Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1045006ybb;
        Wed, 1 Apr 2020 14:39:53 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vuC5iFqq14h8Op4ob5pq4zdgkhO9Z2CnvIy/tZ3A/sGWTKM+YGVYaPisb8+2No3CkyXLbAn
X-Received: by 2002:a9d:2074:: with SMTP id n107mr18103590ota.306.1585777193104;
        Wed, 01 Apr 2020 14:39:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585777193; cv=none;
        d=google.com; s=arc-20160816;
        b=BT4NH/YOuxtPSt11FUwsxg0oUQiYpzX9hhATUHRK2Nx7bc6Lciezclb4V/znkDd+5e
         o0m1GAPMdUFhTTZyNLkr6XdN8jhjpgfebNpO0KP7UtD6YPGG6PXEY1YzacE122FLQ1KB
         jZfzoSiwsckp0i3Nt+djbcnOrkSFYwGB5lVLMTYsov+uKvMmys89m8Q2mdYYOhzWF5dP
         so5VK+9cG4z2b+Oh5oqlQLuPRDPa8gULb9QfzsblrgsS6StyouS4TqjB2f62Pek59tUL
         aH8A4vuCfCBh2NX9YjpbVH3k7e7ogEdJK8Zm9SzNc16O/DCnYOOeQDeBr3OJ5LZ/uGIM
         xt4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=HAGgUYyHHln+iAOn6yXYvlgWPJe/4zWvRIw0PRHR3XY=;
        b=Pwl8/YDT5cPqvXfeuRwmVCNgAZbz+26Xx6hNrE7+3AK/sqRKEgg13QXqjSwYMDUHk9
         m4XLYFi7yKfVcJr/u8o8vpbmojWEMTZ0rzrlGMJSd78T3MtqFcyjhaQsxM7PKnrwk7qk
         ZVZdY1dQ5y44Z45lI4QMMtZIFE9JkuFS5bxT0roBbcPEG1dBg4Uco7NcGBLek6lSlvWM
         +L6YGYdefhe1wXAxULKMTOBd8kCxszmG3yIGT9o/0I8VsXoxel4f3U1loeU7BdODDiXY
         fz8SDAcZ3wx8Uzfur+CSXcjiqfRXiJtiK7CkZvO8rfRbu3tpe5z+rqkyopWz5oa8fRzK
         CpYQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=HtoDxjxy;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t19si1535321oth.194.2020.04.01.14.39.40;
        Wed, 01 Apr 2020 14:39:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=HtoDxjxy;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732742AbgDAVjN (ORCPT <rfc822;1dalishi1@gmail.com> + 99 others);
        Wed, 1 Apr 2020 17:39:13 -0400
Received: from mail-pg1-f201.google.com ([209.85.215.201]:37094 "EHLO
        mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732537AbgDAVjM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Apr 2020 17:39:12 -0400
Received: by mail-pg1-f201.google.com with SMTP id q15so1195317pgb.4
        for <linux-kernel@vger.kernel.org>; Wed, 01 Apr 2020 14:39:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=HAGgUYyHHln+iAOn6yXYvlgWPJe/4zWvRIw0PRHR3XY=;
        b=HtoDxjxyzs5b33ZeGM32Er5kRybPkg8YGOpir27RQ+bUpw6BX/dsJ2vwWdB3AAxCmG
         bjMfAIMdlb4UR1AIOIFCN+uc1kmAxsGNUeUv/O7Of7mXZUnwD7KGKYartbCqcARuZu5S
         pfkX1UGvumlx5lTd6PNZtdcgvvGSJ7bd4ydHOqBQDCYH8LMYmqHxRXGVp/ZzYI03Cvnf
         V4GJQtkEQ2I/BOGpkkbnC2McxJw07GBcQ5N+j9kMTmPQ3mXOmGip3EI4TVF0z+UmDcdV
         yHb87MmDuy1wgu53qGGYxbpjE5SRwjOxs4/Vz56t9Aqd6UVnoio9UyUMS51Lxck57Al/
         2iVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=HAGgUYyHHln+iAOn6yXYvlgWPJe/4zWvRIw0PRHR3XY=;
        b=k27aXmsaXA+FdhFWraMDayv2VVKnhZxu4K7AR8TCEeqPDjBDT42MlDERHVi33uOic0
         HUaWi9YQ95+zXOMPB+zS7cYIXaVhVjz/59ORb3s/kXxlcN/UtlShthh93NDQrqaUWSKh
         bzCUlVuC2zlXhSN/FEJ7ZEyQIUnOJsmyxZiSoUmgdRNuBgBhXr2gydTjfmadmZaqfm/v
         I5Ytb7ZPU5Bp76a4LmYIaK8oJa9Vf2dxMg+8W6NcfIpu0ghaBqEafyO6QqesKHqpzmqV
         bduXMnxQoArKqLsiTKdAHigMFHj69jh6LXZ7nwBgFPutWkS1vCQZxN28nNBaATUWhAIx
         TMFw==
X-Gm-Message-State: AGi0PuY6YJOdk12e3LQq6OTLldOZ98Dd9ypTzZuNaE02bvfHNIRzC4g8
        fjY37VNylXc9S6iGt9NhDK9datk8MDs=
X-Received: by 2002:a17:90b:3583:: with SMTP id mm3mr13268pjb.123.1585777151523;
 Wed, 01 Apr 2020 14:39:11 -0700 (PDT)
Date:   Wed,  1 Apr 2020 14:39:00 -0700
In-Reply-To: <20200326200634.222009-1-dancol@google.com>
Message-Id: <20200401213903.182112-1-dancol@google.com>
Mime-Version: 1.0
References: <20200326200634.222009-1-dancol@google.com>
X-Mailer: git-send-email 2.26.0.rc2.310.g2932bb562d-goog
Subject: [PATCH v5 0/3] SELinux support for anonymous inodes and UFFD
From:   Daniel Colascione <dancol@google.com>
To:     timmurray@google.com, selinux@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        kvm@vger.kernel.org, viro@zeniv.linux.org.uk, paul@paul-moore.com,
        nnk@google.com, sds@tycho.nsa.gov, lokeshgidra@google.com,
        jmorris@namei.org
Cc:     Daniel Colascione <dancol@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Userfaultfd in unprivileged contexts could be potentially very
useful. We'd like to harden userfaultfd to make such unprivileged use
less risky. This patch series allows SELinux to manage userfaultfd
file descriptors and in the future, other kinds of
anonymous-inode-based file descriptor.  SELinux policy authors can
apply policy types to anonymous inodes by providing name-based
transition rules keyed off the anonymous inode internal name (
"[userfaultfd]" in the case of userfaultfd(2) file descriptors) and
applying policy to the new SIDs thus produced.

