Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp645048pxb; Fri, 8 Jan 2021 14:25:32 -0800 (PST) X-Google-Smtp-Source: ABdhPJx5OBllTop5Rc5IWpxVoy0BLYs8kEZQlMsj20oioDu67qYKdRBCbeV3nL8fGrUrjeUImOaW X-Received: by 2002:a50:8e19:: with SMTP id 25mr6687089edw.263.1610144732471; Fri, 08 Jan 2021 14:25:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610144732; cv=none; d=google.com; s=arc-20160816; b=plswjqPFrymyWaTcmwzt0Ic2hpNy79GYV7lMQ/if6BxeS1LQsp8UHwaR24qcgHKaXI CKwVlbelaoQ9yW+WdsNk4ulXLHSvPp5iGJnUHb+AkHxideGLbAWMYQN3RJkZt+Vki2p0 3EosWOeeXxEufd0BZjze/mcEbLDkJPJrRWZZ1W+2xhmNfPEpHCCWzqVA/z+kCrc7yCap pa23l5bWCmCz2S3gerf40iIQROUXCQ+let2onvUiUlaI3WqnsQtA6xdddty+SmT4Nu+G n0JqZk7vYVB9r01YG7ogaDrv7knjhN3p9yZJ7/Xc2fzMMda4EY1nLRhdRhEXH3oRufIn mUJA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:mime-version:message-id:date :sender:dkim-signature; bh=LdaCO9PuI/GJnppuVvwg+RGHm8M5CHk4YUsuvcElhEI=; b=NGOSbWuO2RQ9MRWWa2+E5WTrfXewkH1SirK06HzGw56Xw1xsP/68SHKcmorE/7FBw8 goCATmpJ4igQErROvFTThK3Zud/rRdOq/o6OLj3YU2VCanRj7Yg4ZH/FX3CPsD/0Cut+ eCB3+OSoStDEAUD8qecc6+iQR8b7j88NLcBv06ArnPRW3YT8zr/HyeHiJO2QuHwUaVt2 j4EyLpLAvrpnfbfwU+rZxPRc5fqx2kqqANskSV5JAB2FWqsrzFs+oWBrHOdwpYtEGYjb oy+GaCrrQh5ovI+FWGr77dUu6lfV4EJEJCBNmQI0UycFGrRFd0Wo0mo4SLuxZatfGGKc PFXg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Y37jVPhu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g4si4033640edu.577.2021.01.08.14.25.09; Fri, 08 Jan 2021 14:25:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Y37jVPhu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726379AbhAHWXO (ORCPT + 99 others); Fri, 8 Jan 2021 17:23:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44012 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725890AbhAHWXN (ORCPT ); Fri, 8 Jan 2021 17:23:13 -0500 Received: from mail-qt1-x849.google.com (mail-qt1-x849.google.com [IPv6:2607:f8b0:4864:20::849]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6AB69C061799 for ; Fri, 8 Jan 2021 14:22:26 -0800 (PST) Received: by mail-qt1-x849.google.com with SMTP id i13so9303073qtp.10 for ; Fri, 08 Jan 2021 14:22:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=sender:date:message-id:mime-version:subject:from:to:cc; bh=LdaCO9PuI/GJnppuVvwg+RGHm8M5CHk4YUsuvcElhEI=; b=Y37jVPhu7aFRi1H7jZYqdKPFCRwJaJshzfDxyFVi17KLBBtq81c3VrKnsmLu39NrRH 1JGrgnKDiWEUiBKFEjddkAfSg1GOWSpdeEO5oCDCWC54677U4FhLkB1uLGm4Sf6M2KEV Oe+7whKCYR0dDOf2vddxVmfOzbpG75VhrZA/oc7cy7Zgb6uvbDxa+3cL0aefOUaD41Kb 926yrz6I/MSSdvCDUzdqcFQO6ZF/eL6jOOkdY5Is5UTOD12zzZEOiHx2XMghE/CfLzKh B4jgx++MnQo+V1172WX55+C7LpkCndS6LHOo4wDFT9/DnxqW9GwrkwrKUGeEfuB3j13j cW0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:message-id:mime-version:subject:from :to:cc; bh=LdaCO9PuI/GJnppuVvwg+RGHm8M5CHk4YUsuvcElhEI=; b=t7BP6IV7otH9SosAVUNl09JZipOq/N2MPgzerM2Lnw5tOo9DIzCgPvLV1kZSxkgvhS 9yaC1p8TxXgaUz/i2fuufV+txqpywa85NeW0mPN1THEI9wFUHY7ObT1B7T0URZTFFIhZ kOA3hKAAPPYyUk9agBw1et4PzxxfYs9ZG+A0wBWDkQOWjokALxdMA3qJlARlyLcIcmpB gvAapw76akBAVcIc/SRx5B6N8FEFSKgfB62ALn6m+XuQg50rvrjMVu17zn3GffO3zv+n HUxTVovYnXFWbLolIRzO1b5HrnQeyXvojU036FB7PFPV8Hfzs3qD2G4d9Z6TubhmVRhK 0G8w== X-Gm-Message-State: AOAM532fHc/X/UUlw/HeEAeOijX0TtVyk9I6sscWB3RgSlsNPZouFwDI uqjtTr4Lz33e13oW2y8wKPOkLB4z/v++MfNIRA== Sender: "lokeshgidra via sendgmr" X-Received: from lg.mtv.corp.google.com ([2620:15c:211:202:f693:9fff:fef4:29dd]) (user=lokeshgidra job=sendgmr) by 2002:a05:6214:6af:: with SMTP id s15mr5740563qvz.34.1610144545425; Fri, 08 Jan 2021 14:22:25 -0800 (PST) Date: Fri, 8 Jan 2021 14:22:19 -0800 Message-Id: <20210108222223.952458-1-lokeshgidra@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.30.0.284.gd98b1dd5eaa7-goog Subject: [PATCH v15 0/4] SELinux support for anonymous inodes and UFFD From: Lokesh Gidra To: Andrea Arcangeli , Alexander Viro , James Morris , Stephen Smalley , Casey Schaufler , Eric Biggers , Paul Moore Cc: "Serge E. Hallyn" , Eric Paris , Lokesh Gidra , Daniel Colascione , Kees Cook , "Eric W. Biederman" , KP Singh , David Howells , Anders Roxell , Sami Tolvanen , Matthew Garrett , Randy Dunlap , "Joel Fernandes (Google)" , YueHaibing , Christian Brauner , Alexei Starovoitov , Adrian Reber , Aleksa Sarai , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, kaleshsingh@google.com, calin@google.com, surenb@google.com, jeffv@google.com, kernel-team@android.com, linux-mm@kvack.org, Andrew Morton , hch@infradead.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Userfaultfd in unprivileged contexts could be potentially very useful. We'd like to harden userfaultfd to make such unprivileged use less risky. This patch series allows SELinux to manage userfaultfd file descriptors and in the future, other kinds of anonymous-inode-based file descriptor. SELinux policy authors can apply policy types to anonymous inodes by providing name-based transition rules keyed off the anonymous inode internal name ( "[userfaultfd]" in the case of userfaultfd(2) file descriptors) and applying policy to the new SIDs thus produced. With SELinux managed userfaultfd, an admin can control creation and movement of the file descriptors. In particular, handling of a userfaultfd descriptor by a different process is essentially a ptrace access into the process, without any of the corresponding security_ptrace_access_check() checks. For privacy, the admin may want to deny such accesses, which is possible with SELinux support. Inside the kernel, a new anon_inode interface, anon_inode_getfd_secure, allows callers to opt into this SELinux management. In this new "secure" mode, anon_inodes create new ephemeral inodes for anonymous file objects instead of reusing the normal anon_inodes singleton dummy inode. A new LSM hook gives security modules an opportunity to configure and veto these ephemeral inodes. This patch series is one of two fork of [1] and is an alternative to [2]. The primary difference between the two patch series is that this partch series creates a unique inode for each "secure" anonymous inode, while the other patch series ([2]) continues using the singleton dummy anonymous inode and adds a way to attach SELinux security information directly to file objects. I prefer the approach in this patch series because 1) it's a smaller patch than [2], and 2) it produces a more regular security architecture: in this patch series, secure anonymous inodes aren't S_PRIVATE and they maintain the SELinux property that the label for a file is in its inode. We do need an additional inode per anonymous file, but per-struct-file inode creation doesn't seem to be a problem for pipes and sockets. The previous version of this feature ([1]) created a new SELinux security class for userfaultfd file descriptors. This version adopts the generic transition-based approach of [2]. This patch series also differs from [2] in that it doesn't affect all anonymous inodes right away --- instead requiring anon_inodes callers to opt in --- but this difference isn't one of basic approach. The important question to resolve is whether we should be creating new inodes or enhancing per-file data. Changes from the first version of the