9z4xUn7YY53ZPNBeRWjmudiFj59alJgiHMNVplubF6+vBrrJlD/gYfQiQT6o0 Cv60ZTZf9Lx5jOzqbWS0MaTxXowSrsE5kNmPRs9CuXRALxT129EuqRs0FYdSd12ovmlE A8yoOOVaKM4gb4oQH60QiRdcVgs4ZWVuxCm/cJdU2xciOCeikh5HqlhzgffHP3vevdsz co1ihq5WoQgVmzDsREcQNxz0EIWQPwhwAtBqwrUy9OFRamx4mwjsUPIb804mzrUqnuUJ w4QA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=UcVv6ZKz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cisco.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o7-v6si16950911pls.344.2018.10.02.17.59.05; Tue, 02 Oct 2018 17:59:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=UcVv6ZKz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cisco.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726568AbeJCHpC (ORCPT + 99 others); Wed, 3 Oct 2018 03:45:02 -0400 Received: from alln-iport-2.cisco.com ([173.37.142.89]:29188 "EHLO alln-iport-2.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726120AbeJCHpB (ORCPT ); Wed, 3 Oct 2018 03:45:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2842; q=dns/txt; s=iport; t=1538528337; x=1539737937; h=mime-version:content-transfer-encoding:to:from: in-reply-to:cc:references:message-id:subject:date; bh=EMjo9w6XVO9F3pc5CMJc+klTHx3E3QavcGlHhi1k2p4=; b=UcVv6ZKzyBjgipIrWVINt6VNTzPBC33EdUghzBP+w1ddL00q18r31o5+ RbmyzUVjjwntSKMcG31smXVHly1rVrjNYhx4JwgPMlzNRfhbxlHRjevFq 9vM+pKAfORFcfnNwxuIKmI2RAe8hmvLCmxcsd0NtgsbH1MoGFVZ8DHtY9 o=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ATAADoE7Rb/5hdJa1aGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBUoINgWWEHIh0jSYliG2Nb4F6C4RsAoQOITUXAQMBAQI?= =?us-ascii?q?BAQJtKIU5AQUjBFIQCxgCAiYCAkcQBgGFKA2mK3szihQUd4l4F4FBP4FFgWF?= =?us-ascii?q?+hH6DAYJXAo8DjjsJkE8JAoE+jhKIe4xFgUQDM4FVcBV4BQZWgU+CJBeOOB+?= =?us-ascii?q?OUAEB?= X-IronPort-AV: E=Sophos;i="5.54,334,1534809600"; d="scan'208";a="180107152" Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Oct 2018 00:58:56 +0000 Received: from localhost (sjc-vpn2-521.cisco.com [10.21.114.9]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTP id w930wuK0011886; Wed, 3 Oct 2018 00:58:56 GMT Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable To: Paul Moore , Stephen Smalley From: Taras Kondratiuk In-Reply-To: <91112a5a-2e67-28cf-b8a5-b80dc9385bb7@tycho.nsa.gov> Cc: linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, xe-linux-external@cisco.com References: <20180919165248.53090-1-takondra@cisco.com> <66ec16b0-a335-d9ef-deb3-ef391cdd66e0@tycho.nsa.gov> <153785433233.5039.17960184426345262866@takondra-t460s> <153790265614.6091.7582646556934797699@takondra-t460s> <153850609939.4490.12129272851093190248@takondra-t460s> <91112a5a-2e67-28cf-b8a5-b80dc9385bb7@tycho.nsa.gov> Message-ID: <153852833597.8135.14322052015672451164@takondra-t460s> User-Agent: alot/0.6 Subject: Re: [RFC PATCH] selinux: add a fallback to defcontext for native labeling Date: Tue, 02 Oct 2018 17:58:55 -0700 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-SMTP-Client: 10.21.114.9, sjc-vpn2-521.cisco.com X-Outbound-Node: rcdn-core-1.cisco.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Stephen Smalley (2018-10-02 12:41:54) > On 10/02/2018 02:48 PM, Taras Kondratiuk wrote: > > Quoting Stephen Smalley (2018-09-21 07:40:58) > >> If we set the inode sid to the superblock def_sid on an invalid > >> context, then we lose the association to the original context value. > >> The support for deferred mapping of contexts requires allocating a new > >> SID for the invalid context and storing that SID in the inode, so that > >> if the context later becomes valid upon a policy update/reload, the > >> inode SID will refer to the now valid context. > >> To combine the two, we would need security_context_to_sid_core() to > >> save the def_sid in the context structure for invalid contexts, and > >> change sidtab_search_core() to use that value instead of > >> SECINITSID_UNLABELED for invalid SIDs. Then the inode would be > >> treated as having the defcontext for access control and getxattr() w/o > >> CAP_MAC_ADMIN purposes, but a subsequent policy update/reload that > >> makes the context valid would automatically cause subsequent accesses > >> to the inode to start using the original context value for access > >> control and getxattr() purposes. I think that's the behavior you > >> want. > >> > > = > > While implementing the change I've realized that storing default context > > for sidtab_search_core() in the context structure is not enough to > > achieve the desired behavior. The same invalid context may exist in two > > mounts with different 'defcontext', so default context can't be a > > property of a context structure. > > = > > One way to address it is to propagate default context to sidtab_search(= ) all > > the way from inode hooks. But that will be a bit intrusive. Something l= ike > > avc_has_perm_default() will need to be added. > > = > > Other way is to check for context validity in inode hooks and provide a= default > > context to avc_has_perm() if the inode's sid is invalid. But this may h= ave > > performance implication since validity check will be done each time in = fast > > path. > > = > > Do you see any other options? > = > I think the original approach is still best. The def_sid can be part of = > the context structure; you just need to update context_cmp() to compare = > it (as part of the first return statement) so that the same invalid = > context in two mounts with different defcontext=3D values will allocate = > different SIDs. Likewise context_cpy() needs to copy the def_sid. > = > As a separate matter, you should also modify = > security_context_to_sid_force() to pass down the sbsec->def_sid so that = > when userspace with CAP_MAC_ADMIN sets an invalid context on an inode, = > the default context will be used in the same manner. Thanks. That's really a better approach.