Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp3467559pxp; Tue, 8 Mar 2022 15:13:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJwUEm76hwmA9hiOGT/wgYATTkTyn2hzmlHDLb6W6h2gxg7r2BOl9N8iesg/+98hwDBLTzfb X-Received: by 2002:a17:90b:3a8f:b0:1bf:ccc:59bc with SMTP id om15-20020a17090b3a8f00b001bf0ccc59bcmr7241686pjb.234.1646781234195; Tue, 08 Mar 2022 15:13:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646781234; cv=none; d=google.com; s=arc-20160816; b=oDTmBny2dmCE/KXXkkkpHcoxufiHIo2UrmJj4mv4H8q5iZWuRtxL+V2j/eMJY7QiC/ ry3nV/1l1rmqoPjRq/ajDmI0RZTL06IWbriPH590wK9F8Icd45SppNhC2tS4uGpJfM5z YNnjzs7HmRo1cZOoZVoTYqMynLvQUbfTCIreLdVXoKBC7tKcw2PrSwnP2t+izkHtUgTE YsPXpSOFjShO2k4VCI4r+sVSAmYrSZbO+ur5HB5/Ad8mcKhp0CeJhzlnDdGBPALs53Nu zmrtEGspb7oGVziZiZWl0SO5BjLfNwRKVZjzhfOc9TMhK5dXKAtC26KEaYvulR9W6z3K +LJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=FRTETGecuG6wFvpJiWj2QB7gtWBg3s5Eo853/+tZlW8=; b=udNbwh9QU8pvHDQbvTfBvY9xDjP5XNP1saITphZovNwyWHvVFOggSks8zE/VvcPlRP Qj8Gac928/JY8gOAwrKIjnOHGCasADiPUPhyu5oWH/VpOaGzpUZj8mWwCqQ4MOyKzCeb g8ebaLB8fnmZTqRbQcNRBOSq25ZhR2sygGT9TSvvkqf0OQJhzgX5Iuj3Cil+THwXekS4 tK3/stlPei6sHAYw2pk1LNMVhvAfobuBjKmpc08E9FEVVgSnFY8M817HsX2fqEnPXg4W AArDdb2NF9cxm3izZu6CmbcsF30K1+cD9PcE80ik0L6yMJt3WJY3I/eWYv62O5AksHRb 3Ezg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@googlemail.com header.s=20210112 header.b=WxX6Vsrn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id n11-20020a170903404b00b00151d043b327si225492pla.150.2022.03.08.15.13.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Mar 2022 15:13:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@googlemail.com header.s=20210112 header.b=WxX6Vsrn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1E34F6E4EF; Tue, 8 Mar 2022 15:09:31 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348649AbiCHRNf (ORCPT + 99 others); Tue, 8 Mar 2022 12:13:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348628AbiCHRNd (ORCPT ); Tue, 8 Mar 2022 12:13:33 -0500 Received: from mail-oo1-xc29.google.com (mail-oo1-xc29.google.com [IPv6:2607:f8b0:4864:20::c29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E87DB25E0; Tue, 8 Mar 2022 09:12:35 -0800 (PST) Received: by mail-oo1-xc29.google.com with SMTP id x26-20020a4a621a000000b00320d7d4af22so9651054ooc.4; Tue, 08 Mar 2022 09:12:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=FRTETGecuG6wFvpJiWj2QB7gtWBg3s5Eo853/+tZlW8=; b=WxX6Vsrn74ymtFqVMdNmUFhV7bRO8ZdIijHBTmDXbqPTWEWKhLXzmaIaq4HV3IpIJ7 Vwe5GzLp4wmt4oPD8QFb0EwAeUYMRn3VCRYU3xkbQNqM9QF8gjD8tyTvXyG7o0wT7u+h SxK7TUnBAjCr/QxmM71n/cA0s6LSIj/dMvOqRc/pW/qxwqi1h76lG6M3m4kc0BFCv8wK SJYkX65fNOMiaHQf8LPyJDE9GC0Q8dIf00wBQxl/P3jk8EriEoUUehiINN9HHM1O6Ppf 7jAi8VAni4yKdxVTkfz5dzMvhq4t7JxCTLqydNFI+zQqxKDaJzS/G9gBf+f955n7sy1g q4lg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=FRTETGecuG6wFvpJiWj2QB7gtWBg3s5Eo853/+tZlW8=; b=HqbTIk4gn8jhzGZtq1+KVBmBYyuOm25e1rn40idoZ4QlbPA91Me37MidTS3O8rWRnD ++nv9YAx0doQ9h0QQXH9YfYxinMRoytEpY1utgLlwI67OUyoEWzenr+ncvf4R+adwTNd 0yQgm/vhqBA29d9ipMxRxt+neSHE6S1VXXd+XowIBf33+U1UKdGNDRg02/scoMwdXCqr Sn0VbK+bUgQFJkHFGkI02dIb0Bw0i2CvCXkEXKXvNX/ri5OOEVJzN75gFDT7qR7Mwsvl eYQojMMEJ0EYN44lk2oR9044IIKX3MEyz3fNTsGvWSqYAZ0lPOb0tVtL3gCzbYRMWlcL +mdQ== X-Gm-Message-State: AOAM531pXIxhRgOU7RVS+F4N7IYaSo4yPWIqP10QcC6ytlxVMCQ0NKMV WYfNI015Pyx09KTFHkVjal+5WDmcXj+QMbIw3/g= X-Received: by 2002:a05:6870:1688:b0:da:b3f:321d with SMTP id j8-20020a056870168800b000da0b3f321dmr3068797oae.205.1646759555172; Tue, 08 Mar 2022 09:12:35 -0800 (PST) MIME-Version: 1.0 References: <20220217143457.75229-1-cgzones@googlemail.com> In-Reply-To: From: =?UTF-8?Q?Christian_G=C3=B6ttsche?= Date: Tue, 8 Mar 2022 18:12:24 +0100 Message-ID: Subject: Re: [PATCH] selinux: log anon inode class name To: Paul Moore Cc: SElinux list , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , Richard Guy Briggs , Ondrej Mosnacek , Linux kernel mailing list , linux-security-module@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 25 Feb 2022 at 01:25, Paul Moore wrote: > > On Thu, Feb 17, 2022 at 9:35 AM Christian G=C3=B6ttsche > wrote: > > > > Log the anonymous inode class name in the security hook > > inode_init_security_anon. This name is the key for name based type > > transitions on the anon_inode security class on creation. Example: > > > > type=3DAVC msg=3Daudit(02/16/22 22:02:50.585:216) : avc: