Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp6317pxu;
        Wed, 6 Jan 2021 19:08:17 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzDTBrNzCRUWJE9JTgUlTEiQaBuXVqzieSt4LGezyoWViFftYuTXUJT71vC8bzVMpooDhdJ
X-Received: by 2002:aa7:c3c2:: with SMTP id l2mr80698edr.15.1609988897375;
        Wed, 06 Jan 2021 19:08:17 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1609988897; cv=none;
        d=google.com; s=arc-20160816;
        b=cNTQpbXCSxmDy+1d6PdJBiXH2P1bxDhFpKJm54Y+IdCY/7NiOn465NmDHT3+X0Pfi0
         mKCDgGknwlr4W7YrSsMFP787pdfY4XCFG8xbb880ofakXG8RTfP+N4I+u2KOpEgX1wJa
         Ue+et1Z6nm5ZKLv5koEn791izqbslZqmcigiVmUsYCtk1UdCV/op4xI/9JyRXcC51ptH
         cbYtYjCqaNVB5RZARX+C/rSt4pC8KmJ9AfdIbZr9V9qYDAhFU7I/DGLJr9dmM/Whz7Ex
         Q/NtsrzbuUPmMsl2ThQrkgGiSuTSwHIDfC6a6HZmVqxwvB0tHDCt4w17rbxF5sNw3rH3
         Q1XQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=6kwvfWjFnH4Pc0zsg+cAo49RaImmwcqEmlwY0Dyffcs=;
        b=nR6H6uxGx60lwJ6VBCKS9ses9bKndEQ7sOWDbeDfIzLUdetlC3vTuyH658EA2BG3OZ
         V/VtNqsfxGtI499v9lbCKlnPJdzYN0RNtqMC5XiUFD6hZv+n7wSvUgm0om2FPtCAL02K
         GwPCdgs5TgLApAYG8kuwW+RfnVpJsCU5LUNDw1cpkLeaams55BP2OVqrMH58PxtmR5dj
         Bmz8LZxSclpVLahYB8B81dtZXyIBBPYJI365mwTULSyWuEOoiQHxKIa7wJP7QArz7/AJ
         YZPN9dEs6g1soVGqT5BrJVgHCJRgPPQFS1JFKsKLUPrfaAOf6JLhW9A9OOTNuBId37T4
         8YdA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=M11mc+ji;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id q9si1636426edr.98.2021.01.06.19.07.51;
        Wed, 06 Jan 2021 19:08:17 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=M11mc+ji;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726461AbhAGDEf (ORCPT <rfc822;linux.s.jambekar@gmail.com>
        + 99 others); Wed, 6 Jan 2021 22:04:35 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34094 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726231AbhAGDEe (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Jan 2021 22:04:34 -0500
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 310C5C0612F3
        for <linux-kernel@vger.kernel.org>; Wed,  6 Jan 2021 19:03:54 -0800 (PST)
Received: by mail-ej1-x633.google.com with SMTP id 6so7820786ejz.5
        for <linux-kernel@vger.kernel.org>; Wed, 06 Jan 2021 19:03:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=6kwvfWjFnH4Pc0zsg+cAo49RaImmwcqEmlwY0Dyffcs=;
        b=M11mc+jiW0OYQkc9/dR28NTijrEoOw94j/VOx8Dg07F4MK1+HH6XznVqn9brS7Tmwn
         VZm/q6ON2mOW031Dx5roB5u0XEecDdQ2Alw/urDCe2ZqbsJoKEAJb/XOsX2cjhJpn+tj
         6Cvc74oeTvrjgZ0SBGJvMJOShhHnp01lTaSKxIqJpaSXGUMp2xFnBIBh4ZBvL9VOlQFc
         AL5v3K9JuY4NKBbhAko+8UuCxMJHDBldsqPzgGwiJfGWhVmHo5EvIvvosgAvJtBJz2Rz
         g8RoSYbnLb5SG2lykH7nZ+qGq6TexpA5lxLk+RXeQMoSbpNbYGkh1dufOfQRPUy1NpQ2
         zitw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=6kwvfWjFnH4Pc0zsg+cAo49RaImmwcqEmlwY0Dyffcs=;
        b=AaxUZRcr8MwFrlC4lpRVwxpfLAVF0z+t749KA/e2dConfWlrgFT20eEGGaJdaEvX6M
         pw2YC3v37bZyi3A/BWI8nb7fPyXSVsBKe6CNc6iyWJTmAZPU7sqEUPnXGBhvwZqolbDC
         IxYjVvLmCInXmvdUH9CxndjuCU9OjlnND7q+nNEl1l3gbcW+e5mqGED5F6w9n9+jKdQo
         7+XkjZhHfdcZy64dG2O34RWdfi9zGOyatDkWkXQ5SlRFYO+MqVZKUimbkZdKkBsuqf7M
         wJqzOOCMb1lmwrDDMbdLPKVmuMpZqtj+w2FiZNZj7f82gPLH1ZIXqB9AF5qojoMZTquD
         bP3w==
X-Gm-Message-State: AOAM532t/7uIS1/AWo3jU4e5rbEgKnH6IFY3n+BPrzWzT1eN5jPpskh2
        MxuGr+JBfjSUqjYhpcp528KvaEbDlwQfGfSIZu9l
X-Received: by 2002:a17:906:aec6:: with SMTP id me6mr4825292ejb.542.1609988632573;
 Wed, 06 Jan 2021 19:03:52 -0800 (PST)
MIME-Version: 1.0
References: <20201112015359.1103333-1-lokeshgidra@google.com> <20201112015359.1103333-4-lokeshgidra@google.com>
In-Reply-To: <20201112015359.1103333-4-lokeshgidra@google.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Wed, 6 Jan 2021 22:03:41 -0500
Message-ID: <CAHC9VhS2WNXn2cVAUcAY5AmmBv+=XsthCevofNNuEOU3=jtLrg@mail.gmail.com>
Subject: Re: [PATCH v13 3/4] selinux: teach SELinux about anonymous inodes
To:     Lokesh Gidra <lokeshgidra@google.com>
Cc:     Andrea Arcangeli <aarcange@redhat.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        James Morris <jmorris@namei.org>,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Eric Biggers <ebiggers@kernel.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Eric Paris <eparis@parisplace.org>,
        Daniel Colascione <dancol@dancol.org>,
        Kees Cook <keescook@chromium.org>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        KP Singh <kpsingh@google.com>,
        David Howells <dhowells@redhat.com>,
        Anders Roxell <anders.roxell@linaro.org>,
        Sami Tolvanen <samitolvanen@google.com>,
        Matthew Garrett <matthewgarrett@google.com>,
        Aaron Goidel <acgoide@tycho.nsa.gov>,
        Randy Dunlap <rdunlap@infradead.org>,
        "Joel Fernandes (Google)" <joel@joelfernandes.org>,
        YueHaibing <yuehaibing@huawei.com>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Alexei Starovoitov <ast@kernel.org>,
        Alexey Budankov <alexey.budankov@linux.intel.com>,
        Adrian Reber <areber@redhat.com>,
        Aleksa Sarai <cyphar@cyphar.com>,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
        kaleshsingh@google.com, calin@google.com, surenb@google.com,
        jeffv@google.com, kernel-team@android.com, linux-mm@kvack.org,
        Andrew Morton <akpm@linux-foundation.org>, hch@infradead.org,
        Daniel Colascione <dancol@google.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 11, 2020 at 8:54 PM Lokesh Gidra <lokeshgidra@google.com> wrote:
> From: Daniel Colascione <dancol@google.com>
>
> This change uses the anon_inodes and LSM infrastructure introduced in
> the previous patches to give SELinux the ability to control
> anonymous-inode files that are created using the new
> anon_inode_getfd_secure() function.
>
> A SELinux policy author detects and controls these anonymous inodes by
> adding a name-based type_transition rule that assigns a new security
> type to anonymous-inode files created in some domain. The name used
> for the name-based transition is the name associated with the
> anonymous inode for file listings --- e.g., "[userfaultfd]" or
> "[perf_event]".
>
> Example:
>
> type uffd_t;
> type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
> allow sysadm_t uffd_t:anon_inode { create };
>
> (The next patch in this series is necessary for making userfaultfd
> support this new interface.  The example above is just
> for exposition.)
>
> Signed-off-by: Daniel Colascione <dancol@google.com>
> Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
> ---
>  security/selinux/hooks.c            | 56 +++++++++++++++++++++++++++++
>  security/selinux/include/classmap.h |  2 ++
>  2 files changed, 58 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6b1826fc3658..d092aa512868 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2927,6 +2927,61 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
>         return 0;
>  }
>
> +static int selinux_inode_init_security_anon(struct inode *inode,
> +                                           const struct qstr *name,
> +                                           const struct inode *context_inode)
> +{
> +       const struct task_security_struct *tsec = selinux_cred(current_cred());
> +       struct common_audit_data ad;
> +       struct inode_security_struct *isec;
> +       int rc;
> +
> +       if (unlikely(!selinux_initialized(&selinux_state)))
> +               return 0;
> +
> +       isec = selinux_inode(inode);
> +
> +       /*
> +        * We only get here once per ephemeral inode.  The inode has
> +        * been initialized via inode_alloc_security but is otherwise
> +        * untouched.
> +        */
> +
> +       if (context_inode) {
> +               struct inode_security_struct *context_isec =
> +                       selinux_inode(context_inode);
> +               if (context_isec->initialized != LABEL_INITIALIZED)
> +                       return -EACCES;
> +
> +               isec->sclass = context_isec->sclass;