patch: - Removed some error checks - Defined a new anon_inode SELinux class to resolve the ambiguity in [3] - Inherit sclass as well as descriptor from context inode Changes from the second version of the patch: - Fixed example policy in the commit message to reflect the use of the new anon_inode class. Changes from the third version of the patch: - Dropped the fops parameter to the LSM hook - Documented hook parameters - Fixed incorrect class used for SELinux transition - Removed stray UFFD changed early in the series - Removed a redundant ERR_PTR(PTR_ERR()) Changes from the fourth version of the patch: - Removed an unused parameter from an internal function - Fixed function documentation Changes from the fifth version of the patch: - Fixed function documentation in fs/anon_inodes.c and include/linux/lsm_hooks.h - Used anon_inode_getfd_secure() in userfaultfd() syscall and removed owner from userfaultfd_ctx. Changes from the sixth version of the patch: - Removed definition of anon_inode_getfile_secure() as there are no callers. - Simplified function description of anon_inode_getfd_secure(). - Elaborated more on the purpose of 'context_inode' in commit message. Changes from the seventh version of the patch: - Fixed error handling in _anon_inode_getfile(). - Fixed minor comment and indentation related issues. Changes from the eighth version of the patch: - Replaced selinux_state.initialized with selinux_state.initialized Changes from the ninth version of the patch: - Fixed function names in fs/anon_inodes.c - Fixed comment of anon_inode_getfd_secure() - Fixed name of the patch wherein userfaultfd code uses anon_inode_getfd_secure() Changes from the tenth version of the patch: - Split first patch into VFS and LSM specific patches - Fixed comments in fs/anon_inodes.c - Fixed comment of alloc_anon_inode() Changes from the eleventh version of the patch: - Removed comment of alloc_anon_inode() for consistency with the code - Fixed explanation of LSM hook in the commit message Changes from the twelfth version of the patch: - Replaced FILE__CREATE with ANON_INODE__CREATE while initializing anon-inode's SELinux security struct. - Check context_inode's SELinux label and return -EACCES if it's invalid. Changes from the thirteenth version of the patch: - Initialize anon-inode's sclass with SECCLASS_ANON_INODE. - Check if context_inode has sclass set to SECCLASS_ANON_INODE. Changes from the forteenth version of the patch: - Revert changes of v14. - Use FILE__CREATE (instead of ANON_INODE__CREATE) while initializing anon-inode's SELinux security struct. - Added a pr_err() message if context_inode is not initialized. [1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/ [2] https://lore.kernel.org/linux-fsdevel/20200213194157.5877-1-sds@tycho.nsa.gov/ [3] https://lore.kernel.org/lkml/23f725ca-5b5a-5938-fcc8-5bbbfc9ba9bc@tycho.nsa.gov/ Daniel Colascione (3): fs: add LSM-supporting anon-inode interface selinux: teach SELinux about anonymous inodes userfaultfd: use secure anon inodes for userfaultfd Lokesh Gidra (1): security: add inode_init_security_anon() LSM hook fs/anon_inodes.c | 150 ++++++++++++++++++++-------- fs/libfs.c | 5 - fs/userfaultfd.c | 19 ++-- include/linux/anon_inodes.h | 5 + include/linux/lsm_hook_defs.h | 2 + include/linux/lsm_hooks.h | 9 ++ include/linux/security.h | 10 ++ security/security.c | 8 ++ security/selinux/hooks.c | 57 +++++++++++ security/selinux/include/classmap.h | 2 + 10 files changed, 213 insertions(+), 54 deletions(-) -- 2.30.0.284.gd98b1dd5eaa7-goog