granted = { create } for pid=3D2136 comm=3Dmariadbd anonclass=3D"[io_uring]" dev=3D"= anon_inodefs" ino=3D6871 scontext=3Dsystem_u:system_r:mysqld_t:s0 tcontext= =3Dsystem_u:system_r:mysqld_iouring_t:s0 tclass=3Danon_inode > > > > Add a new LSM audit data type holding the inode and the class name. > > > > Also warn if the security hook gets called with no name set; currently > > the only caller fs/anon_inodes.c:anon_inode_make_secure_inode() passes > > one. > > > > Signed-off-by: Christian G=C3=B6ttsche > > --- > > include/linux/lsm_audit.h | 5 +++++ > > security/lsm_audit.c | 21 +++++++++++++++++++++ > > security/selinux/hooks.c | 7 +++++-- > > 3 files changed, 31 insertions(+), 2 deletions(-) > > ... > > > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h > > index 17d02eda9538..8135a88d6d82 100644 > > --- a/include/linux/lsm_audit.h > > +++ b/include/linux/lsm_audit.h > > @@ -76,6 +76,7 @@ struct common_audit_data { > > #define LSM_AUDIT_DATA_IBENDPORT 14 > > #define LSM_AUDIT_DATA_LOCKDOWN 15 > > #define LSM_AUDIT_DATA_NOTIFICATION 16 > > +#define LSM_AUDIT_DATA_ANONINODE 17 > > union { > > struct path path; > > struct dentry *dentry; > > @@ -96,6 +97,10 @@ struct common_audit_data { > > struct lsm_ibpkey_audit *ibpkey; > > struct lsm_ibendport_audit *ibendport; > > int reason; > > + struct { > > + struct inode *inode; > > + const char *anonclass; > > + } anoninode_struct; > > } u; > > /* this union contains LSM specific data */ > > union { > > diff --git a/security/lsm_audit.c b/security/lsm_audit.c > > index 1897cbf6fc69..5545fed35539 100644 > > --- a/security/lsm_audit.c > > +++ b/security/lsm_audit.c > > @@ -433,6 +433,27 @@ static void dump_common_audit_data(struct audit_bu= ffer *ab, > > audit_log_format(ab, " lockdown_reason=3D\"%s\"", > > lockdown_reasons[a->u.reason]); > > break; > > + case LSM_AUDIT_DATA_ANONINODE: { > > + struct dentry *dentry; > > + struct inode *inode; > > + > > + rcu_read_lock(); > > + inode =3D a->u.anoninode_struct.inode; > > + dentry =3D d_find_alias_rcu(inode); > > + if (dentry) { > > + audit_log_format(ab, " name=3D"); > > + spin_lock(&dentry->d_lock); > > + audit_log_untrustedstring(ab, dentry->d_name.na= me); > > + spin_unlock(&dentry->d_lock); > > + } > > I'm not sure we are ever going to get a useful dentry name for > anonymous inodes, I think we can probably drop this. The "anonclass=3D" > field will likely be much more interesting and helpful. > > > + audit_log_format(ab, " anonclass=3D"); > > + audit_log_untrustedstring(ab, a->u.anoninode_struct.ano= nclass); > > + audit_log_format(ab, " dev=3D"); > > + audit_log_untrustedstring(ab, inode->i_sb->s_id); > > I'm pretty sure this is always going to end up being "anon_inodefs" > and thus not very useful. > > > + audit_log_format(ab, " ino=3D%lu", inode->i_ino); > > Similarly, I'm not sure how useful the inode number is in practice. > I've never tried, but can a user lookup an anonymous inode via the > inode number? > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index dafabb4dcc64..19c831d94d9b 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -2932,6 +2932,8 @@ static int selinux_inode_init_security_anon(struc= t inode *inode, > > if (unlikely(!selinux_initialized(&selinux_state))) > > return 0; > > > > + WARN_ON(!name); > > + > > isec =3D selinux_inode(inode); > > > > /* > > @@ -2965,8 +2967,9 @@ static int selinux_inode_init_security_anon(struc= t inode *inode, > > * allowed to actually create this type of anonymous inode. > > */ > > > > - ad.type =3D LSM_AUDIT_DATA_INODE; > > - ad.u.inode =3D inode; > > + ad.type =3D LSM_AUDIT_DATA_ANONINODE; > > + ad.u.anoninode_struct.inode =3D inode; > > + ad.u.anoninode_struct.anonclass =3D name ? (const char *)name->= name : "unknown(null)"; > > This doesn't seem to match well with the newly added WARN_ON() > assertion above. I would suggest dropping the WARN_ON() assertion as > security_transition_sid() can already handle that safely, and leaving > the tertiary statement above; however I think we should probably > change the anonclass string to "?" as that is the common unset field > value used by audit. Is the hook inode_init_security_anon expected to be called with an empty name though? The condition was just a fallback to not crash the kernel. (Dropped in v2.) > > -- > paul-moore.com