Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp6969722ybi;
        Wed, 5 Jun 2019 09:07:26 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxOkdTPcIAhhjevfqFtf1odXzJPQrbJX2eB/MJGE8f089QIZxdSernyxnlrFTqSWkicXaV8
X-Received: by 2002:a17:90a:19d:: with SMTP id 29mr17631110pjc.71.1559750845980;
        Wed, 05 Jun 2019 09:07:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559750845; cv=none;
        d=google.com; s=arc-20160816;
        b=xAnkZi2tyEmMJ3eWT2WMlp9ia1DNHRjfucaK6y+ugylPsLZoBRyrY9CI/R+O422x+T
         XdAdxOu/8hLLFnMyHtfvClqzHKBDwWQvfZol3n7VfhctPDYKaSGLTBQBINByrbX12/CG
         1wRkizCYhB0X04jh1PgzEzBiOavKgDFUtWQRWrempyOqWm6LVoPPAJDjwLSQBSWRysOR
         cODsEyRNcnBxaafuJZHyTj5Ty5He2WBXhxhAF4W+8jEQNzpNjj2PtoPzME7W9avGR2Aq
         vAQvotnaGiy9APePS/XPYGbI7kzBvoGT47iT9v8jOimMe9omqvAqIhRBJXLNcsr5raS8
         ZPUA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=NYfLNiioMDdoFlH1zl9AkN7VrHpgueGgoMfInSGi0ww=;
        b=CZORDlgui57zLtuDyVi6sEaAKT/XI4BDMxiNLYygToDM2/0ZtIOztNXgquPQjT+Jg4
         DdJ8ZdE6VKRdVBHZdHBDTltY2rpBfH4vnw3JplUUOqnEj2aHdQY+Q0/qDp7SJNv3fE9j
         MJrJBHWs75py9QjKkTPoJ/q5rcusnv2m17FWmCFa21UXdCZlCqhDjyYHvW2N7bH7ukhX
         ECG4FI0ABSsFNltvHErsiDGX6VA7gKX0CjkCXcujR8RxjOOVYlbs9pVb73De8A0qZft+
         P+8RqaZEXxy53WTU0aNCHrAPtwnN9RMm+pClGuEUK6z62IpQtohq8FnOVVVWxjd53CnK
         rhEg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=zCM8dKmI;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 61si28731107plr.51.2019.06.05.09.07.09;
        Wed, 05 Jun 2019 09:07:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=zCM8dKmI;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728574AbfFEQE0 (ORCPT <rfc822;israelpgz17@gmail.com>
        + 99 others); Wed, 5 Jun 2019 12:04:26 -0400
Received: from mail.kernel.org ([198.145.29.99]:37394 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728523AbfFEQEX (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 5 Jun 2019 12:04:23 -0400
Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id BF2AD208E3
        for <linux-kernel@vger.kernel.org>; Wed,  5 Jun 2019 16:04:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1559750662;
        bh=Lo7tnf9FZTNHvc1tqXK13IgOoz9XYJY+Hs7siRq6iN8=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=zCM8dKmIZC/YmQo55O+/z3T0vVxKq9qomamYvlrdyEVwbHhgrjvgxI6vSQM+B/m6U
         lDHcAxKBBswh8qiFQGdR/gEB092MzZtQeI2xIAfM5cn80eb1cEdwoSuc4Z9ACmgXA/
         1T1oOl+4u+MbrT19oCLSCzoOZtL7HZcAhnkrfblE=
Received: by mail-wm1-f48.google.com with SMTP id t5so2879758wmh.3
        for <linux-kernel@vger.kernel.org>; Wed, 05 Jun 2019 09:04:21 -0700 (PDT)
X-Gm-Message-State: APjAAAUDByv+0JYDg8y4mh29VuaWOjmCKt8Yp89QlSTRwOoUx/kDs3IY
        7TqJbdjI/twgl6ymz9RDeuFVzNhRyNpTiRIVpjjLFg==
X-Received: by 2002:a7b:cd84:: with SMTP id y4mr11012206wmj.79.1559750660137;
 Wed, 05 Jun 2019 09:04:20 -0700 (PDT)
MIME-Version: 1.0
References: <50c2ea19-6ae8-1f42-97ef-ba5c95e40475@schaufler-ca.com>
 <155966609977.17449.5624614375035334363.stgit@warthog.procyon.org.uk>
 <CALCETrWzDR=Ap8NQ5-YrVhXCEBgr+hwpjw9fBn0m2NkZzZ7XLQ@mail.gmail.com>
 <20192.1559724094@warthog.procyon.org.uk> <e4c19d1b-9827-5949-ecb8-6c3cb4648f58@schaufler-ca.com>
In-Reply-To: <e4c19d1b-9827-5949-ecb8-6c3cb4648f58@schaufler-ca.com>
From:   Andy Lutomirski <luto@kernel.org>
Date:   Wed, 5 Jun 2019 09:04:09 -0700
X-Gmail-Original-Message-ID: <CALCETrVSBwHEm-1pgBXxth07PZ0XF6FD+7E25=WbiS7jxUe83A@mail.gmail.com>
Message-ID: <CALCETrVSBwHEm-1pgBXxth07PZ0XF6FD+7E25=WbiS7jxUe83A@mail.gmail.com>
Subject: Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2]
To:     Casey Schaufler <casey@schaufler-ca.com>
Cc:     David Howells <dhowells@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>, raven@themaw.net,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        linux-block@vger.kernel.org, keyrings@vger.kernel.org,
        LSM List <linux-security-module@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 5, 2019 at 7:51 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 6/5/2019 1:41 AM, David Howells wrote:
> > Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> >> I will try to explain the problem once again. If process A
> >> sends a signal (writes information) to process B the kernel
> >> checks that either process A has the same UID as process B
> >> or that process A has privilege to override that policy.
> >> Process B is passive in this access control decision, while
> >> process A is active. In the event delivery case, process A
> >> does something (e.g. modifies a keyring) that generates an
> >> event, which is then sent to process B's event buffer.
> > I think this might be the core sticking point here.  It looks like two
> > different situations:
> >
> >  (1) A explicitly sends event to B (eg. signalling, sendmsg, etc.)
> >
> >  (2) A implicitly and unknowingly sends event to B as a side effect of some
> >      other action (eg. B has a watch for the event A did).
> >
> > The LSM treats them as the same: that is B must have MAC authorisation to send
> > a message to A.
>
> YES!
>
> Threat is about what you can do, not what you intend to do.
>
> And it would be really great if you put some thought into what
> a rational model would be for UID based controls, too.
>
> > But there are problems with not sending the event:
> >
> >  (1) B's internal state is then corrupt (or, at least, unknowingly invalid).
>
> Then B is a badly written program.

Either I'm misunderstanding you or I strongly disagree.  If B has
authority to detect a certain action, and A has authority to perform
that action, then refusing to notify B because B is somehow missing
some special authorization to be notified by A is nuts.  This is just
introducing incorrectness into the design in support of a
not-actually-helpful security idea.

If I can read /proc/self/mounts, I can detect changes to my mount
namespace.  Giving me a faster and nicer way to do this is fine, AS
LONG AS IT ACTUALLY WORKS.  "Works" means it needs to detect all
changes.