Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp477014pxx; Mon, 26 Oct 2020 12:53:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyXdBi3zXrkAQsdm11Q8jteSRs6vA4D66U6cE+FPQxcMLFnr6Tn/wc5v3aMBrP+8z1qcjyo X-Received: by 2002:a50:fd17:: with SMTP id i23mr1728441eds.50.1603742015357; Mon, 26 Oct 2020 12:53:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603742015; cv=none; d=google.com; s=arc-20160816; b=QjsWDAbfnZ9QIHJJqmJNdHrN8wGO+ezE8RaPt+isnECyP+5MIeu0RetpgkZdcIihl1 zxm0AHhxDVUTSCfb3jgGepnnCmg2IluQFjiv/3zZgllCp5iH0Xs29rCMH2kOJgPxpaO0 yHsKAheh6XP7BB5K/G1bSnuTvde4qLje0bS3wtCpwN0Dr18KNlLMVs5esFOECtYvFP+m VMR8lbmbi57N9oMETI1hdgJF8/f8lsC6E4Yi9hmBJXLZ13uYgnNWqtx4ubkYJyRy2Cjd nR3KHQkirjt3mqI6wMPhkNZrTMPPfGWFCTutok7Lxfc/Jo9yFgHQCKM7f2epcA/lV84I wREg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=o0HlbzC/PMbUoOBDvB5+gaRsmOaPMHvpgw6up7a4aZQ=; b=mdH1GHgHgHqpfaYpPgvWlG6NW/tsKdXlR0mI10GoKv/FeTki6LZjgt9PrIOdzWPc0y CdVMK2iOdA2O7yDIHGIMBCtpse0Qn+nRuemW/llYuiCKz/0XmtuccVe/3CrlGDCo+RJn fsX8XAyg6f7Z1HScbQIX0oOXaTd4eG4TA8YhNLq3v+coQmGaXK9sppFDD2Xu4BP09HgY CT9r2LeC1NHW+NjrxZePTd9MTh8wkN+phLuUm0XJYsKFNF2QgOoSyVof1CnmemUn64AZ zJw5jN1E5zWkCHyW20FDdhAK8QvaxNzhy8hcLJoF3KXZN0wRhjZiPdyVwLpobmwW8tdJ pmgg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=GBa7YXID; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bu15si7810547ejb.175.2020.10.26.12.53.13; Mon, 26 Oct 2020 12:53:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=GBa7YXID; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1786865AbgJZQ6x (ORCPT + 99 others); Mon, 26 Oct 2020 12:58:53 -0400 Received: from mail-il1-f196.google.com ([209.85.166.196]:45587 "EHLO mail-il1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1786708AbgJZQ5W (ORCPT ); Mon, 26 Oct 2020 12:57:22 -0400 Received: by mail-il1-f196.google.com with SMTP id g7so8953382ilr.12 for ; Mon, 26 Oct 2020 09:57:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o0HlbzC/PMbUoOBDvB5+gaRsmOaPMHvpgw6up7a4aZQ=; b=GBa7YXIDiGtb+Nlv2bI3d/omOSevIhtZXCE3FrV/+H8FYa94InqigxYjoxTL2ZkQSC 30B9g1Y/K8gbpjEsnYDLrRSvP2PbZ221Oeh6zctLkDuFktZhGrZEdNrro6ytt7+vVe7v hkaP6yok+KgFS6aM2skIqVY1ViUnWxzvzAqktv7WjGtMyAffAyOzyqWSkfJwF6UjqWHQ vxvNxJX4FL67jsXfY2luZnUMO+Hs/wFz8yOUnYkn3LuZk48bpKPgE9Ji3Y+w+tqo/XFy h1sr8HK+oSOHprrb3QzJsRIFqserIdqxFIUC5Mn6sYhwferk3qADftvOvr73s6ubj9Js Zdlw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o0HlbzC/PMbUoOBDvB5+gaRsmOaPMHvpgw6up7a4aZQ=; b=nL2jmoZYxC1rAX+mq1Pfi8QEFrANFIWuF2TIotGkiIb/1rSYvMH5tlqpW9DJ31/JTp BHUas+mcEB7cMmv2YYhJO3qN/b3CXhh0SnHvKhHC5bMhoXcmCTvFcAdJS8WEVwJtEGKf 9I8176lras09sIyl8PvJA/2wUOujRiYCx3rL/fHfiu2tgkPoh+k4MR+cUlCYIXYjnu5z mWk3LruEe2t6ZWrgs/saAbk25jwlahE71fXntjeNmhdJm1I/P9CtnFpLB+YjHiyMdCxr r15hWtms8rNd/WPtBWyU5vzp0w5a0XB54KF7pIlO1UwgUrScUXH2anuiXoDDae0v4zzq puow== X-Gm-Message-State: AOAM531cjnL5j6fhYieBhlOm6nFpZ8gKua61K5WQ4nrQ8O1wpmQu3W4q dJ05oaaVk/y9Acsmb/OdiLcZAcNaf46z9ey0eHmiWw== X-Received: by 2002:a05:6e02:5c7:: with SMTP id l7mr11810940ils.43.1603731440940; Mon, 26 Oct 2020 09:57:20 -0700 (PDT) MIME-Version: 1.0 References: <20201011082936.4131726-1-lokeshgidra@google.com> In-Reply-To: <20201011082936.4131726-1-lokeshgidra@google.com> From: Lokesh Gidra Date: Mon, 26 Oct 