Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp6311830ybv; Wed, 12 Feb 2020 09:47:14 -0800 (PST) X-Google-Smtp-Source: APXvYqxpdHVkN3/yL6H1Z5iS4XL35O21Cj+K7SD5v6/lDbJUiBPnJeGKCQRxYNjK6ToCmNl8WD2m X-Received: by 2002:a05:6808:4cc:: with SMTP id a12mr129732oie.115.1581529634594; Wed, 12 Feb 2020 09:47:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581529634; cv=none; d=google.com; s=arc-20160816; b=VeG6BdS+kRWAwELvtDFTlnRjXwuJtoGELLmpXCWtb1WqWkaKJnybvSKAyMCcj7f4II 38BqQi5tqxoJAkYYpde2Pd5H19rjHoQdNJoaNYYVXBMwYPBNFrQv7TjwoSFs0bYchalY eLSOf4sbWSdSOn1FSIhaDjdPYIQVzruyx8VIowLQjeKuRHCpKrTKKKbOtEqd0YWoRItl rfST+nRzevIU00m/lQ1F40qABH7NsAGFtwrngqWVuxslsCB4hOi0RAoVWgSm2IQ01xbH 2wBBLBc76xBHyCA4sS+DxupZ0jlUpqWXG57b8KgpqUtWEGKLbiX6XfCpAjnkGQeM56Yr dgkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=8rx4KTasodBWEXi7d3hPmVYKTRypri6hdxgzackSE/8=; b=TCWIEEkd2EcvzgngJfvl6qjdUKeRPTBDK1tH0q2Oex8wEFVBBpMCarf9JpkeHzw7t7 WvxxkPP2yBxRwzgPKzAEkx1Gv39rjnhuEdhAGgfNJi97FXXEFhA3ICXLsYByIHQjwQ9H NueA1M40skzfR/XAlZMn4kYAMnKAoUulhbl7Wo/atbqsP24yN00mwRD0q5mpN29UrFgC 03CYsy9dS/NoyrUwNPC7HO9+u9cYF4+EQYWwVrdQU1V+cWBRvfUzqOiTiiTWMh3gWWaQ xAaVukaCFt5TxYI5Z+AQLGsRIEL3LMesDUoK/1SE0yqidbhE+9gaS534vKXOlYHU1Go5 WY6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=RgNyFI+7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a64si3432700oif.256.2020.02.12.09.47.02; Wed, 12 Feb 2020 09:47:14 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=RgNyFI+7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728098AbgBLRq2 (ORCPT + 99 others); Wed, 12 Feb 2020 12:46:28 -0500 Received: from mail-wm1-f68.google.com ([209.85.128.68]:37840 "EHLO mail-wm1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726728AbgBLRq2 (ORCPT ); Wed, 12 Feb 2020 12:46:28 -0500 Received: by mail-wm1-f68.google.com with SMTP id a6so3571986wme.2 for ; Wed, 12 Feb 2020 09:46:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8rx4KTasodBWEXi7d3hPmVYKTRypri6hdxgzackSE/8=; b=RgNyFI+76hVVd9bLK+K7AyL04E02I76wIucJMcXl5K7Xs9e29L1e4y6DmBJ+cmRDO1 ekSS0P7f1Xn0j9tKFIMDKj48bggpN/JKyvPJeTOZ2EPXCC+DXsXy2DA7IRllzEfRwwTN NtkZAe82wVvZRE9Reu8M/e/zPM0CxKWLVjhAgqzc+8mA6m/oYjRy57M2JxAn9W8UIogk XYREUeWh3nHSN67bcWeY5YCezRcArl8cVZgLSYxIssxyO87A1LVKKPRBzyz+kF+XhuGa 8ReZcAViIyAVTE+is3eatf34Nsf3WAUqhHx6AXiIbyqCjX6vI0xxq6xwAvSomJD1ysNT ZhTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8rx4KTasodBWEXi7d3hPmVYKTRypri6hdxgzackSE/8=; b=JL7YeH+RPKkq6SI8clCqI5yca9AX1dZAh8OE3DeoLg0jH0HVodK+zc7iXqVfckGcCS oWis4QbcgEVwcC5ASsWi1hrIVRO7uT4CMJcHqM5iPFBi6Qu6Flhksmnu9B1QquklCu/9 97EQ8rOQ4i7p/zgboVNAUrRJ2nNCSPp2/Tlx0iylFDjoZYleiDgGw6GDSstArpEuSDzA FuL2jQ46WUgH/VL2wGLu+H4joTy4PxjAWqj1FnHzvG/Z/n2nT4GIBaUP1Msph73ngMel /jilTy7NmoXAEwt8j6udD84BcXwIjfsPFEg11nd41xmpj+xSx0SPaT7Kh3bYqq6amzSF EJ+g== X-Gm-Message-State: APjAAAV00QF9c/G46R3joTiaQ72PwsTr9B2x5k5XiLybNDYJn8ewMl7e 8qOuNWGtWep2TFhb4o/kSmYlCoAo+HG26bpCgI4xIA== X-Received: by 2002:a7b:c1da:: with SMTP id a26mr178793wmj.155.1581529585441; Wed, 12 Feb 2020 09:46:25 -0800 (PST) MIME-Version: 1.0 References: <20200206165527.211350-1-smoreland@google.com> <91465612-2fb2-5985-ba45-d4d9fcf0f70c@tycho.nsa.gov> In-Reply-To: From: Steven Moreland Date: Wed, 12 Feb 2020 09:46:13 -0800 Message-ID: Subject: Re: [PATCH] security: selinux: allow per-file labeling for bpffs To: Paul Moore Cc: Stephen Smalley , Colin Cross , "Connor O'Brien" , kernel-team@android.com, Eric Paris , Kees Cook , anton@enomsg.org, tony.luck@intel.com, selinux@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org And I strongly encourage our downstream in the