Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp1466379pxb; Fri, 18 Feb 2022 08:19:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJzl1CkvJpuqLsWFpb7b53Nv/25EX9/qU6Tia+HCtwHErAoNp0LuIQAvSxedC11cHwylNZCu X-Received: by 2002:aa7:d98a:0:b0:410:b844:7889 with SMTP id u10-20020aa7d98a000000b00410b8447889mr9031125eds.109.1645201164824; Fri, 18 Feb 2022 08:19:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645201164; cv=none; d=google.com; s=arc-20160816; b=VVZXjNgFmDCRXSVX9HwViqxw1M9T/diasPdj2Ksl8FWbEHz5ervRa4czRixZPgUNnB x3Sh9R17QE5cBAvRcN2RGInuFG6dyqsX8mYoi6J/pivxXHLmecMMmU29GNRTYmuZhqfk cfYwQUavhzt7uPY/YFQZOpTEdEBKOcg1sOEL1nViZIZxtH6kZv1oSg5gXHnZgK//miVR wFpY+1WwKreNlGqYu0MMl46Pl74MPyvskwNBDJK3a4YwNz2FiTK2bcb14z6P6oTrL8bx TsixLnanbVIIReKb9b8ZYojTQQXt18QM2+h0gb6im2qoCwSYdVApLQwBX1kI1MKOz4xg moqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=+UHLQG+M4ZifbAygCfGQKWqjXrpBKvOYPwDad48Ye9E=; b=vM783p1YoQ2AA6H7mnVl60MU9DUJ4LMlVvt0NtPO/I2pAZffOV3bZjaaysHevLQbQv xfGaVNWG4I1q+S0g64oh+9XDEnPbBlBqasRPjLlxKKoRRQLwJ3w+Rd+k/jl+e20lRSaS 0GbaJY0aQGC7FCjIQCq07MdfKxBsfY9OzDuE1tikHA5QlIFIr7GY4KckgYNItuky8Klu 4Xwcfr+4rL4Llc5Vny1VHHFrxzL6/Cckctu9E8X1N2tXU1JploTQXVliRmfkc4ssHRtM TWVmdN/2lm7Kw+vRFpnEkMZwFJOTdsfSp1MCqXgkw6qtQMeiEvQMq72cfgq1Fz2Mo+oZ y72A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@btinternet.com header.s=btmx201904 header.b=r7QVE9XU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sb26si5824778ejc.613.2022.02.18.08.19.01; Fri, 18 Feb 2022 08:19:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@btinternet.com header.s=btmx201904 header.b=r7QVE9XU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229642AbiBRPjj (ORCPT + 99 others); Fri, 18 Feb 2022 10:39:39 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:49744 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237104AbiBRPjf (ORCPT ); Fri, 18 Feb 2022 10:39:35 -0500 Received: from sa-prd-fep-043.btinternet.com (mailomta31-sa.btinternet.com [213.120.69.37]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D1F5B3DA52; Fri, 18 Feb 2022 07:39:16 -0800 (PST) Received: from sa-prd-rgout-004.btmx-prd.synchronoss.net ([10.2.38.7]) by sa-prd-fep-043.btinternet.com with ESMTP id <20220218153915.FDKV18908.sa-prd-fep-043.btinternet.com@sa-prd-rgout-004.btmx-prd.synchronoss.net>; Fri, 18 Feb 2022 15:39:15 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1645198755; bh=+UHLQG+M4ZifbAygCfGQKWqjXrpBKvOYPwDad48Ye9E=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References:MIME-Version; b=r7QVE9XU8T7BdxLPY+hgO6sw5NVmnMpGziVQBP+VeHw70cYF0/1bXtERlwqGhLKD2VK4+czItKDmYsy27Bl2+5JolwSggxOTzX0mLxpPsrHq8hiDNBWC2fy4EYJC2Ow4oSIsh/BNMZKzWbmsnLUrhExH+Q+qdKlEAuMZ9ZxeqNfKWB67sAO0pCV4DJOsJzosXLzVL7muwN/V9ulPiOVXS4/MRd/T4S3vWH/P/r7b51jgs3uLZKn+83xGysN/1HBdst3U9zHYY1eX/8DznPOwuFIEGwdQ+8JU/Ba6Rh8KomKDWSkbN6M4ZNKTcP+B85Pljny1mBivPuATe3hAmCU/UQ== Authentication-Results: btinternet.com; auth=pass (LOGIN) smtp.auth=richard_c_haines@btinternet.com; bimi=skipped X-SNCR-Rigid: 613943C616036884 X-Originating-IP: [86.183.97.183] X-OWM-Source-IP: 86.183.97.183 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedvvddrkedtgdejjecutefuodetggdotefrodftvfcurfhrohhfihhlvgemuceutffkvffkuffjvffgnffgvefqofdpqfgfvfenuceurghilhhouhhtmecufedtudenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepkffuhffvffgjfhgtfggggfesthekredttderjeenucfhrhhomheptfhitghhrghrugcujfgrihhnvghsuceorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqnecuggftrfgrthhtvghrnheptdefkeefudffheegueffuddtveehheduheekudekvdegjeduhfeghfdvhffhuedtnecuffhomhgrihhnpehsvghlihhnuhigphhrohhjvggtthdrohhrghdprghnughrohhiugdrtghomhenucfkphepkeeirddukeefrdeljedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopegludelvddrudeikedruddrudelkegnpdhinhgvthepkeeirddukeefrdeljedrudekfedpmhgrihhlfhhrohhmpehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmpdhnsggprhgtphhtthhopeduuddprhgtphhtthhopegsihhllhdrtgdrrhhosggvrhhtshesghhmrghilhdrtghomhdprhgtphhtthhopegthhhpvggsvghniheslhhinhhugidrmhhitghrohhsohhfthdrtghomhdprhgtphhtthhopeguvghmihhosggvnhhouhhrsehgmhgrihhlrdgt