2020 09:57:09 -0700 Message-ID: Subject: Re: [PATCH v10 0/3] SELinux support for anonymous inodes and UFFD To: Alexander Viro , James Morris , Stephen Smalley , Casey Schaufler , Eric Biggers Cc: "Serge E. Hallyn" , Paul Moore , Eric Paris , Daniel Colascione , Kees Cook , "Eric W. Biederman" , KP Singh , David Howells , Thomas Cedeno , Anders Roxell , Sami Tolvanen , Matthew Garrett , Aaron Goidel , Randy Dunlap , "Joel Fernandes (Google)" , YueHaibing , Christian Brauner , Alexei Starovoitov , Alexey Budankov , Adrian Reber , Aleksa Sarai , Linux FS Devel , linux-kernel , LSM List , SElinux list , Kalesh Singh , Calin Juravle , Suren Baghdasaryan , Nick Kralevich , Jeffrey Vander Stoep , "Cc: Android Kernel" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Oct 11, 2020 at 1:29 AM Lokesh Gidra wrote: > > Userfaultfd in unprivileged contexts could be potentially very > useful. We'd like to harden userfaultfd to make such unprivileged use > less risky. This patch series allows SELinux to manage userfaultfd > file descriptors and in the future, other kinds of > anonymous-inode-based file descriptor. SELinux policy authors can > apply policy types to anonymous inodes by providing name-based > transition rules keyed off the anonymous inode internal name ( > "[userfaultfd]" in the case of userfaultfd(2) file descriptors) and > applying policy to the new SIDs thus produced. > > With SELinux managed userfaultfd, an admin can control creation and > movement of the file descriptors. In particular, handling of > a userfaultfd descriptor by a different process is essentially a > ptrace access into the process, without any of the corresponding > security_ptrace_access_check() checks. For privacy, the admin may > want to deny such accesses, which is possible with SELinux support. > > Inside the kernel, a new anon_inode interface, anon_inode_getfd_secure, > allows callers to opt into this SELinux management. In this new "secure" > mode, anon_inodes create new ephemeral inodes for anonymous file objects > instead of reusing the normal anon_inodes singleton dummy inode. A new > LSM hook gives security modules an opportunity to configure and veto > these ephemeral inodes. > > This patch series is one of two fork of [1] and is an > alternative to [2]. > > The primary difference between the two patch series is that this > partch series creates a unique inode for each "secure" anonymous > inode, while the other patch series ([2]) continues using the > singleton dummy anonymous inode and adds a way to attach SELinux > security information directly to file objects. > > I prefer the approach in this patch series because 1) it's a smaller > patch than [2], and 2) it produces a more regular security > architecture: in this patch series, secure anonymous inodes aren't > S_PRIVATE and they maintain the SELinux property that the label for a > file is in its inode. We do need an additional inode per anonymous > file, but per-struct-file inode creation doesn't seem to be a problem > for pipes and sockets. > > The previous version of this feature ([1]) created a new SELinux > security class for userfaultfd file descriptors. This version adopts > the generic