Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1311658pxb; Tue, 8 Feb 2022 14:23:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJwzsOCPkOSADDW/460/+Z3AGiRz7NgwVx3YXqx0nlPijOJqNzdTLCADINOcVtMbdsw5RH1f X-Received: by 2002:a17:90a:ae03:: with SMTP id t3mr109082pjq.55.1644359005236; Tue, 08 Feb 2022 14:23:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644359005; cv=none; d=google.com; s=arc-20160816; b=SW70CSneZsK6yc24+JrFKc8zDdqJ/g5jjBQabSt5i3QhcjabR1g8TYguN7i6abr+My UAD1IGd18T/syjRBQDVLDahNYhuamA+yyhAZiSliZtfygSkBOJixx7ohWNXPMfC0SWaA mKfRIDrfatYllVI6a4fbrDbns3OmSNPssGG1l//mCOH1yswq59CXXYkpolrphzWW/qWK RNJZD69Uo0mx8d0PSzL3bDMvng2RZKFhjUoe1vWeQ1Fvc7ak2RcumcuzJAgWSs2UM0dG +UxJTOFzxwsqFYrHM7PNwASqrmKGeMtyB5hIygjFeR1rT34PV9TsTeNJJ6MbE1BnFHHR xTJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature:dkim-filter; bh=KmL07M010/ylefc6zNElZjQYbSBmTpd/e1SNOQwetTM=; b=YzN3FjPwDCVg305QcwWZQ4DqEkmPg7lll0NBcehlmqnotrQKH0RNsrV/nOZVEL2+wN 7MERNDfMuM3lrfXrQKon5IytIynVvrqn4JoZPA+o2HhHhY7z8kVQpu8vSBN2e8LUQWvs unjwL+djQntkQu4WdLwMYcytUja4SxYiKcpfWs+YdVpDXT/zqzeuhJ4C1ICyABOXaDMm fwXb7tGiWaU3Wbj7qXjDXf5cnqrv6JnzSAWujEeVeCAv8ZnlqxGMPxnOI1tkoMuQp7ix Mows0upudeGrYUZEVqYyjurvOCIfplrdsynyqbPF0Hpw+sHx2Y7dX+ZVvrgR8cGfVkOq 66qw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=PJMmBh8H; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q13si13652762pfu.205.2022.02.08.14.23.12; Tue, 08 Feb 2022 14:23:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=PJMmBh8H; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1381830AbiBHPru (ORCPT + 99 others); Tue, 8 Feb 2022 10:47:50 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57588 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231406AbiBHPrs (ORCPT ); Tue, 8 Feb 2022 10:47:48 -0500 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 8FB65C061578; Tue, 8 Feb 2022 07:47:47 -0800 (PST) Received: from [192.168.254.13] (unknown [72.85.44.115]) by linux.microsoft.com (Postfix) with ESMTPSA id 3DB4E20B90C6; Tue, 8 Feb 2022 07:47:46 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 3DB4E20B90C6 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1644335267; bh=KmL07M010/ylefc6zNElZjQYbSBmTpd/e1SNOQwetTM=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=PJMmBh8HudgS0Eyy3CtKlIqOzn5Pav8NmMnir/hQca15xoFu+ZCXljT+Qd5p/gQsg lLQqq0eq4lL6zH6U75lA+xrszXmWz9NcLfRErWB8pbDLJQBhiRZN/4P8Oj8OFWK0Dy tAsi618Vp/hGxc8RkNyk9WTWmDUR1PVWipWf9V5U= Message-ID: <4be3fef6-63ca-af97-7fc6-d93d85a9b706@linux.microsoft.com> Date: Tue, 8 Feb 2022 10:47:44 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.1 Subject: Re: [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX Content-Language: en-US To: William Roberts , Dominick Grift Cc: Paul Moore , Demi Marie Obenour , Stephen Smalley , Eric Paris , SElinux list , Linux kernel mailing list , selinux-refpolicy@vger.kernel.org References: <4df50e95-6173-4ed1-9d08-3c1c4abab23f@gmail.com> <478e1651-a383-05ff-d011-6dda771b8ce8@linux.microsoft.com> <875ypt5zmz.fsf@defensec.nl> From: Chris PeBenito In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-19.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2/8/2022 09:17, William Roberts wrote: > > > This is getting too long for me. > >>> >>> I don't have a strong opinion either way. If one were to allow this >>> using a policy rule, it would result in a major policy breakage. The >>> rule would turn on extended perm checks across the entire system, >>> which the SELinux Reference Policy isn't written for. I can't speak >>> to the Android policy, but I would imagine it would be the similar >>> problem there too. >> >> Excuse me if I am wrong but AFAIK adding a xperm rule does not turn on >> xperm checks across the entire system. > > It doesn't as you state below its target + class. > >> >> If i am not mistaken it will turn on xperm checks only for the >> operations that have the same source and target/target class. > > That's correct. Just to clarify (Demi Marie also mentioned this earlier in the thread), what I originally meant was how to emulate this patch by using policy rules means you need a rule that allows the two ioctls on all domains for all objects. That results in xperms checks enabled everywhere. >> This is also why i don't (with the exception TIOSCTI for termdev >> chr_file) use xperms by default. >> >> 1. it is really easy to selectively filter ioctls by adding xperm rules >> for end users (and since ioctls are often device/driver specific they >> know best what is needed and what not) > >>>>> and FIONCLEX can be trivially bypassed unless fcntl(F_SETFD) >> >> 2. if you filter ioctls in upstream policy for example like i do with >> TIOSCTI using for example (allowx foo bar (ioctl chr_file (not >> (0xXXXX)))) then you cannot easily exclude additional ioctls later where source is >> foo and target/tclass is bar/chr_file because there is already a rule in >> place allowing the ioctl (and you cannot add rules) > > Currently, fcntl flag F_SETFD is never checked, it's silently allowed, but > the equivalent FIONCLEX and FIOCLEX are checked. So if you wrote policy > to block the FIO*CLEX flags, it would be bypassable through F_SETFD and > FD_CLOEXEC. So the patch proposed makes the FIO flags behave like > F_SETFD. Which means upstream policy users could drop this allow, which > could then remove the target/class rule and allow all icotls. Which is easy > to prevent and fix you could be a rule in to allowx 0 as documented in the > wiki: https://selinuxproject.org/page/XpermRules > > The questions I think we have here are: > 1. Do we agree that the behavior between SETFD and the FIO flags are equivalent? > I think they are. > 2. Do we want the interfaces to behave the same? > I think they should. If you can bypass FIONCLEX and FIOCLEX checks by F_SETFD and FD_CLOEXEC, then I agree that the two FIO checks don't have value and can be skipped as F_SETFD is. > 3. Do upstream users of the policy construct care? > The patch is backwards compat, but I don't want their to be cruft > floating around with extra allowxperm rules. Reference policy does not have any xperm rules at this time. I looked at the Fedora policy, and that doesn't have any. -- Chris PeBenito