Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1297689pxb; Wed, 2 Feb 2022 01:25:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJwKOiqAPwiVpXSjXrtcmD1anx9GvoYFk0c2H5qzySuOfj7K1sSJiBApw2Zd3CIhbp78s2fo X-Received: by 2002:a05:6402:4305:: with SMTP id m5mr29039564edc.342.1643793925314; Wed, 02 Feb 2022 01:25:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643793925; cv=none; d=google.com; s=arc-20160816; b=tLS9v9+AOypiYk9Dku6SUGaRvt16t5nvzGoJLG164BW8RJkEtYgl24lpermWnDDYyA D7Ac6o+HdlJdZyL3DeE05wu4j5i8ppp3cx2V80xy61jSY5OeBkmgxHRGPjsLryssUjmI eRLlHdfg+TVH5vX6Uj4yPNA8n4niXJ8hKKsZQE1qbBTx3tq1e0yIIrG6FO5PEWXS7T6o plbK7UoLW5AokHsfrpVmBxVqssFNS0/ocQI2++PkHWcjP9j25LMr0/IEgUqXxpwmzuWY rDPsvBlfU8ONb0sYQZqHBzrMakOzJkFHnclUHFg8nvs59/R6I7nUuSn6xAjrJTA6UiC6 +7rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=+FUAlOlMa07eJpdtWBtFxltqcXW5pKh9hMDtYHtwGqE=; b=bK9JrufebpdLLFouke31wVQLpWpZesL/NCSVLGy1wJqeln/BD7WII5bVT81FBejYVk FNMLi9BKj6LKUuP6S9AkTLKNOn1MfO65bUbS9pr3q9N+g5U0HdnQwkbYzO5zgEVtz86F R3h85EcR+uvVsbTWItFG/ps+fqw7P/W+1w5uWls3FPj0PqryZ5ok/GAD3HjNwg42VnnY SRP/rNq4BhxA88aiAOdzQzy1M/BO+Dc6SE6jNVmOd197lhuzdsKECMHoOnD5w7fRlLu2 5sfkgkW9HBYdFmq0ZdRMsH5/mXSDxpWdZHyBhVvYF1BJ+pSL71wtqsQ1j0DcvEwvcStJ +fVg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=SQ4fed4k; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qa9si4906305ejc.827.2022.02.02.01.25.00; Wed, 02 Feb 2022 01:25:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=SQ4fed4k; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241481AbiBAR0W (ORCPT + 99 others); Tue, 1 Feb 2022 12:26:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38038 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237515AbiBAR0S (ORCPT ); Tue, 1 Feb 2022 12:26:18 -0500 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 36BB1C06173D for ; Tue, 1 Feb 2022 09:26:18 -0800 (PST) Received: by mail-ej1-x629.google.com with SMTP id s5so56132360ejx.2 for ; Tue, 01 Feb 2022 09:26:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+FUAlOlMa07eJpdtWBtFxltqcXW5pKh9hMDtYHtwGqE=; b=SQ4fed4ky5Yr+isS1uetmg/gwgm8f0vVjIfE7jcqJuXtyxLJi8F17af80tpltf0pzw 0XK1qOovI5k+anlfTXeEbgW43YyCHRclMUqwQwItNE5mAvmUDTmXOnxO9vDZKrgKXeok T3YxoBoWwklT3IkIo4bIqtjzOr0tLUpSY2jY3AN+Gm7oTNIhKh1ijX0dlK0HVxU3OWD7 ZfDTX/CazHRKW8p/ZUAipqSm8UbRtVJbY2DgAj7HzQ+CBg0HMZnwmXD84sBNBI9bGZmp Fy2jmq/uEGMEL7eRCCJq1yWHmkwWtLitt4fDRGkr5PjWn7bLIGTAqJztrpiM/m5vug5m 5dog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+FUAlOlMa07eJpdtWBtFxltqcXW5pKh9hMDtYHtwGqE=; b=M6PWHyVZhKW3DzEcZAIi6kRi3Cfcb9UP644WnDmD8fTZbtHE/tRxinGBhLrBy18iLf LVluRUrYq8fPBEP8mHJ5DQCH1xNQ6vDM5f3ehwMxlraKUFq2cQwRKeraQkb0ElCfUg3R B2DWgBGU1a9PHSNj52TZDXZX/ROCGyNt1JP7ndpBG90EKc74/4bwTlA+NTImje29IPZi ANmQRyH32ChYr9bOl7Fe3CJCUioczSP2E6GAYpGPgPR06ERVKwN+RAEO9+xqrEc63xsQ /BovRFRo3U2JNVeEiVYetclZpII2qb/8he8a7aeGCh/84JTfjBTSL/Ds8VN03EPDldZQ J8RA== X-Gm-Message-State: AOAM531CgtXkk+Pq2jn/560Mes2YUMVAeMzzlNT4g29nWeBJ3tCHCQ4W 8CtE2nTtz5X3XVb7KmWqoJBroMKLtphKfBzZeR0/e+5GSg== X-Received: by 2002:a17:907:3e8a:: with SMTP id hs10mr21951252ejc.112.1643736376357; Tue, 01 Feb 2022 09:26:16 -0800 (PST) MIME-Version: 1.0 References: <4df50e95-6173-4ed1-9d08-3c1c4abab23f@gmail.com> In-Reply-To: From: Paul Moore Date: Tue, 1 Feb 2022 12:26:05 -0500 Message-ID: Subject: Re: [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX To: Demi Marie Obenour Cc: Stephen Smalley , Eric Paris , selinux@vger.kernel.org, linux-kernel@vger.kernel.org, selinux-refpolicy@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jan 29, 2022 at 10:40 PM Demi Marie Obenour wrote: > On 1/26/22 17:41, Paul Moore wrote: > > On Tue, Jan 25, 2022 at 5:50 PM Demi Marie Obenour > > wrote: > >> On 1/25/22 17:27, Paul Moore wrote: > >>> On Tue, Jan 25, 2022 at 4:34 PM Demi Marie Obenour > >>> wrote: > >>>> > >>>> These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux > >>>> always allows too. Furthermore, a failed FIOCLEX could result in a file > >>>> descriptor being leaked to a process that should not have access to it. > >>>> > >>>> Signed-off-by: Demi Marie Obenour > >>>> --- > >>>> security/selinux/hooks.c | 5 +++++ > >>>> 1 file changed, 5 insertions(+) > >>> > >>> I'm not convinced that these two ioctls should be exempt from SELinux > >>> policy control, can you explain why allowing these ioctls with the > >>> file:ioctl permission is not sufficient for your use case? Is it a > >>> matter of granularity? > >> > >> FIOCLEX and FIONCLEX are applicable to *all* file descriptors, not just > >> files. If I want to allow them with SELinux policy, I have to grant > >> *:ioctl to all processes and use xperm rules to determine what ioctls > >> are actually allowed. That is incompatible with existing policies and > >> needs frequent maintenance when new ioctls are added. > >> > >> Furthermore, these ioctls do not allow one to do anything that cannot > >> already be done by fcntl(F_SETFD), and (unless I have missed something) > >> SELinux unconditionally allows that. Therefore, blocking these ioctls > >> does not improve security, but does risk breaking userspace programs. > >> The risk is especially great because in the absence of SELinux, I > >> believe FIOCLEX and FIONCLEX *will* always succeed, and userspace > >> programs may rely on this. Worse, if a failure of FIOCLEX is ignored, > >> a file descriptor can be leaked to a child process that should not have > >> access to it, but which SELinux allows access to. Userspace > >> SELinux-naive sandboxes are one way this could happen. Therefore, > >> blocking FIOCLEX may *create* a security issue, and it cannot solve one. > > > > I can see you are frustrated with my initial take on this, but please > > understand that excluding an operation from the security policy is not > > something to take lightly and needs discussion. I've added the > > SELinux refpolicy list to this thread as I believe their input would > > be helpful here. > > Absolutely it is not something that should be taken lightly, though I > strongly believe it is correct in this case. Is one of my assumptions > mistaken? My concern is that there is a distro/admin somewhere which is relying on their SELinux policy enforcing access controls on these ioctls and removing these controls would cause them a regression. -- paul-moore.com