Date: Fri, 7 Aug 2020 15:49:38 -0700
Message-Id: <20200807224941.3440722-1-lokeshgidra@google.com>
Subject: [PATCH v6 0/3] SELinux support for anonymous inodes and UFFD
From: Lokesh Gidra
To: Alexander Viro, James Morris, Stephen Smalley, Casey Schaufler, Eric Biggers
Cc: "Serge E. Hallyn", Paul Moore, Eric Paris, Lokesh Gidra, Daniel Colascione, Kees Cook, "Eric W. Biederman", KP Singh, David Howells, Thomas Cedeno, Anders Roxell, Sami Tolvanen, Matthew Garrett, Aaron Goidel, Randy Dunlap, "Joel Fernandes (Google)", YueHaibing, Christian Brauner, Alexei Starovoitov, Alexey Budankov, Adrian Reber, Aleksa Sarai, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, kaleshsingh@google.com, calin@google.com, surenb@google.com, nnk@google.com, jeffv@google.com, kernel-team@android.com
X-Mailing-List: linux-kernel@vger.kernel.org

Userfaultfd in unprivileged contexts could be potentially very useful. We'd like to harden userfaultfd to make such unprivileged use less risky.
This patch series allows SELinux to manage userfaultfd file descriptors and, in the future, other kinds of anonymous-inode-based file descriptors. SELinux policy authors can apply policy types to anonymous inodes by providing name-based transition rules keyed off the anonymous inode internal name ("[userfaultfd]" in the case of userfaultfd(2) file descriptors) and applying policy to the new SIDs thus produced. Inside the kernel, a pair of new anon_inodes interfaces, anon_inode_getfile_secure and anon_inode_getfd_secure, allow callers to opt into this SELinux management. In this new "secure" mode, anon_inodes creates new ephemeral inodes for anonymous file objects instead of reusing the normal anon_inodes singleton dummy inode. A new LSM hook gives security modules an opportunity to configure and veto these ephemeral inodes.

This patch series is one of two forks of [1] and is an alternative to [2]. The primary difference between the two patch series is that this patch series creates a unique inode for each "secure" anonymous inode, while the other patch series ([2]) continues using the singleton dummy anonymous inode and adds a way to attach SELinux security information directly to file objects.

I prefer the approach in this patch series because 1) it's a smaller patch than [2], and 2) it produces a more regular security architecture: in this patch series, secure anonymous inodes aren't S_PRIVATE and they maintain the SELinux property that the label for a file is in its inode. We do need an additional inode per anonymous file, but per-struct-file inode creation doesn't seem to be a problem for pipes and sockets.

The previous version of this feature ([1]) created a new SELinux security class for userfaultfd file descriptors. This version adopts the generic transition-based approach of [2].
This patch series also differs from [2] in that it doesn't affect all anonymous inodes right away --- instead requiring anon_inodes callers to opt in --- but this difference isn't one of basic approach. The important question to resolve is whether we should be creating new inodes or enhancing per-file data.

Changes from the first version of the patch:
- Removed some error checks
- Defined a new anon_inode SELinux class to resolve the ambiguity in [3]
- Inherit sclass as well as descriptor from context inode

Changes from the second version of the patch:
- Fixed example policy in the commit message to reflect the use of the new anon_inode class.

Changes from the third version of the patch:
- Dropped the fops parameter to the LSM hook
- Documented hook parameters
- Fixed incorrect class used for SELinux transition
- Removed stray UFFD changes early in the series
- Removed a redundant ERR_PTR(PTR_ERR())

Changes from the fourth version of the patch:
- Removed an unused parameter from an internal function
- Fixed function documentation

Changes from the fifth version of the patch:
- Fixed function documentation in fs/anon_inodes.c and include/linux/lsm_hooks.h
- Used anon_inode_getfd_secure() in userfaultfd() syscall and removed owner from userfaultfd_ctx.
[1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/
[2] https://lore.kernel.org/linux-fsdevel/20200213194157.5877-1-sds@tycho.nsa.gov/
[3] https://lore.kernel.org/lkml/23f725ca-5b5a-5938-fcc8-5bbbfc9ba9bc@tycho.nsa.gov/

Daniel Colascione (3):
  Add a new LSM-supporting anonymous inode interface
  Teach SELinux about anonymous inodes
  Wire UFFD up to SELinux

 fs/anon_inodes.c                    | 193 ++++++++++++++++++++++------
 fs/userfaultfd.c                    |  23 ++--
 include/linux/anon_inodes.h         |  13 ++
 include/linux/lsm_hook_defs.h       |   2 +
 include/linux/lsm_hooks.h           |   7 +
 include/linux/security.h            |   3 +
 security/security.c                 |   9 ++
 security/selinux/hooks.c            |  53 ++++++++
 security/selinux/include/classmap.h |   2 +
 9 files changed, 255 insertions(+), 50 deletions(-)

-- 
2.28.0.236.gb10cc79966-goog
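The cover letter above describes the labelling flow for a "secure" anonymous inode: a name-based type_transition on the new anon_inode class, keyed on the internal name such as "[userfaultfd]", picks the label for the fresh inode, or the inode inherits its class and label from a context inode, and the creating task then needs permission on the result. The following Python model is an added example of that decision, not code from this series or from the kernel. The policy rule tables, the type names sysadm_t, uffd_t and user_t, the 'create' permission check, and the no-rule fallback (the object keeps the target's type, as SELinux does for file-like classes) are assumptions made for the illustration; only the anon_inode class, the "[userfaultfd]" name and the context-inode inheritance come from the series.

```python
"""Toy model of the anon_inode labelling decision described in the
cover letter. Constructed policy tables stand in for a loaded SELinux
policy; this is an illustration of the design, not the kernel's code."""
from dataclasses import dataclass

ANON_INODE_CLASS = "anon_inode"

# Constructed toy policy, written here in SELinux TE syntax for reference:
#   type uffd_t;
#   type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
#   allow sysadm_t uffd_t : anon_inode { create read write };
TYPE_TRANSITIONS = {
    # (source type, target type, class, object name) -> resulting type
    ("sysadm_t", "sysadm_t", ANON_INODE_CLASS, "[userfaultfd]"): "uffd_t",
}
ALLOW_RULES = {
    # (source type, target type, class) -> granted permissions
    ("sysadm_t", "uffd_t", ANON_INODE_CLASS): {"create", "read", "write"},
}


@dataclass(frozen=True)
class InodeLabel:
    """The security information the model keeps per inode: type and class."""
    type_: str
    sclass: str


def transition_type(source, target, sclass, name):
    """Name-based type_transition lookup. With no matching rule the new
    object keeps the target's type (assumed SELinux default for
    file-like object classes)."""
    return TYPE_TRANSITIONS.get((source, target, sclass, name), target)


def allowed(source, target, sclass, perm):
    """Access-vector check against the toy allow table."""
    return perm in ALLOW_RULES.get((source, target, sclass), set())


def label_anon_inode(task_type, name, context_inode=None):
    """Return (label, create_allowed) for a new secure anonymous inode.

    With a context inode the new inode inherits that inode's type and
    class (the "inherit sclass as well as descriptor" behaviour the
    changelog mentions). Without one, the label is derived by a
    transition from the creating task's type, keyed on the internal
    name, on the anon_inode class. In both cases the creating task must
    hold the (assumed) 'create' permission on the resulting label, or
    the LSM hook vetoes the inode.
    """
    if context_inode is not None:
        label = InodeLabel(context_inode.type_, context_inode.sclass)
    else:
        new_type = transition_type(task_type, task_type, ANON_INODE_CLASS, name)
        label = InodeLabel(new_type, ANON_INODE_CLASS)
    ok = allowed(task_type, label.type_, label.sclass, "create")
    return label, ok


if __name__ == "__main__":
    # A domain with a transition rule gets a distinct uffd_t label.
    print(label_anon_inode("sysadm_t", "[userfaultfd]"))
    # A domain without a rule keeps its own type and is denied by default.
    print(label_anon_inode("user_t", "[userfaultfd]"))
```

The second case is the point of the design from a hardening view: a domain that the policy author has not written rules for does not silently get a userfaultfd descriptor labelled with some generic type; it keeps its own type as the target and, absent an allow rule, the creation is denied.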