transition-based approach of [2]. > > This patch series also differs from [2] in that it doesn't affect all > anonymous inodes right away --- instead requiring anon_inodes callers > to opt in --- but this difference isn't one of basic approach. The > important question to resolve is whether we should be creating new > inodes or enhancing per-file data. > > Changes from the first version of the patch: > > - Removed some error checks > - Defined a new anon_inode SELinux class to resolve the > ambiguity in [3] > - Inherit sclass as well as descriptor from context inode > > Changes from the second version of the patch: > > - Fixed example policy in the commit message to reflect the use of > the new anon_inode class. > > Changes from the third version of the patch: > > - Dropped the fops parameter to the LSM hook > - Documented hook parameters > - Fixed incorrect class used for SELinux transition > - Removed stray UFFD changed early in the series > - Removed a redundant ERR_PTR(PTR_ERR()) > > Changes from the fourth version of the patch: > > - Removed an unused parameter from an internal function > - Fixed function documentation > > Changes from the fifth version of the patch: > > - Fixed function documentation in fs/anon_inodes.c and > include/linux/lsm_hooks.h > - Used anon_inode_getfd_secure() in userfaultfd() syscall and removed > owner from userfaultfd_ctx. > > Changes from the sixth version of the patch: > > - Removed definition of anon_inode_getfile_secure() as there are no > callers. > - Simplified function description of anon_inode_getfd_secure(). > - Elaborated more on the purpose of 'context_inode' in commit message. > > Changes from the seventh version of the patch: > > - Fixed error handling in _anon_inode_getfile(). > - Fixed minor comment and indentation related issues. > > Changes from the eighth version of the patch: > > - Replaced selinux_state.initialized with selinux_state.initialized > > Changes from the ninth version of the patch: > > - Fixed function names in fs/anon_inodes.c > - Fixed comment of anon_inode_getfd_secure() > - Fixed name of the patch wherein userfaultfd code uses > anon_inode_getfd_secure() > > [1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/ > [2] https://lore.kernel.org/linux-fsdevel/20200213194157.5877-1-sds@tycho.nsa.gov/ > [3] https://lore.kernel.org/lkml/23f725ca-5b5a-5938-fcc8-5bbbfc9ba9bc@tycho.nsa.gov/ > > Daniel Colascione (3): > Add a new LSM-supporting anonymous inode interface > Teach SELinux about anonymous inodes > Use secure anon inodes for userfaultfd > > fs/anon_inodes.c | 148 ++++++++++++++++++++-------- > fs/userfaultfd.c | 19 ++-- > include/linux/anon_inodes.h | 8 ++ > include/linux/lsm_hook_defs.h | 2 + > include/linux/lsm_hooks.h | 9 ++ > include/linux/security.h | 10 ++ > security/security.c | 8 ++ > security/selinux/hooks.c | 53 ++++++++++ > security/selinux/include/classmap.h | 2 + > 9 files changed, 210 insertions(+), 49 deletions(-) > > -- > 2.28.0.1011.ga647a8990f-goog > Any suggestions on how to get VFS folks' (already CC'ed) attention on this patch series? In the meantime, I humbly request the SELinux/LSM/UFFD reviewers/maintainers to provide their reviews.