Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp975478ybl;
        Fri, 24 Jan 2020 13:02:24 -0800 (PST)
X-Google-Smtp-Source: APXvYqwev21GJ3++UD66MzccBuGr9zLuTWHMcgwszhRgs4n/hATogJJbtjp9Q014JuofBXbny6tp
X-Received: by 2002:aca:1b08:: with SMTP id b8mr563092oib.62.1579899744441;
        Fri, 24 Jan 2020 13:02:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1579899744; cv=none;
        d=google.com; s=arc-20160816;
        b=Yn5kRsUViksTV9b9NnYhx/hOveZ7UeC5tCISHrp9+0l3SJD4Y3igUG8g1bs4gVyfEe
         UBwcHUKvSJ7Hu48q8/Vj/dvBq3xxJJNri2nfqRhZa1KmMwvvE1/8HpgtUz2nUlWUunjE
         TnRK0DXzeLeV21qlQu32UQt/vpWat/ua8/mLi9G47ZDBu/YEQhljw2NXpj6RYuKXxfZ1
         qbZF7ehBII+buHDh19DyWcwteMuXto4lrVT4iFdCnUmbRdWwyjVaN2rJ9zo2GgFK0wSW
         fpX3hKp7BXFO3KVY1xYuIqb83AI8kqiTmzGB34npilSGbId3O6y4gNJO94XWsZu1h5Rc
         NioA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=JykckUs2gCxAmF14L/8LuyMZHmH7QFoL3RGP2bW/Tt8=;
        b=BNbnC0E4URRc7PDYFZrqvx9RVjDfTEW149OAmHatr5SAbwJs6G9LOhDGvsYLJFxFig
         KkXPj9KpArPOQ9SomLL/3aBdEuxJFKnxGcGdZHzkfGVTFfFqPe/ZUN+eAB+jFiYshXzg
         rQJNNPwhXz3+/Z933hVRRzUz8LW/AxxIMIW01t4JkNKY8QBIkhJyKCtwlUOM7YQ3E9fO
         2OU+pzxuNpn0bHwVX4KW8DZ/9afwivvfF2wGzD8HeQWZ8YG9bcUcktrVBHWV9AoQANeT
         4uV2Hrb8vy6GKWSSHAra01X/263X8znTSEicLoxfBU2pkh3p1ZDKMHD6JWbZyrPq0U6l
         xSWw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@googlemail.com header.s=20161025 header.b=aUKY0OXu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w77si295622oif.216.2020.01.24.13.02.11;
        Fri, 24 Jan 2020 13:02:24 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@googlemail.com header.s=20161025 header.b=aUKY0OXu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2391812AbgAXTI5 (ORCPT <rfc822;daisukeokaopensource@gmail.com>
        + 99 others); Fri, 24 Jan 2020 14:08:57 -0500
Received: from mail-vs1-f68.google.com ([209.85.217.68]:40367 "EHLO
        mail-vs1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2387966AbgAXTI5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 24 Jan 2020 14:08:57 -0500
Received: by mail-vs1-f68.google.com with SMTP id g23so1919180vsr.7;
        Fri, 24 Jan 2020 11:08:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlemail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=JykckUs2gCxAmF14L/8LuyMZHmH7QFoL3RGP2bW/Tt8=;
        b=aUKY0OXuOle2jrNxqk97t6NpgtVKyG+qEd80lI/bg62cNijzvPTOKTiL4kgMkYfe3K
         PhNQXTIMBokTfCBK3IUcnEQP+3jWgb40gzVq7JcFHKvLza0H4a+hpB88uNxnK5fESjfh
         vu/h7qRIkMVk1MCmzVZeqxkYF9yySOMmuyv8X/fkorgsbjbF4ARTMFsUo5ghDrMsVhyd
         vCoWTjkojC1v5fF67frWzdBNeSu7n4WsTVp97ueInoMFRd/OGexTeF1ClHuicE5YuTLv
         ejGkRkFSf18jhQzPDqwLMzDBt6MWkoD46urSQgQH8b2p4RVrPnZRA30QSfyBgwVmx/dE
         dT7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=JykckUs2gCxAmF14L/8LuyMZHmH7QFoL3RGP2bW/Tt8=;
        b=sVKRJ21PoOegC9vdAf5Ua6dMW2Fdw1LhyAo3LvLaLZ1gD1WSk8kiIb51Auw56JfuZk
         WPryb35vvPFxzstciJhw8A9iTQ2JAJDAFtn81bC8R+c6ND66WjXq1Xv3oVm5C1Wxplu4
         61DYiUMzQHTEItZotO0HDDgySV038o22MzYnenESDfBGOLq0C5FEsaNSZCA0XvRy2+Yt
         tntl4lkIubxBxPGn0h3l+TbJYeb9phNKVOlj/gssZzLII1DN2bHyiKynF2fzemG0A9F5
         gTAr6/4+LJVZ24zXWwYXRKtAmypERVpm3on3ZXQKzz526uedtPvSDhA2b1oft3oBwYRs
         beqg==
X-Gm-Message-State: APjAAAXL9p1JO5JKUc/RN6/ItQDfJUDjvEvQkv4yfgt4u69kCjM+JMWF
        xIB6pQjLfqCRPO0dxTShrMG5rpHijpKS/+894mI=
X-Received: by 2002:a67:cc3:: with SMTP id 186mr3373215vsm.200.1579892935648;
 Fri, 24 Jan 2020 11:08:55 -0800 (PST)
MIME-Version: 1.0
References: <20200124184221.322248-1-cgzones@googlemail.com> <6e33cbcd-31fd-2d50-5d0f-70eb475f9811@tycho.nsa.gov>
In-Reply-To: <6e33cbcd-31fd-2d50-5d0f-70eb475f9811@tycho.nsa.gov>
From:   =?UTF-8?Q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
Date:   Fri, 24 Jan 2020 20:08:44 +0100
Message-ID: <CAJ2a_DcS8e8OjRRHjbYhCphsLi3u=KxX5XorCEA_=5vfN+5q8g@mail.gmail.com>
Subject: Re: [PATCH] selinux: allow kernfs symlinks to inherit parent
 directory context
To:     Stephen Smalley <sds@tycho.nsa.gov>
Cc:     Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@parisplace.org>,
        Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org,
        linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Am Fr., 24. Jan. 2020 um 19:53 Uhr schrieb Stephen Smalley <sds@tycho.nsa.g=
ov>:
>
> On 1/24/20 1:42 PM, Christian G=C3=B6ttsche wrote:
> > Currently symlinks on kernel filesystems, like sysfs, are labeled on
> > creation with the parent fs root sid.
> >
> > Allow symlinks to inherit the parent directory context, so fine-grained
> > kernfs labeling can be applied to symlinks too and checking contexts
> > doesn't complain about them.
> >
> > For backward-compatibility this behavior is contained in a new policy
> > capability: kernfs_sovereign_symlinks
> >
> > Signed-off-by: Christian G=C3=B6ttsche <cgzones@googlemail.com>
> > ---
> >   security/selinux/hooks.c            | 5 ++++-
> >   security/selinux/include/security.h | 8 ++++++++
> >   security/selinux/ss/services.c      | 3 ++-
> >   3 files changed, 14 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index d9e8b2131..1303bc8c4 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -1475,7 +1475,10 @@ static int inode_doinit_with_dentry(struct inode=
 *inode, struct dentry *opt_dent
> >               /* Default to the fs superblock SID. */
> >               sid =3D sbsec->sid;
> >
> > -             if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode=
)) {
> > +             if (((sbsec->flags & SE_SBGENFS) &&
> > +                  (!S_ISLNK(inode->i_mode))) ||
> > +                 (selinux_policycap_kernfs_sovereign_symlinks() &&
>
> Not fond of the name.  1) kernfs is a kernel implementation detail,
> shouldn't be exposed to policy; genfs is the policy construct 2)
> sovereign doesn't seem to fit the meaning of this capability; seclabel
> would be more appropriate.

