Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp1451955pxy; Fri, 23 Apr 2021 08:21:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyGs6LbWC+v8j6iJmYlhXMU2DKaFoP2pwsD60p/ikAi6q/hrucyC4axVlThAAsdIu3CZDTo X-Received: by 2002:a17:90b:14c5:: with SMTP id jz5mr3890253pjb.195.1619191276447; Fri, 23 Apr 2021 08:21:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619191276; cv=none; d=google.com; s=arc-20160816; b=PQ4PWGTSB3J54XLKC4RR8CRnL0qNww+lzJba/++1kdUVcLtD1UGgeQJbnze6K1b96Y l76a3xo/GnKE5SS//EYjTDU7Ly6PEjoV9/aLRYBpehkbbYjjzmgHVyNwKityCuKtfvBt iqTImZMN6g94LUgAMwkt1RjNw+AQugjY6vSs/L/Y9JAxMn+w6m0SDcf87hxMqijjTdu7 h5fUFKY1QHa6D5JkMOqN8HrxNoFmO04KOssKZ0nEt65vWm+Q/4NsVqrzJig/wJqW1NDi ulwW6XOc9VcKaP7y1DrD6RIXoOafpX+sbTH78QD2fOVdv3Ms9syfyMXSy2eHo2gUqCZc SRvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=maceZlLfg4OAEQcp6cVbWohUhmFE6QpxzS6f5WTPWNE=; b=pnkbNKpUdZm00VOZWmxV6iemmRx8JHxn7Pymi5VHN651veQbYcMw+qfoA5aLci78zB PJuWk7MVZUxkUcerrP2nXp1iQ6cXrgS5w3+Wqb7acTYu3LN8cIbxXgqhYoXYSAduTSQI LPwdj3XvHAXTMn45RPdBuZBkgAFvu5oQiQp3LMSbP/qgdzApUjAltB44IV7RloWien1Q r+ifHtmjo7FiOQUWFen5pRT27XC0KvXVjrR7olgzkCgM2pHiljlmzP3LFtQs2kcki0tz YzI5Aw/UQf8ZofVYRhEwFutxk0c7QHAD3sOR4u64YorDqAjMLD2X0WzeLag1QGsYTU4I Vy+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=OHGakvkY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x10si6829356pll.145.2021.04.23.08.21.04; Fri, 23 Apr 2021 08:21:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=OHGakvkY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242791AbhDWPUu (ORCPT + 99 others); Fri, 23 Apr 2021 11:20:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53742 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231857AbhDWPUu (ORCPT ); Fri, 23 Apr 2021 11:20:50 -0400 Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 56FF1C061574; Fri, 23 Apr 2021 08:20:13 -0700 (PDT) Received: by mail-lf1-x12f.google.com with SMTP id j18so78114920lfg.5; Fri, 23 Apr 2021 08:20:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=maceZlLfg4OAEQcp6cVbWohUhmFE6QpxzS6f5WTPWNE=; b=OHGakvkYEeEUMLkV2JOjAHwfxeEKV8RVr/JFfpH8TAPbOGL8o3S6gyxzmxLFCjnlpB XbnBsHxaUt/pbcO+LyiUjNu8jM9F82dlSX9fs+9hdPdogsDcbtMIKvy4vOBB9APADkjF zoQc2iJgmW47O2p8z+bZf0ORKBVEI6lyENaeBflViJ1dke3s2kPWQgPI8WfJoAp8yo8T uMxqK4DXlbfmCYkMVurCp8rECkN3XBRA45BLufDNLpI6tD934hU4ZHqWivC6CfprqLYa DkRar6zHg0dGzj4OKBsQPH6OuY4hRDxnoMSxuZ4LWGaIrj4ykqUY7MW1X3o9Tne4K4Lg IZkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=maceZlLfg4OAEQcp6cVbWohUhmFE6QpxzS6f5WTPWNE=; b=qhg2PBCn5XL1YbYtkizV1JEyGn0eDa8IRzH4ho+IkcZ+AWPE8S63k6LPQzeUhzV/1I s5oSZCcTuZBrcZ4alKPntHCY7DaeWenYfZeHadIAhwTNa5G9JyIslIa2kmr154OxltEJ sVNoAZU5lGFaGzfeMOYPEOQeNoG8EBrCh9jgpQYcF0EHqV2OnUPhCmL0Pfd8x15mJDyd kjTYAOqQCzpwSnGiVZcgGCcANVfac9M2SbZG1Xpo2pYJAexXNp0OotTNCjocUSKIn9R9 VJFzLJkVoJh/SCxrGfMEtt1U+rY8dQK5TOpmFl6WOrrzQgNB/xafIz430l7OA72YppQO UCXQ== X-Gm-Message-State: AOAM531PGSV6HPWbOYTsrK/gLIkPX0n3S/DzgJrcoB/RQIILwEUS2cGP wMxcA0ONeZJAq1we+E08sX6x19Kl+IFfVUZvhYwNYjcV X-Received: by 2002:a05:6512:6ca:: with SMTP id u10mr3131852lff.560.1619191211832; Fri, 23 Apr 2021 08:20:11 -0700 (PDT) MIME-Version: 1.0 References: <20210421171446.785507-1-omosnace@redhat.com> <20210421171446.785507-3-omosnace@redhat.com> In-Reply-To: From: Stephen Smalley Date: Fri, 23 Apr 2021 11:20:00 -0400 Message-ID: Subject: Re: [RFC PATCH 2/2] selinux: add capability to map anon inode types to separate classes To: Ondrej Mosnacek Cc: SElinux list , Paul Moore , LSM List , "open list:MEMORY MANAGEMENT" , Linux FS Devel , linux-kernel , Lokesh Gidra Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 23, 2021 at 10:22 AM Stephen Smalley wrote: > > On Fri, Apr 23, 2021 at 9:41 AM Ondrej Mosnacek wrote: > > > > On Thu, Apr 22, 2021 at 3:21 PM Stephen Smalley > > wrote: > > > On Wed, Apr 21, 2021 at 1:14 PM Ondrej Mosnacek wrote: > > > > > > > > Unfortunately, the approach chosen in commit 29cd6591ab6f ("selinux: > > > > teach SELinux about anonymous inodes") to use a single class for all > > > > anon inodes and let the policy distinguish between them using named > > > > transitions turned out to have a rather unfortunate drawback. > > > > > > > > For example, suppose we have two types of anon inodes, "A" and "B", and > > > > we want to allow a set of domains (represented by an attribute "attr_x") > > > > certain set of permissions on anon inodes of type "A" that were created > > > > by the same domain, but at the same time disallow this set to