Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp1648356pxb; Fri, 1 Oct 2021 16:00:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJza4JYVvXEa5bP48fzOButE0nHrHuQ5enNDPbVFGi9BOxYEyECGoqFCLb6MpBCGRSyHo5L1 X-Received: by 2002:a17:90a:8c82:: with SMTP id b2mr22986586pjo.173.1633129252415; Fri, 01 Oct 2021 16:00:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633129252; cv=none; d=google.com; s=arc-20160816; b=arkqAkx2vMVhP/oMdZLDZr6/0JtYuecUM+4c3m530P5xny/goklunp0Nk4IUr062NW GD4231quqrvo0jamf7LPMSIFyB24GP4LQJ0oXICJFVrVtFddqvPu6FdwUdaPkzQzBEUi o4w6beZ1IlzTGe2lKrheTH0HIRjIpDCwrz5dDrSX8cYBfY8TnUriLo5p7VgGAP25syRe Noou3mkJ6bzLRY5QdIvsvSz8MYMQT0r2HD35vwaZGyeZ6PZ62moIJkYQ8Ju70rmYluQ6 b04CquEEsGpxJx8Nwx7KFtVpfhwj5dMnE1ZCQ0l1sqXc0N8Wow29U7rWX67y5Grp/i2h SNbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ZQM3XM8xdLXddRKZW1XX+RPtGmZTJVt7CAVEe+7hVj0=; b=vXaoLBTArD86pUgmLAZayvbsXuVEHWtSc2JTUqC0BYoZVUwygeivxL9yOtZyQ/1G6a E6UaN2zSXuAUKD7hHx7ZTZKfciH+Cz1hecqAhGe/2Eqecy5XBz8pQylD4gNGOu99Cmt9 W/npOil5MG/Y82mx4ErrHkUL/iU2Cu8mrfHP4IKujO40XDZ9Y4ht2VG8HgzjYUzuqKzU ZTYYmOeNjN5RD7L4Sov3VinCBclaBQVo6Vvpyvp3p4h+Z7Z3lZJCmSLDPYtIbXBNR+Pa 6q8FzIQ6Rf3RrDkRGSSpUmgEERtnSkVviEowVMqE0wukAfdYwc5YTv2JqXhkhMSDxYq2 FBpQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=HrPYP0UE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qe18si12088606pjb.29.2021.10.01.16.00.39; Fri, 01 Oct 2021 16:00:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=HrPYP0UE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230417AbhJAXAS (ORCPT + 99 others); Fri, 1 Oct 2021 19:00:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58948 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230457AbhJAXAR (ORCPT ); Fri, 1 Oct 2021 19:00:17 -0400 Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 57A44C06177E for ; Fri, 1 Oct 2021 15:58:32 -0700 (PDT) Received: by mail-lf1-x136.google.com with SMTP id b20so44578264lfv.3 for ; Fri, 01 Oct 2021 15:58:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZQM3XM8xdLXddRKZW1XX+RPtGmZTJVt7CAVEe+7hVj0=; b=HrPYP0UEVwuiTywHkbK3uNSlC5jNJRCt7l8EaoQMi0GpVMSFINwhrAt0s6xN2VsWnd Myc5mNipqTNZcxOhUQEgTc+wNrFHHij90mG+lt2XElY+2NHha97StErPB8G12+Q/FdL7 kv/yBjF0tdcFFbh62Zzs85vTUFMkD27saQD001r+EBb1yzThD0/29HuX9TwewcOvoPID 6NmUoW0KSr6AgRtw5foBD1kqg7x7DEk0pD9byZrdGV8vM4cRAhBOa6eltRHMuoC79vmd 2qSPM4v3FgGl7AoaJFBY9KUW1L0pWlhtgS3WiXRLGRjfXTBWphGxNH6YWjpddXQ9JqG2 uaRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZQM3XM8xdLXddRKZW1XX+RPtGmZTJVt7CAVEe+7hVj0=; b=NK4jiZBNYD291HvEKQEceG33Z/+aXVbEGDwFfQQfMAdTjpS60OcJKnYOOr181/PUjx cFczFerCsQ/0MJTo4sTool1OQGRI+nMIDGszOx5JKeGyXW/aQPcUPbnI29mfsCMNzdPV afLyCkgZ/eyvIsTRp96NpdnZND/KTllDewnnMs4OXwBm+GhlaXIVD67RwPoYa7jKeKAM /YpNNCCU4jp9oEaXG+CX/74w7MYhRSabzjhE+bH2Bo+M/s06R77zVx5W4Sk8uV6Mxhk2 rM15Mpbz7QEEytxsND0frZ0zZg12KG5RaSyLerjjgyvBzhSK63otcP8Ky4NGeYWGrdpE SBsA== X-Gm-Message-State: AOAM532KeY6kiE2Jf9DKsMFQjIqa+rBxm9xV/Xtc7kYU7ypQ6ljgIp1O YqyRBzbUAnE0TiJtV8AdfG+WQel/sXUZnoRM3fy68Q== X-Received: by 2002:a05:6512:20cb:: with SMTP id u11mr633226lfr.237.1633129110528; Fri, 01 Oct 2021 15:58:30 -0700 (PDT) MIME-Version: 1.0 References: <20211001175521.3853257-1-tkjos@google.com> In-Reply-To: From: Jann Horn Date: Sat, 2 Oct 2021 00:58:04 +0200 Message-ID: Subject: Re: [PATCH v2] binder: use cred instead of task for selinux checks To: Casey Schaufler Cc: Todd Kjos , gregkh@linuxfoundation.org, arve@android.com, tkjos@android.com, maco@android.com, christian@brauner.io, jmorris@namei.org, serge@hallyn.