Taking the object class directly from the context_inode is
interesting, and I suspect problematic.  In the case below where no
context_inode is supplied the object class is set to
SECCLASS_ANON_INODE, which is correct, but when a context_inode is
supplied there is no guarantee that the object class will be set to
SECCLASS_ANON_INODE.  This could both pose a problem for policy
writers (how do you distinguish the anon inode from other normal file
inodes in this case?) as well as an outright fault later in this
function when we try to check the ANON_INODE__CREATE on an object
other than a SECCLASS_ANON_INODE object.

It works in the userfaultfd case because the context_inode is
originally created with this function so the object class is correctly
set to SECCLASS_ANON_INODE, but can we always guarantee that to be the
case?  Do we ever need or want to support using a context_inode that
is not SECCLASS_ANON_INODE?

> +               isec->sid = context_isec->sid;
> +       } else {
> +               isec->sclass = SECCLASS_ANON_INODE;
> +               rc = security_transition_sid(
> +                       &selinux_state, tsec->sid, tsec->sid,
> +                       isec->sclass, name, &isec->sid);
> +               if (rc)
> +                       return rc;
> +       }
> +
> +       isec->initialized = LABEL_INITIALIZED;
> +
> +       /*
> +        * Now that we've initialized security, check whether we're
> +        * allowed to actually create this type of anonymous inode.
> +        */
> +
> +       ad.type = LSM_AUDIT_DATA_INODE;
> +       ad.u.inode = inode;
> +
> +       return avc_has_perm(&selinux_state,
> +                           tsec->sid,
> +                           isec->sid,
> +                           isec->sclass,
> +                           ANON_INODE__CREATE,
> +                           &ad);
> +}

-- 
paul moore
www.paul-moore.com