From: Paul Moore
Date: Tue, 25 Jan 2022 17:27:02 -0500
Subject: Re: [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX
To: Demi Marie Obenour
Cc: Stephen Smalley, Eric Paris, selinux@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <4df50e95-6173-4ed1-9d08-3c1c4abab23f@gmail.com>
References: <4df50e95-6173-4ed1-9d08-3c1c4abab23f@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 25, 2022 at 4:34 PM Demi Marie Obenour wrote:
>
> These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
> always allows too. Furthermore, a failed FIOCLEX could result in a file
> descriptor being leaked to a process that should not have access to it.
>
> Signed-off-by: Demi Marie Obenour
> ---
> security/selinux/hooks.c | 5 +++++
> 1 file changed, 5 insertions(+)

I'm not convinced that these two ioctls should be exempt from SELinux
policy control; can you explain why allowing these ioctls with the
file:ioctl permission is not sufficient for your use case? Is it a
matter of granularity?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 5b6895e4fc29..8f3b2f15c1f3 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3728,6 +3728,11 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, > error = file_has_perm(cred, file, FILE__GETATTR); > break; > > + /* must always succeed */ > + case FIOCLEX: > + case FIONCLEX: > + break; > + > case FS_IOC_SETFLAGS: > case FS_IOC_SETVERSION: > error = file_has_perm(cred, file, FILE__SETATTR); -- paul-moore.com
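Review bot: the comment `/* must always succeed */` on the new FIOCLEX/FIONCLEX cases overstates what the hunk does. The `break;` only skips the SELinux check and leaves `error` at whatever it held before the switch (its initial value is outside this hunk and worth confirming is 0); the VFS can still fail the ioctl for other reasons, so the comment should state the actual rationale instead, e.g. `/* equivalent to fcntl(F_SETFD), which SELinux does not mediate either */`. The change is also policy-visible: a domain that is denied file:ioctl on a file could not toggle close-on-exec through this path before and can afterwards, which the commit message should say explicitly, together with why the existing file:ioctl permission (the granularity question raised above) is not enough.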
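An added example, not code from the thread or the kernel tree: it exercises the two ways of setting close-on-exec that the commit message calls equivalent (the FIOCLEX/FIONCLEX ioctl and fcntl(F_SETFD)), reads the flag back with F_GETFD, and wraps them in a checked helper that falls back to fcntl and verifies the result, so a refused ioctl cannot silently leave a descriptor inheritable across exec. All function names are my own.

```c
#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Read back the descriptor flag: 1 if FD_CLOEXEC is set, 0 if not, -1 on error. */
int cloexec_state(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !!(flags & FD_CLOEXEC);
}

/* The ioctl path discussed in the patch: FIOCLEX sets, FIONCLEX clears. */
int set_cloexec_ioctl(int fd, int on)
{
    return ioctl(fd, on ? FIOCLEX : FIONCLEX);
}

/* The fcntl(F_SETFD) path the commit message calls equivalent. */
int set_cloexec_fcntl(int fd, int on)
{
    return fcntl(fd, F_SETFD, on ? FD_CLOEXEC : 0);
}

/* Defensive wrapper: if the ioctl is refused (for example by an LSM policy
 * that denies file:ioctl), fall back to fcntl, then verify the flag really
 * changed so a denied call can never silently leave the fd inheritable
 * across exec, which is the leak the commit message warns about. */
int set_cloexec_checked(int fd, int on)
{
    if (set_cloexec_ioctl(fd, on) != 0 && set_cloexec_fcntl(fd, on) != 0)
        return -1;
    return cloexec_state(fd) == on ? 0 : -1;
}

/* Exercise both paths on a freshly created pipe and report whether they
 * agree on the observable flag. Returns 1 when every step behaved, else 0. */
int demo_paths_agree(void)
{
    int p[2];
    if (pipe(p) != 0)
        return 0;
    int ok = cloexec_state(p[0]) == 0 /* pipe() without O_CLOEXEC: inheritable */
          && set_cloexec_ioctl(p[0], 1) == 0 && cloexec_state(p[0]) == 1
          && set_cloexec_fcntl(p[1], 1) == 0 && cloexec_state(p[1]) == 1
          && set_cloexec_ioctl(p[0], 0) == 0 && cloexec_state(p[0]) == 0
          && set_cloexec_checked(p[1], 0) == 0 && cloexec_state(p[1]) == 0;
    close(p[0]);
    close(p[1]);
    return ok;
}
```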