same way :) I try, I try. However, I am a n00b here (thanks for merging "my" first linux patch). Looking at this code, I was wondering, why isn't SELinux labelling completely orthogonal to the fs type? Is this a measurable memory/performance thing? On Tue, Feb 11, 2020 at 7:17 PM Paul Moore wrote: > > On Thu, Feb 6, 2020 at 1:12 PM Stephen Smalley wrote: > > On 2/6/20 12:41 PM, Steven Moreland wrote: > > > On Thu, Feb 6, 2020 at 9:35 AM Stephen Smalley wrote: > > >> > > >> On 2/6/20 12:21 PM, Stephen Smalley wrote: > > >>> On 2/6/20 11:55 AM, Steven Moreland wrote: > > >>>> From: Connor O'Brien > > >>>> > > >>>> Add support for genfscon per-file labeling of bpffs files. This allows > > >>>> for separate permissions for different pinned bpf objects, which may > > >>>> be completely unrelated to each other. > > >>> > > >>> Do you want bpf fs to also support userspace labeling of files via > > >>> setxattr()? If so, you'll want to also add it to > > >>> selinux_is_genfs_special_handling() as well. > > >>> > > > > > > Android doesn't currently have this use case. > > > > > >>> The only caveat I would note here is that it appears that bpf fs > > >>> supports rename, link, unlink, rmdir etc by userspace, which means that > > >>> name-based labeling via genfscon isn't necessarily safe/stable. See > > >>> https://github.com/SELinuxProject/selinux-kernel/issues/2 > > >>> > > > > > > Android restricts ownership of these files to a single process (bpfloader) and > > > so this isn't a concern in our architecture. Is it a concern in general? > > > > I guess if the inodes are pinned in memory, then only the original name > > under which the file is created will be relevant to determining the > > label and subsequent rename/link operations won't have any effect. So as > > long as the bpfloader creates the files with the same names being > > specified in policy, that should line up and be stable for the lifecycle > > of the inode. > > > > The alternative model is to have bpfloader look up a context from the > > userspace file_contexts configuration via selabel_lookup(3) and friends, > > and set it on the file explicitly. That's what e.g. ueventd does for > > device nodes. However, one difference here is that you could currently > > only do this via setxattr()/setfilecon() after creating the file so that > > the file would temporarily exist in the default label for bpf fs, if > > that matters. ueventd can instead use setfscreatecon(3) before creating > > the file so that it is originally created in the right label but that > > requires the filesystem to call security_inode_init_security() from its > > function that originally creates the inode, which tmpfs/devtmpfs does > > but bpf does not. So you'd have to add that to the bpf filesystem code > > if you wanted to support setfscreatecon(3) on it. > > Considering the relative maturity of bpf, and bpffs, I think it's okay > to take this small step right now, with the understanding that more > work may need to be done, depending on how this is generally adopted > by distros and users (for those of you not following the other thread, > I've merged the v3 draft of this patch). > > However, I've been noticing a trend from the Android folks of tossing > patches over the wall without much thought beyond the Android use > case. I understand the Android devs have a job to do, and products to > focus on, but I would strongly encourage them to think a bit longer > about more general use cases before submitting patches upstream. > > -- > paul moore > www.paul-moore.com