From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jonathan Lebon, Victor Kamensky, Paul Moore, Sasha Levin, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 005/330] selinux: allow labeling before policy is loaded
Date: Thu, 17 Sep 2020 21:55:45 -0400
Message-Id: <20200918020110.2063155-5-sashal@kernel.org>
In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org>
References: <20200918020110.2063155-1-sashal@kernel.org>

From: Jonathan Lebon

[ Upstream commit 3e3e24b42043eceb97ed834102c2d094dfd7aaa6 ]

Currently, the SELinux LSM prevents one from setting the `security.selinux` xattr on an inode without a policy first being loaded. However, this restriction is problematic: it makes it impossible to have newly created files with the correct label before actually loading the policy.

This is relevant in distributions like Fedora, where the policy is loaded by systemd shortly after pivoting out of the initrd. In such instances, all files created prior to pivoting will be unlabeled. One then has to relabel them after pivoting, an operation which inherently races with other processes trying to access those same files.

Going further, there are use cases for creating the entire root filesystem on first boot from the initrd (e.g. Container Linux supports this today[1], and we'd like to support it in Fedora CoreOS as well[2]). One can imagine doing this in two ways: at the block device level (e.g. laying down a disk image), or at the filesystem level. In the former, labeling can simply be part of the image. But even in the latter scenario, one still really wants to be able to set the right labels when populating the new filesystem.

This patch enables this by changing behaviour in the following two ways:

1. allow `setxattr` if we're not initialized
2. don't try to set the in-core inode SID if we're not initialized;
   instead leave it as `LABEL_INVALID` so that revalidation may be
   attempted at a later time

Note the first hunk of this patch is mostly the same as a previously discussed one[3], though it was part of a larger series which wasn't accepted.

[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html
[2] https://github.com/coreos/fedora-coreos-tracker/issues/94
[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html

Co-developed-by: Victor Kamensky
Signed-off-by: Victor Kamensky
Signed-off-by: Jonathan Lebon
Signed-off-by: Paul Moore
Signed-off-by: Sasha Levin --- security/selinux/hooks.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 552e73d90fd25..212f48025db81 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3156,6 +3156,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); } + if (!selinux_state.initialized) + return (inode_owner_or_capable(inode) ? 0 : -EPERM); + sbsec = inode->i_sb->s_security; if (!(sbsec->flags & SBLABEL_MNT)) return -EOPNOTSUPP; @@ -3239,6 +3242,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, return; } + if (!selinux_state.initialized) { + /* If we haven't even been initialized, then we can't validate + * against a policy, so leave the label as invalid. It may + * resolve to a valid label on the next revalidation try if + * we've since initialized. + */ + return; + } + rc = security_context_to_sid_force(&selinux_state, value, size, &newsid); if (rc) { -- 2.25.1
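
Review bot: The new `!selinux_state.initialized` branch in selinux_inode_setxattr() (hunk at -3156) returns before the `SBLABEL_MNT` test that follows it, so before policy load the hook answers 0 where the initialized path would answer -EOPNOTSUPP, and the only remaining gate is `inode_owner_or_capable(inode)`. Unlike the second hunk, this branch carries no comment; add one stating that skipping the mount-flag check and any validation of the supplied context is intentional while no policy is loaded. The outer parentheses around the ternary in `return (inode_owner_or_capable(inode) ? 0 : -EPERM);` are redundant and can be dropped.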
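
Review bot: The comment in the new `!selinux_state.initialized` block of selinux_inode_post_setxattr() (hunk at -3239) says the label is left invalid, but the block only returns and nothing in it sets or checks that state, so the statement depends on code outside this hunk. Name the state the commit message refers to (`LABEL_INVALID`) in the comment and say which path performs the later revalidation, so the hook can be read on its own. As a style point, the comment text starts on the `/*` line; the usual kernel form for a multi-line comment outside the networking tree puts `/*` on a line by itself.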