Something like genfs_seclabel_symlinks?

> > +                  (sbsec->flags & SE_SBGENFS_XATTR))) {
>
> Why limit this to SE_SBGENFS_XATTR filesystems?  Why not just make the te=
st:
>         if ((sbsec->flags & SE_SBGENFS) && (!S_ISLNK(inode->i_mode) ||
> selinux_policycap_genfs_symlinkseclabel()))
> or similar.

I somehow thought that this functionality is limited to filesystems
with SE_SBGENFS_XATTR;
so I can expand the check to SE_SBGENFS.

> >                       /* We must have a dentry to determine the label o=
n
> >                        * procfs inodes */
> >                       if (opt_dentry) {
> > diff --git a/security/selinux/include/security.h b/security/selinux/inc=
lude/security.h
> > index a39f9565d..cc8217848 100644
> > --- a/security/selinux/include/security.h
> > +++ b/security/selinux/include/security.h
> > @@ -79,6 +79,7 @@ enum {
> >       POLICYDB_CAPABILITY_ALWAYSNETWORK,
> >       POLICYDB_CAPABILITY_CGROUPSECLABEL,
> >       POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
> > +     POLICYDB_CAPABILITY_KERNFS_SOVEREIGN_SYMLINKS,
> >       __POLICYDB_CAPABILITY_MAX
> >   };
> >   #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
> > @@ -209,6 +210,13 @@ static inline bool selinux_policycap_nnp_nosuid_tr=
ansition(void)
> >       return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION=
];
> >   }
> >
> > +static inline bool selinux_policycap_kernfs_sovereign_symlinks(void)
> > +{
> > +     struct selinux_state *state =3D &selinux_state;
> > +
> > +     return state->policycap[POLICYDB_CAPABILITY_KERNFS_SOVEREIGN_SYML=
INKS];
> > +}
> > +
> >   int security_mls_enabled(struct selinux_state *state);
> >   int security_load_policy(struct selinux_state *state,
> >                        void *data, size_t len);
> > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/servi=
ces.c
> > index 216ce602a..b70380947 100644
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -73,7 +73,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABI=
LITY_MAX] =3D {
> >       "extended_socket_class",
> >       "always_check_network",
> >       "cgroup_seclabel",
> > -     "nnp_nosuid_transition"
> > +     "nnp_nosuid_transition",
> > +     "kernfs_sovereign_symlinks"
> >   };
> >
> >   static struct selinux_ss selinux_ss;
> >
>