Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp3589094ybi; Mon, 10 Jun 2019 12:55:40 -0700 (PDT) X-Google-Smtp-Source: APXvYqwpO0mafo3ve3pkqSqC3alfGDpekoL2OEZNupo9WRDt0XnMJbm0Ex/BhB6DYPypVXbSxYPe X-Received: by 2002:aa7:8052:: with SMTP id y18mr44401451pfm.169.1560196540037; Mon, 10 Jun 2019 12:55:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560196540; cv=none; d=google.com; s=arc-20160816; b=jNEVxKA5yy7x3QtM716sZWB9jT7tW0Y049bexYzUEp+JhS+tqMpjhdWeN5KxJY7lN7 hbLaCkD2wHbNNUwBk8JMCA+ZEY7+xCqcsFyOinmobX0GXDoFoFztWI+CpZRchMWZpgz9 +VPLXIpyL2OR2i5NWckrZBqBK99j5Ak+NWtdHTVOzy+wMx8eC0755XzL/NLYBd/Z6Nn+ Ss1Y5dLnYVFbhD/QhZumh/wLrHCgeTj/B2h77iOUkD99tK5RmckCuGqq58uUFYqgwhiU OS8wInUZ99k2KbcfGzEFDqdCX+xex8QvbcTblqnIiyYodFgZs6ITvsaWc6K2AluwzCog ocPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=drt8YLemSZDX7OMdH6+sgReWjH/efiEmXxVotTKKmHw=; b=AWV59yMNWVGJ8+oseD9hOh9AVjCSZwS69tLG+b8MCb6L6ADjjo4dS/JM/sA57skYUR SaJo57thIiL5OogUsUC1owwIjbT2LcgWQREIpomcBLKfOlXruxxKewCX3CrD1qGYGSSX WALfLKFSqSrQ84Zm7JaXZjytgH2TXCy4XyxCMAk9viYMuxqjtkPq6ZcGpSyAt7EuHRYs Z/G2cKwqryIazrirG1JTP8LzpDaf0tey9v+wbRUCe8V56FRlGSZsNaI8W+WHQrrmCiVG 6OYO3BWtCu7oXGhk7vO2bwUwZ2ZPzeQQV1s163C4VmvmS3reJCaLgxnqKxHapmWWPrPd vKLw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=uAFo3TEM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y2si1526588pgh.524.2019.06.10.12.55.25; Mon, 10 Jun 2019 12:55:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=uAFo3TEM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389352AbfFJTx2 (ORCPT + 99 others); Mon, 10 Jun 2019 15:53:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:60916 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389240AbfFJTx2 (ORCPT ); Mon, 10 Jun 2019 15:53:28 -0400 Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3BC6A20859 for ; Mon, 10 Jun 2019 19:53:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560196407; bh=wOihLllZn9jb+HP18QFES48hPN0FStRExpBhK0fzcWc=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=uAFo3TEMkLIhsip7s70tLqYegboY8gx4x/AFMwOE/1EV8+gh+Qz6VXsvzhUyEopLq +3VyxpS1eU7uOSfZrvSP/pTKxzyroqF3Hx9xHOOCBXy5SdOAn6sXZCiuLldV+Ojp4W MtATR0O33RIzYknn7ST2vlYr9R159z1eD9/lH5/o= Received: by mail-wr1-f43.google.com with SMTP id n9so10464942wru.0 for ; Mon, 10 Jun 2019 12:53:27 -0700 (PDT) X-Gm-Message-State: APjAAAXwD2XOuPmwZITg/vZx6B7WIWfBntWjfZowNhGZjojCaa827T5a kODvsoQiOoQSwew45aaNcjQjPU/Gm9WlzXnX0ITBwg== X-Received: by 2002:a5d:6207:: with SMTP id y7mr27028791wru.265.1560196405847; Mon, 10 Jun 2019 12:53:25 -0700 (PDT) MIME-Version: 1.0 References: <155991702981.15579.6007568669839441045.stgit@warthog.procyon.org.uk> <0cf7a49d-85f6-fba9-62ec-a378e0b76adf@schaufler-ca.com> <4b7d02b2-2434-8a7c-66cc-7dbebc37efbc@schaufler-ca.com> In-Reply-To: <4b7d02b2-2434-8a7c-66cc-7dbebc37efbc@schaufler-ca.com> From: Andy Lutomirski Date: Mon, 10 Jun 2019 12:53:14 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC][PATCH 00/13] Mount, FS, Block and Keyrings notifications [ver #4] To: Casey Schaufler Cc: Andy Lutomirski , Stephen Smalley , David Howells , Al Viro , USB list , LSM List , Greg Kroah-Hartman , raven@themaw.net, Linux FS Devel , Linux API , linux-block@vger.kernel.org, keyrings@vger.kernel.org, LKML , Paul Moore Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 10, 2019 at 12:34 PM Casey Schaufler w= rote: > >>> I think you really need to give an example of a coherent policy that > >>> needs this. > >> I keep telling you, and you keep ignoring what I say. > >> > >>> As it stands, your analogy seems confusing. > >> It's pretty simple. I have given both the abstract > >> and examples. > > You gave the /dev/null example, which is inapplicable to this patchset. > > That addressed an explicit objection, and pointed out > an exception to a generality you had asserted, which was > not true. It's also a red herring regarding the current > discussion. This argument is pointless. Please