Inside the kernel, a pair of new anon_inodes interface,
anon_inode_getfile_secure and anon_inode_getfd_secure, allow callers
to opt into this SELinux management. In this new "secure" mode,
anon_inodes creates new ephemeral inodes for anonymous file objects
instead of reusing the normal anon_inodes singleton dummy inode. A new
LSM hook gives security modules an opportunity to configure and veto
these ephemeral inodes.

This patch series is one of two fork of [1] and is an
alternative to [2].

The primary difference between the two patch series is that this
partch series creates a unique inode for each "secure" anonymous
inode, while the other patch series ([2]) continues using the
singleton dummy anonymous inode and adds a way to attach SELinux
security information directly to file objects.

I prefer the approach in this patch series because 1) it's a smaller
patch than [2], and 2) it produces a more regular security
architecture: in this patch series, secure anonymous inodes aren't
S_PRIVATE and they maintain the SELinux property that the label for a
file is in its inode. We do need an additional inode per anonymous
file, but per-struct-file inode creation doesn't seem to be a problem
for pipes and sockets.

The previous version of this feature ([1]) created a new SELinux
security class for userfaultfd file descriptors. This version adopts
the generic transition-based approach of [2].

This patch series also differs from [2] in that it doesn't affect all
anonymous inodes right away --- instead requiring anon_inodes callers
to opt in --- but this difference isn't one of basic approach. The
important question to resolve is whether we should be creating new
inodes or enhancing per-file data.

Changes from the first version of the patch:

  - Removed some error checks
  - Defined a new anon_inode SELinux class to resolve the
    ambiguity in [3]
  - Inherit sclass as well as descriptor from context inode

Changes from the second version of the patch:

  - Fixed example policy in the commit message to reflect the use of
    the new anon_inode class.

Changes from the third version of the patch:

  - Dropped the fops parameter to the LSM hook
  - Documented hook parameters
  - Fixed incorrect class used for SELinux transition
  - Removed stray UFFD changed early in the series
  - Removed a redundant ERR_PTR(PTR_ERR())

Changes from the fourth version of the patch:

  - Removed an unused parameter from an internal function
  - Fixed function documentation

[1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/
[2] https://lore.kernel.org/linux-fsdevel/20200213194157.5877-1-sds@tycho.nsa.gov/
[3] https://lore.kernel.org/lkml/23f725ca-5b5a-5938-fcc8-5bbbfc9ba9bc@tycho.nsa.gov/

Daniel Colascione (3):
  Add a new LSM-supporting anonymous inode interface
  Teach SELinux about anonymous inodes
  Wire UFFD up to SELinux

 fs/anon_inodes.c                    | 191 ++++++++++++++++++++++------
 fs/userfaultfd.c                    |  30 ++++-
 include/linux/anon_inodes.h         |  13 ++
 include/linux/lsm_hooks.h           |  11 ++
 include/linux/security.h            |   3 +
 security/security.c                 |   9 ++
 security/selinux/hooks.c            |  53 ++++++++
 security/selinux/include/classmap.h |   2 +
 8 files changed, 267 insertions(+), 45 deletions(-)

-- 
2.26.0.rc2.310.g2932bb562d-goog