Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp8492734ybi; Thu, 6 Jun 2019 13:19:38 -0700 (PDT) X-Google-Smtp-Source: APXvYqwTqxMgIahtsfd4/tkJRY1ajfcKJNfFF7ySAWzrWlFrYGb6qg1n9Rm0GlOt+QPkG5jReeHX X-Received: by 2002:aa7:9aaf:: with SMTP id x15mr2668304pfi.214.1559852378797; Thu, 06 Jun 2019 13:19:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559852378; cv=none; d=google.com; s=arc-20160816; b=aVpZ34ceqHrhqiaOiFH0g1IKEilAPndeFNCRo8GUDzbInH/REIGi0MNQMglRYyynBz egmd+aVv3oKcQrRj4+Any3UgglyRHy4BQ70F8GNiInx09XWVYX0cWhTbSHWk17aRyyQ2 F1h8tgfaliANwrKEMLiNaHmJeFENttFVGhj825GS7lXtlWpZdNRv2ZaesvivIyHpppew yXOjDZS6XCVNkIj8x58G8+zxgBAwN81sSGMmBWeKCYKSonfjuST71Cg4wvD8z/976GQT DMQO+21j3tBfFS/1c4aEI1UHfLeYkRt2cBAb7TbHspCnAPC2rtB1YlAz1MtR+Dt/NBwH 89bQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=YtHGtfxX2yoS6rWMSDCUn2N79mU1UGKhExNkSf0aqTk=; b=g2Saw3d48/bN4FPwdO7/yAJU2/pZL2zNMM/+ai68ABJCb/KUYluiKYU6AwxEl+U0P6 DaMhmgUi4oTHY7rliTEDVps4k6eW12vD+F0o86KRtYp61HaaJpjrP/RrrlPSowPUAjFm HwwbxB31eVw+0RVStHPK3g7TB82vt6rqPRqCrYh80qA/dNKYGWAZcJ3UMIlzmJraHnam syMg+zzrT8qWeTZ8pqbRCTrHH0l65hP/M5Ty+WTanbTAOraziBm3KQBzYpFqOv+mQZOY +9V4Ntbc4UkmI9lPUPI1UbYJBca8cVlmpyIRAiBuaRZCxXLTtya4hUYe9ZA0hS51aRsI NvVw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=eQwvwcju; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k17si2738132pfi.230.2019.06.06.13.19.22; Thu, 06 Jun 2019 13:19:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=eQwvwcju; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727993AbfFFTy4 (ORCPT + 99 others); Thu, 6 Jun 2019 15:54:56 -0400 Received: from mail.kernel.org ([198.145.29.99]:34224 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727962AbfFFTyx (ORCPT ); Thu, 6 Jun 2019 15:54:53 -0400 Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8CF4121479 for ; Thu, 6 Jun 2019 19:54:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1559850891; bh=CwGMuE+WEe/QCirkYuKg8095g413T6AAKaG29fZ0SGQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=eQwvwcju3KjnhZ83Kd4AaOrth9m4z53DeQp6LenCs72nKfO38LO/vJA0nqcu6QMbU IyPfe96L/vuzq7/JfV6upFI4P0etLFkwpz5qGPi/yaOXQubr8y2/C6sq3/jpxnxEym ChcrDS8gGZxAFu/JAu4djfMGvCRA3Sr95xzJmlqw= Received: by mail-wr1-f54.google.com with SMTP id x17so3657650wrl.9 for ; Thu, 06 Jun 2019 12:54:51 -0700 (PDT) X-Gm-Message-State: APjAAAURcgptJ/7WBx66S0HU80KSshcf0MSy14Y5mNVL+gOUqZ5LoXUr Xfu1X/q+3c1p7J4uiNbWcOlKsexLGFlN+eEya9s3Kg== X-Received: by 2002:a5d:6207:: with SMTP id y7mr12434458wru.265.1559850890024; Thu, 06 Jun 2019 12:54:50 -0700 (PDT) MIME-Version: 1.0 References: <155981411940.17513.7137844619951358374.stgit@warthog.procyon.org.uk> <3813.1559827003@warthog.procyon.org.uk> <8382af23-548c-f162-0e82-11e308049735@tycho.nsa.gov> <0eb007c5-b4a0-9384-d915-37b0e5a158bf@schaufler-ca.com> <07e92045-2d80-8573-4d36-643deeaff9ec@schaufler-ca.com> In-Reply-To: <07e92045-2d80-8573-4d36-643deeaff9ec@schaufler-ca.com> From: Andy Lutomirski Date: Thu, 6 Jun 2019 12:54:38 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC][PATCH 00/10] Mount, FS, Block and Keyrings notifications [ver #3] To: Casey Schaufler Cc: Stephen Smalley , David Howells , Al Viro , Greg Kroah-Hartman , USB list , raven@themaw.net, Linux FS Devel , Linux API , linux-block@vger.kernel.org, keyrings@vger.kernel.org, LSM List , LKML , Paul Moore Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 6, 2019 at 11:56 AM Casey Schaufler wrote: > > On 6/6/2019 10:16 AM, Stephen Smalley wrote: > > On 6/6/19 12:43 PM, Casey Schaufler wrote: > >> ... > >> I don't agree. That is, I don't believe it is sufficient. > >> There is no guarantee that being able to set a watch on an > >> object implies that every process that can trigger the event > >> can send it to you. > >> > >> Watcher has Smack label W > >> Triggerer has Smack label T > >> Watched object has Smack label O > >> > >> Relevant Smack rules are > >> > >> W O rw > >> T O rw > >> > >> The watcher will be able to set the watch, > >> the triggerer will be able to trigger the event, > >> but there is nothing that would allow the watcher > >> to receive the event. This is not a case of watcher > >> reading the watched object, as the event is delivered > >> without any action by watcher. > > > > You are allowing arbitrary information flow between T and W above. Who cares about notifications? > > I do. If Watched object is /dev/null no data flow is possible. > There are many objects on a modern Linux system for which this > is true. Even if it's "just a file" the existence of one path > for data to flow does not justify ignoring the rules for other > data paths. Aha! Even ignoring security, writes to things like /dev/null should probably not trigger notifications to people who are watching /dev/null. (There are probably lots of things like this: /dev/zero, /dev/urandom, etc.) David, are there any notification types that have this issue in your patchset? If so, is there a straightforward way to fix it? Generically, it seems like maybe writes to device nodes shouldn't trigger notifications since, despite the fact that different openers of a device node share an inode, there isn't necessarily any connection between them. Casey, if this is fixed in general, do you have another case where the right to write and the right to read do not imply the right to communicate? > An analogy is that two processes with different UIDs can open a file, > but still can't signal each other. What do you mean "signal"? If two processes with different UIDs can open the same file for read and write, then they can communicate with each other in many ways. For example, one can write to the file and the other can read it. One can take locks and the other can read the lock state. They can both map it and use any number of memory access side channels to communicate. But, of course, they can't send each other signals with kill(). If, however, one of these processes is using some fancy mechanism (inotify, dnotify, kqueue, fanotify, whatever) to watch the file, and the other one writes it, then it seems inconsistent to lie to the watching process and say that the file wasn't written because some security policy has decided to allow the write, allow the read, but suppress this particular notification. Hence my request for a real example: when would it make sense to do this?