Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp759556ybl; Thu, 23 Jan 2020 07:15:48 -0800 (PST) X-Google-Smtp-Source: APXvYqx3r808HK1qKmIfj2NdnN2Cy0Z5rd4UgA6FG3inxZcf+oS23tNi0XZZNPdkNKiAT2LzrAUj X-Received: by 2002:aca:1b19:: with SMTP id b25mr8940998oib.24.1579792548716; Thu, 23 Jan 2020 07:15:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579792548; cv=none; d=google.com; s=arc-20160816; b=IKZy9eE3yHVCxAphW8Fz9eGltn4Ldw3pGtzkiH6rZRangseQvqmDhlQNO9Ehl2fS6C cx8CWV29S6cpY1B4XH6AR5MTbTA3V7vLtsg8FTQufSVSGqlkY3riwRLofFfmnrAvZLOi ZvABYLRWZmI9A1PCj86a1lgyFZ6z0Z25hSqzkIKnDp9ZPNUGHh1b5A9J2MB5wnOLle6v KMePfOct7VY2EI6I4tAs1Mh744wxblt9K9PXnnOEU2nbngMPqDf8R74AJo02FiKGZGWI 9akWwJG4lwzSrTlyAO76FUSLnc4TyAJz81YOMBdIvhZASil2UBA8hC1Oitkvx75h8OGu 5Jtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-transfer-encoding :content-id:mime-version:subject:cc:to:references:in-reply-to:from :organization:dkim-signature; bh=TOTDTwuaI0Kk0LUy5rbPDT0f6tV/bdzpgd5A51iAmQw=; b=qXM1kvpiTqYA5Cxd+i2PSNwA9df9NfFq/HZFOpeyAQx7vXrepo1MxVutTjaU1ULlY6 bi05NVFrLy185V58QkY04xXwTfDUVp7pcSBFTmlXUVa0Q56l/IUl+3jksdGpViHxHwEh Z9zKXKEWQ82e1WnfboxX9ibHY21/9eIsEJUTAOLN6RxjcxnNH2u+Q0iB0dZ/DizTg2d+ OatQDfE0Sl7OmM46sCzNCYPlDJocPnTB0pw/8fF9+tF7HiZ3/iyy1AXvNTAhvG9mWZ8z /lCDOQP2+1vvWsIgTn4+jrrq5PQ7THond4Xoh+GnWt6ndf53u6kWyGRp/d9yacNkPg1B ZEog== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Liw91XNp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l21si1260914otk.142.2020.01.23.07.15.35; Thu, 23 Jan 2020 07:15:48 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Liw91XNp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728925AbgAWPMK (ORCPT + 99 others); Thu, 23 Jan 2020 10:12:10 -0500 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:60737 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728904AbgAWPMK (ORCPT ); Thu, 23 Jan 2020 10:12:10 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1579792329; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TOTDTwuaI0Kk0LUy5rbPDT0f6tV/bdzpgd5A51iAmQw=; b=Liw91XNpW2Keht2Q1ClXCZRASkSQSrbbFXovrJg/eoSftPuVRrPTVROh56KtVBukmsKYQ8 ukzjF39WdaasFdnPCRrFDGbUV8enhva+T6FdJ/tB7ocu+QX6jDutvGNybly36j43iyq3vv /8gPWvnKtrXZBCmCyraUHglegnx6sjE= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-207-dY3-Hz3EOVSB5G3kVMwjQA-1; Thu, 23 Jan 2020 10:12:04 -0500 X-MC-Unique: dY3-Hz3EOVSB5G3kVMwjQA-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EED9D18B5F95; Thu, 23 Jan 2020 15:12:02 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-49.rdu2.redhat.com [10.10.120.49]) by smtp.corp.redhat.com (Postfix) with ESMTP id A3DED8CCCB; Thu, 23 Jan 2020 15:12:01 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <8ee40192da117d9cdf4eab1e63ab5f77b359801c.camel@btinternet.com> References: <8ee40192da117d9cdf4eab1e63ab5f77b359801c.camel@btinternet.com> To: Stephen Smalley Cc: dhowells@redhat.com, Richard Haines , keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: SELinux: How to split permissions for keys? MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <4057699.1579792320.1@warthog.procyon.org.uk> Content-Transfer-Encoding: quoted-printable Date: Thu, 23 Jan 2020 15:12:00 +0000 Message-ID: <4057700.1579792320@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Stephen, I have patches to split the permissions that are used for keys to make the= m a bit finer grained and easier to use - and also to move to ACLs rather than fixed masks. See patch "keys: Replace uid/gid/perm permissions checking w= ith an ACL" here: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log= /?h=3Dkeys-acl However, I may not have managed the permission mask transformation inside SELinux correctly. Could you lend an eyeball? The change to the permissi= ons model is as follows: The SETATTR permission is split to create two new permissions: = (1) SET_SECURITY - which allows the key's owner, group and ACL to be changed and a restriction to be placed on a keyring. = (2) REVOKE - which allows a key to be revoked. = The SEARCH permission is split to create: = (1) SEARCH - which allows a keyring to be search and a key to be foun= d. = (2) JOIN - which allows a keyring to be joined as a session keyring. = (3) INVAL - which allows a key to be invalidated. = The WRITE permission is also split to create: = (1) WRITE - which allows a key's content to be altered and links to b= e added, removed and replaced in a keyring. = (2) CLEAR - which allows a keyring to be cleared completely. This is split out to make it possible to give just this to an administrat= or. = (3) REVOKE - see above. The change to SELinux is attached below. Should the split be pushed down into the SELinux policy rather than trying= to calculate it? Thanks, David --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 116b4d644f68..c8db5235b01f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6556,6 +6556,7 @@ static int selinux_key_permission(key_ref_t key_ref, { struct key *key; struct key_security_struct *ksec; + unsigned oldstyle_perm; u32 sid; = /* if no specific permissions are requested, we skip the @@ -6564,13 +6565,26 @@ static int selinux_key_permission(key_ref_t key_re= f, if (perm =3D=3D 0) return 0; = + oldstyle_perm =3D perm & (KEY_NEED_VIEW | KEY_NEED_READ | KEY_NEED_WRITE= | + KEY_NEED_SEARCH | KEY_NEED_LINK); + if (perm & KEY_NEED_SETSEC) + oldstyle_perm |=3D OLD_KEY_NEED_SETATTR; + if (perm & KEY_NEED_INVAL) + oldstyle_perm |=3D KEY_NEED_SEARCH; + if (perm & KEY_NEED_REVOKE && !(perm & OLD_KEY_NEED_SETATTR)) + oldstyle_perm |=3D KEY_NEED_WRITE; + if (perm & KEY_NEED_JOIN) + oldstyle_perm |=3D KEY_NEED_SEARCH; + if (perm & KEY_NEED_CLEAR) + oldstyle_perm |=3D KEY_NEED_WRITE; + sid =3D cred_sid(cred); = key =3D key_ref_to_ptr(key_ref); ksec =3D key->security; = return avc_has_perm(&selinux_state, - sid, ksec->sid, SECCLASS_KEY, perm, NULL); + sid, ksec->sid, SECCLASS_KEY, oldstyle_perm, NULL); } = static int selinux_key_getsecurity(struct key *key, char **_buffer)