ohhmpdhrtghpthhtohepughomhhinhhitghkrdhgrhhifhhtseguvghfvghnshgvtgdrnhhlpdhrtghpthhtohepvghprghrihhssehprghrihhsphhlrggtvgdrohhrghdprhgtphhtthhopehjvghffhhvsehgohhoghhlvgdrtghomhdprhgtphhtthhopehlihhnuhigqdhkvghrnhgvlhesvhhgvghrrdhkvghrnhgvlhdrohhrghdprhgtphhtthhopehprghulhesphgruhhlqdhmohhorhgvrdgtohhmpdhrtghpthhtohepshgvlhhinhhugidqrhgvfhhpohhlihgthiesvhhgvghrrdhkvghrnhgvlhdrohhrghdprhgtphhtthhopehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhgpdhrtghpthhtohepshhtvghphhgvnhdrshhmrghllhgvhidrfihorhhksehgmhgrihhlrdgtohhm X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from [192.168.1.198] (86.183.97.183) by sa-prd-rgout-004.btmx-prd.synchronoss.net (5.8.716.04) (authenticated as richard_c_haines@btinternet.com) id 613943C616036884; Fri, 18 Feb 2022 15:39:14 +0000 Message-ID: <141da74b176cd3bae74a8a81226c661c032631dc.camel@btinternet.com> Subject: Re: [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX From: Richard Haines To: Demi Marie Obenour , Paul Moore Cc: William Roberts , Dominick Grift , Chris PeBenito , Stephen Smalley , Eric Paris , SElinux list , Linux kernel mailing list , selinux-refpolicy@vger.kernel.org, Jeffrey Vander Stoep Date: Fri, 18 Feb 2022 15:39:10 +0000 In-Reply-To: References: <4df50e95-6173-4ed1-9d08-3c1c4abab23f@gmail.com> <478e1651-a383-05ff-d011-6dda771b8ce8@linux.microsoft.com> <875ypt5zmz.fsf@defensec.nl> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.4 (3.42.4-1.fc35) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2022-02-17 at 18:55 -0500, Demi Marie Obenour wrote: > On 2/15/22 15:34, Paul Moore wrote: > > On Mon, Feb 14, 2022 at 2:11 AM Jeffrey Vander Stoep > > wrote: > > > On Tue, Feb 8, 2022 at 3:18 PM William Roberts > > > wrote: > > > > > > > > > > > > > > > > This is getting too long for me. > > > > > > > > > > > > > > > > I don't have a strong opinion either way.  If one were to > > > > > > allow this > > > > > > using a policy rule, it would result in a major policy > > > > > > breakage.  The > > > > > > rule would turn on extended perm checks across the entire > > > > > > system, > > > > > > which the SELinux Reference Policy isn't written for.  I > > > > > > can't speak > > > > > > to the Android policy, but I would imagine it would be the > > > > > > similar > > > > > > problem there too. > > > > > > > > > > Excuse me if I am wrong but AFAIK adding a xperm rule does > > > > > not turn on > > > > > xperm checks across the entire system. > > > > > > > > It doesn't as you state below its target + class. > > > > > > > > > > > > > > If i am not mistaken it will turn on xperm checks only for > > > > > the > > > > > operations that have the same source and target/target class. > > > > > > > > That's correct. > > > > > > > > > > > > > > This is also why i don't (with the exception TIOSCTI for > > > > > termdev > > > > > chr_file) use xperms by default. > > > > > > > > > > 1. it is really easy to selectively filter ioctls by adding > > > > > xperm rules > > > > > for end users (and since ioctls are often device/driver > > > > > specific they > > > > > know best what is needed and what not) > > > > > > > > > > > > and FIONCLEX can be trivially bypassed unless > > > > > > > > fcntl(F_SETFD) > > > > > > > > > > 2. if you filter ioctls in upstream policy for example like i > > > > > do with > > > > > TIOSCTI using for example (allowx foo bar (ioctl chr_file > > > > > (not > > > > > (0xXXXX)))) then you cannot easily exclude additional ioctls > > > > > later where source is > > > > > foo and target/tclass is bar/chr_file because there is > > > > > already a rule in > > > > > place allowing the ioctl (and you cannot add rules) > > > > > > > > Currently, fcntl flag F_SETFD is never checked, it's silently > > > > allowed, but > > > > the equivalent FIONCLEX and FIOCLEX are checked. So if you > > > > wrote policy > > > > to block the FIO*CLEX flags, it would be bypassable through > > > > F_SETFD and > > > > FD_CLOEXEC. So the patch proposed makes the FIO flags behave > > > > like > > > > F_SETFD. Which means upstream policy users could drop this > > > > allow, which > > > > could then remove the target/class rule and allow all icotls. > > > > Which is easy > > > > to prevent and fix you could be a rule in to allowx 0 as > > > > documented in the > > > > wiki: https://selinuxproject.org/page/XpermRules > > > > > > > > The questions I think we have here are: > > > > 1. Do we agree that the behavior between SETFD and the FIO > > > > flags are equivalent? > > > >   I think they are. > > > > 2. Do we want the interfaces to behave the same? > > > >   I think they should. > > > > 3. Do upstream users of the policy construct care? > > > >   The patch is backwards compat, but I don't want their to be > > > > cruft > > > > floating around with extra allowxperm rules. > > > > > > I think this proposed change is fine from Android's perspective. > > > It > > > implements in the kernel what we've already already put in place > > > in > > > our policy - that all domains are allowed to use these IOCLTs. > > > https://cs.android.com/android/platform/superproject/+/master:system/sepolicy/public/domain.te;l=312 > > > > > > It'll be a few years before we can clean up our policy since we > > > need > > > to support older kernels, but that's fine. > > > > Thanks for the discussion everyone, it sounds like everybody is > > okay > > with the change - that's good.  However, as I said earlier in this > > thread I think we need to put this behind a policy capability, how > > does POLICYDB_CAPABILITY_IOCTL_CLOEXEC/"ioctl_skip_cloexec" sound > > to > > everyone? > > > > Demi, are you able to respin this patch with policy capability > > changes? > > I can try, but this is something I am doing in my spare time and I > have no idea what adding a policy capability would involve.  While I > have written several policies myself, I believe this is the first > time > I have dealt with policy capabilities outside of kernel log output. > So it will be a while before I can make a patch.  You would probably > be > able to write a patch far more quickly and easily. RESEND: Forgot to add the updates for libsepol (I think it's complete now) # Adding A New Policy Capability - [Kernel Updates](#kernel-updates) - [*libsepol* Library Updates](#libsepol-library-updates) - [Reference Policy Updates](#reference-policy-updates) ## Kernel Updates In kernel source update the following three files with the new capability: ***security/selinux/include/policycap_names.h*** Add new entry at end of this list: ``` /* Policy capability names */ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { ... "genfs_seclabel_symlinks", "new_polcap_name" }; ``` ***security/selinux/include/policycap.h*** Add new entry at end of this list: ``` /* Policy capabilities */ enum { ... POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, POLICYDB_CAPABILITY_NEW_POLCAP_NAME, __POLICYDB_CAPABILITY_MAX }; ``` ***security/selinux/include/security.h*** Add a new entry that will initialise the new capability: ``` static inline bool selinux_policycap_new_name(void) { struct selinux_state *state = &selinux_state; return READ_ONCE(state- >policycap[POLICYDB_CAPABILITY_NEW_POLCAP_NAME]); } ``` Finally in the updated code that utilises the new policy capabilty do something like this: ``` if (selinux_policycap_new_name()) do this; else do that; ``` ## *libsepol* Library Updates In selinux userspace source update the following two files with the new capability: ***selinux/libsepol/src/polcaps.c*** Add new entry at end of this list: ``` static const char * const polcap_names[] = { ... "genfs_seclabel_symlinks", /* POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS */ "new_polcap_name", /* POLICYDB_CAPABILITY_NEW_POLCAP_NAME */ NULL }; ``` ***selinux/libsepol/include/sepol/policydb/polcaps.h*** Add new entry at end of this list: ``` /* Policy capabilities */ enum { ... POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, POLICYDB_CAPABILITY_NEW_POLCAP_NAME, __POLICYDB_CAPABILITY_MAX }; ``` ## Reference Policy Updates The new policy capability entry is then added to the Reference Policy file: ***policy/policy_capabilities*** An example entry that enables the capability in policy is: ``` # A description of the capability policycap new_polcap_name; ``` To disable the capability in policy comment out the entry: ``` # A description of the capability #policycap new_polcap_name; ```