Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp5587856ybv; Tue, 11 Feb 2020 19:19:02 -0800 (PST) X-Google-Smtp-Source: APXvYqwqdrhO9QC6X8j+gw3DdKJ6YHDs36ykJPlMRHJN+VkUK3+YbuRenzc0dA/Gnkirm0CDyxHz X-Received: by 2002:aca:3114:: with SMTP id x20mr5016073oix.121.1581477542006; Tue, 11 Feb 2020 19:19:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581477541; cv=none; d=google.com; s=arc-20160816; b=erlCsg43BYT3WRZgObM9119ylplpR3k+naeZhAlJBLLxo0b8QkbzmZRkE7yohyafIE BpLoLMJ4NvHV9KL6plrywvnFI+2KgHVUvkOosIGoowuPhml9KWfoB0agLQuy+/n67xsM MQw0oi4g1tTduD1xwdgeSo/qvUuPyYq0445WyhjYO6NniZ2oZhQfDsMqYnBurVABPJGi xdLg/zFgXvQ+y4mhsTfluomwwPykvtJF8YNugAe7fgQxQxcXNH2nvx5l9LMIU5FJ6yYb U/8ZeQFcBE97pO8cKoBL0HXJz8MbopOy14uqpKMAMDwx5VjeYR3lN+OhW9aJkIMVTvvX ffSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=RE15EJdsIKQxzRJbIxCFVMJk+0seSzUjqA6IxkKMdfg=; b=osaIazu1DIFhkx0Fx6Ik1Z7GfGTA6FlE6JKAP3j2pi9efneI3TWF9nBj270FGUMlym v2dnEgIUCv8WVPdXj6vQFatbNMlhV43CTciVsChI5zUezJ9g7IEmyK4x4Bx1jsmco5e0 kbDdJdp3Ay8PZBJxGOOq6RzhLdcnaJUJJS+XRPeUXn1e+IzWRgXIl8n11GYj6KUpghzn OrcuU9kOGJGgd4MJmEkWec+tZbTksRJnbrSL3lZFYGQ1iAIZQGywbqzshQnS9lYhC18h +LoQB0ZNJs8g/bk4wEhLJGHPp6SuAZ1bt+4SdSBiX3sw6QvWF9s7Wpf7N7hgsyheHGh/ v0Fw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=uj1wCy2g; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a25si3065885otr.39.2020.02.11.19.18.49; Tue, 11 Feb 2020 19:19:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=uj1wCy2g; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727833AbgBLDR3 (ORCPT + 99 others); Tue, 11 Feb 2020 22:17:29 -0500 Received: from mail-ed1-f68.google.com ([209.85.208.68]:39387 "EHLO mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727602AbgBLDR3 (ORCPT ); Tue, 11 Feb 2020 22:17:29 -0500 Received: by mail-ed1-f68.google.com with SMTP id m13so687509edb.6 for ; Tue, 11 Feb 2020 19:17:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RE15EJdsIKQxzRJbIxCFVMJk+0seSzUjqA6IxkKMdfg=; b=uj1wCy2gPcCZ7S0AqU83K19vwujH6Ply0s+P839a507GXDuVJ9UCPZM7BTeN3SVrxC G6Eq8RvMDyjxdDNAEOIfrViZlwMxEsbHxm5eiQiXIUzywzwWV0UzFce5IOmncS+MEuo1 9IU0AQW1kaFebYy6+WKjDu9CaC3dIH9RadhTkJex6VkgeRrL7vLnxTLOoHLsfr6A+Bf+ MY33psuPYIm2DbE7fj7419TLPxz/R+tElbTiifLgwrhEi4J/14HYFBG6Q4RxU+YTsnuS lYWNKP4fRpaa9+nbtrL3L3qh1PZUVzU/VuNU7pY1uXxhd8LNY2BbQLUDaEBU2CMqW8sm E9Ow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RE15EJdsIKQxzRJbIxCFVMJk+0seSzUjqA6IxkKMdfg=; b=td+TXlYgCRT8Qklzv5owQgQPqaZzyEYcx77F08rTPrWjrHDSnqL11krambywSDsHaR 8/9j+f3qzELi2iiDelZLkf0+P3B1nBDGVafvDsC7bIJDc7VSDnsTcxmbGza70LSU/T28 Fbbh+Tu7nsR7BMEg+o4Dd/+isD9PAt3QVjfKkA9+bxj4f2FB7FE7LfeqPNYdKhqMrIiI WK/wWIKvRRnjnVZQeDmamB/fE/QyRXeVD6hvS3kNyh24MvAG+1atdDqcIVQFLb7/knRy 7we6ZI2kNa5zM/dx/Xa3jqbVuL7TFCvunDKGfW/t52LHLl0rY7HE2VTsTOhVoggaGeNQ THtw== X-Gm-Message-State: APjAAAWwoqovOYRcGEHo+/1DAEos039MDhC7xKbntb6oS4/lWmFuCis8 DVKIoFviTa7ylUGhkprWlFdfdEGI7D1xwQD2+GbN X-Received: by 2002:a50:a7a5:: with SMTP id i34mr8996071edc.128.1581477447006; Tue, 11 Feb 2020 19:17:27 -0800 (PST) MIME-Version: 1.0 References: <20200206165527.211350-1-smoreland@google.com> <91465612-2fb2-5985-ba45-d4d9fcf0f70c@tycho.nsa.gov> In-Reply-To: From: Paul Moore Date: Tue, 11 Feb 2020 22:17:16 -0500 Message-ID: Subject: Re: [PATCH] security: selinux: allow per-file labeling for bpffs To: Stephen Smalley , Steven Moreland , Colin