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, keescook@chromium.org, jeffv@google.com, zohar@linux.ibm.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, joel@joelfernandes.org, kernel-team@android.com, stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 1, 2021 at 10:10 PM Casey Schaufler wrote: > On 10/1/2021 12:50 PM, Jann Horn wrote: > > On Fri, Oct 1, 2021 at 9:36 PM Jann Horn wrote: > >> On Fri, Oct 1, 2021 at 8:46 PM Casey Schaufler wrote: > >>> On 10/1/2021 10:55 AM, Todd Kjos wrote: > >>>> Save the struct cred associated with a binder process > >>>> at initial open to avoid potential race conditions > >>>> when converting to a security ID. > >>>> > >>>> Since binder was integrated with selinux, it has passed > >>>> 'struct task_struct' associated with the binder_proc > >>>> to represent the source and target of transactions. > >>>> The conversion of task to SID was then done in the hook > >>>> implementations. It turns out that there are race conditions > >>>> which can result in an incorrect security context being used. > >>> In the LSM stacking patch set I've been posting for a while > >>> (on version 29 now) I use information from the task structure > >>> to ensure that the security information passed via the binder > >>> interface is agreeable to both sides. Passing the cred will > >>> make it impossible to do this check. The task information > >>> required is not appropriate to have in the cred. > >> Why not? Why can't you put the security identity of the task into the creds? > > Ah, I get it now, you're concerned about different processes wanting > > to see security contexts formatted differently (e.g. printing the > > SELinux label vs printing the AppArmor label), right? > > That is correct. > > > But still, I don't think you can pull that information from the > > receiving task. Maybe the easiest solution would be to also store that > > in the creds? Or you'd have to manually grab that information when > > /dev/binder is opened. > > I'm storing the information in the task security blob because that's > the appropriate scope. Today the LSM hook is given both task_struct's. Which is wrong, because you have no idea who the semantic "recipient task" is - any task that has a mapping of the binder fd can effectively receive transactions from it. (And the current "sender task" is also wrong, because binder looks at the task that opened the binder device, not the task currently performing the action.) > It's easy to compare to make sure the tasks are compatible. It would be, if you actually had a pair of tasks that accurately represent the sender and the recipient. > Adding the > information to the cred would be yet another case where the scope of > security information is wrong. Can you elaborate on why you think that?