humor me and just give me an example. If you think you have already done so, feel free to repeat yourself. If you have no example, then please just say so. > > >>> If someone > >>> changes the system clock, we don't restrict who is allowed to be > >>> notified (via, for example, TFD_TIMER_CANCEL_ON_SET) that the clock > >>> was changed based on who changed the clock. > >> That's right. The system clock is not an object that > >> unprivileged processes can modify. In fact, it is not > >> an object at all. If you care to look, you will see that > >> Smack does nothing with the clock. > > And this is different from the mount tree how? > > The mount tree can be modified by unprivileged users. > If nothing that unprivileged users can do to the mount > tree can trigger a notification you are correct, the > mount tree is very like the system clock. Is that the > case? The mount tree can't be modified by unprivileged users, unless a privileged user very carefully configured it as such. An unprivileged user can create a new userns and a new mount ns, but then they're modifying a whole different mount tree. > > >>> Similarly, if someone > >>> tries to receive a packet on a socket, we check whether they have the > >>> right to receive on that socket (from the endpoint in question) and, > >>> if the sender is local, whether the sender can send to that socket. > >>> We do not check whether the sender can send to the receiver. > >> Bzzzt! Smack sure does. > > This seems dubious. I=E2=80=99m still trying to get you to explain to a= non-Smack person why this makes sense. > > Process A sends a packet to process B. > If A has access to TopSecret data and B is not > allowed to see TopSecret data, the delivery should > be prevented. Is that nonsensical? It makes sense. As I see it, the way that a sensible policy should do this is by making sure that there are no sockets, pipes, etc that Process A can write and that Process B can read. If you really want to prevent a malicious process with TopSecret data from sending it to a different process, then you can't use Linux on x86 or ARM. Maybe that will be fixed some day, but you're going to need to use an extremely tight sandbox to make this work. > > >>> The signal example is inapplicable. > >> From a modeling viewpoint the actions are identical. > > This seems incorrect to me > > What would be correct then? Some convoluted combination > of system entities that aren't owned or controlled by > any mechanism? > POSIX signal restrictions aren't there to prevent two processes from communicating. They're there to prevent the sender from manipulating or crashing the receiver without appropriate privilege. > > and, I think, to most everyone else reading this. > > That's quite the assertion. You may even be correct. > > > Can you explain? > > > > In SELinux-ese, when you write to a file, the subject is the writer and= the object is the file. When you send a signal to a process, the object i= s the target process. > > YES!!!!!!!!!!!! > > And when a process triggers a notification it is the subject > and the watching process is the object! > > Subject =3D=3D active entity > Object =3D=3D passive entity > > Triggering an event is, like calling kill(), an action! > And here is where I disagree with your interpretation. Triggering an event is a side effect of writing to the file. There are *two* security relevant actions, not one, and they are: First, the write: Subject =3D=3D the writer Action =3D=3D write Object =3D=3D the file Then the event, which could be modeled in a couple of ways: Subject =3D=3D the file Action =3D=3D notify Object =3D=3D the recipient or Subject =3D=3D the recipient Action =3D=3D watch Object =3D=3D the file By conflating these two actions into one, you've made the modeling very hard, and you start running into all these nasty questions like "who actually closed this open file"