Cross , "Connor O'Brien" , kernel-team@android.com Cc: Eric Paris , keescook@chromium.org, anton@enomsg.org, tony.luck@intel.com, selinux@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 6, 2020 at 1:12 PM Stephen Smalley wrote: > On 2/6/20 12:41 PM, Steven Moreland wrote: > > On Thu, Feb 6, 2020 at 9:35 AM Stephen Smalley wrote: > >> > >> On 2/6/20 12:21 PM, Stephen Smalley wrote: > >>> On 2/6/20 11:55 AM, Steven Moreland wrote: > >>>> From: Connor O'Brien > >>>> > >>>> Add support for genfscon per-file labeling of bpffs files. This allows > >>>> for separate permissions for different pinned bpf objects, which may > >>>> be completely unrelated to each other. > >>> > >>> Do you want bpf fs to also support userspace labeling of files via > >>> setxattr()? If so, you'll want to also add it to > >>> selinux_is_genfs_special_handling() as well. > >>> > > > > Android doesn't currently have this use case. > > > >>> The only caveat I would note here is that it appears that bpf fs > >>> supports rename, link, unlink, rmdir etc by userspace, which means that > >>> name-based labeling via genfscon isn't necessarily safe/stable. See > >>> https://github.com/SELinuxProject/selinux-kernel/issues/2 > >>> > > > > Android restricts ownership of these files to a single process (bpfloader) and > > so this isn't a concern in our architecture. Is it a concern in general? > > I guess if the inodes are pinned in memory, then only the original name > under which the file is created will be relevant to determining the > label and subsequent rename/link operations won't have any effect. So as > long as the bpfloader creates the files with the same names being > specified in policy, that should line up and be stable for the lifecycle > of the inode. > > The alternative model is to have bpfloader look up a context from the > userspace file_contexts configuration via selabel_lookup(3) and friends, > and set it on the file explicitly. That's what e.g. ueventd does for > device nodes. However, one difference here is that you could currently > only do this via setxattr()/setfilecon() after creating the file so that > the file would temporarily exist in the default label for bpf fs, if > that matters. ueventd can instead use setfscreatecon(3) before creating > the file so that it is originally created in the right label but that > requires the filesystem to call security_inode_init_security() from its > function that originally creates the inode, which tmpfs/devtmpfs does > but bpf does not. So you'd have to add that to the bpf filesystem code > if you wanted to support setfscreatecon(3) on it. Considering the relative maturity of bpf, and bpffs, I think it's okay to take this small step right now, with the understanding that more work may need to be done, depending on how this is generally adopted by distros and users (for those of you not following the other thread, I've merged the v3 draft of this patch). However, I've been noticing a trend from the Android folks of tossing patches over the wall without much thought beyond the Android use case. I understand the Android devs have a job to do, and products to focus on, but I would strongly encourage them to think a bit longer about more general use cases before submitting patches upstream. -- paul moore www.paul-moore.com