access > > > > anon inodes of type "B" entirely. Since all inodes share the same class > > > > and we want to distinguish both the inode types and the domains that > > > > created them, we have no choice than to create separate types for the > > > > cartesian product of (domains that belong to attr_x) x ("A", "B") and > > > > add all the necessary allow and transition rules for each domain > > > > individually. > > > > > > > > This makes it very impractical to write sane policies for anon inodes in > > > > the future, as more anon inode types are added. Therefore, this patch > > > > implements an alternative approach that assigns a separate class to each > > > > type of anon inode. This allows the example above to be implemented > > > > without any transition rules and with just a single allow rule: > > > > > > > > allow attr_x self:A { ... }; > > > > > > > > In order to not break possible existing users of the already merged > > > > original approach, this patch also adds a new policy capability > > > > "extended_anon_inode_class" that needs to be set by the policy to enable > > > > the new behavior. > > > > > > > > I decided to keep the named transition mechanism in the new variant, > > > > since there might eventually be some extra information in the anon inode > > > > name that could be used in transitions. > > > > > > > > One minor annoyance is that the kernel still expects the policy to > > > > provide both classes (anon_inode and userfaultfd) regardless of the > > > > capability setting and if one of them is not defined in the policy, the > > > > kernel will print a warning when loading the policy. However, it doesn't > > > > seem worth to work around that in the kernel, as the policy can provide > > > > just the definition of the unused class(es) (and permissions) to avoid > > > > this warning. Keeping the legacy anon_inode class with some fallback > > > > rules may also be desirable to keep the policy compatible with kernels > > > > that only support anon_inode. > > > > > > > > Signed-off-by: Ondrej Mosnacek > > > > > > NAK. We do not want to introduce a new security class for every user > > > of anon inodes - that isn't what security classes are for. > > > For things like kvm device inodes, those should ultimately use the > > > inherited context from the related inode (the /dev/kvm inode itself). > > > That was the original intent of supporting the related inode. > > > > Hmm, so are you implying that anon inodes should be thought of the > > same as control /dev nodes? I.e. that even though there may be many > > one-time actual inodes created by different processes, they should be > > thought of as a single "static interface" to the respective kernel > > functionality? That would justify having a common type/label for all > > of them, but I'm not sure if it doesn't open some gap due to the > > possibility to pass the associated file descriptors between processes > > (as AFAIK, these can hold some context)... > > That was the original design (and the original patchset that we posted > in parallel with Google's independently developed one). We even had > example policy/controls for /dev/kvm ioctls. > Imagine trying to write policy over /dev/kvm ioctls where you have to > deal with N different classes and/or types and remember which ioctl > commands are exercised on which class or type even though from the > users' perspective they all occurred through the /dev/kvm interface. > It seemed super fragile and difficult to maintain/analyze that way. > Versus writing a single allow rule for all /dev/kvm ioctls. > > I guess we could discuss the alternatives but please have a look at > those original patches and examples. If we go down this road, we need > some way to deal with scaling because we only have a limited number of > discrete classes available to us and potentially unbounded set of > distinct anon inode users (although hopefully in practice only a few > that we care about distinguishing). Actually, on second thought, we shouldn't be in any danger of running out of classes so nevermind on that point. > > > I thought this was supposed to resemble more the way BPF, perf_event, > > etc. support was implemented - the BPF and perf_event fds are also > > anon inodes under the hood, BTW - where each file descriptor is > > considered a separate object that inherits the label of its creator > > and there is some class separation (e.g. bpf vs. perf_event).