Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp871901rwb; Thu, 12 Jan 2023 13:32:46 -0800 (PST) X-Google-Smtp-Source: AMrXdXuRZvJLsSLmY/lnE5xpHOL2padDeNYh7R9U/7Rx4XSwDvCBpMtk+RdOweTXSk92uT79u6Xm X-Received: by 2002:a05:6402:e87:b0:461:b8bf:ce1b with SMTP id h7-20020a0564020e8700b00461b8bfce1bmr70609312eda.34.1673559165740; Thu, 12 Jan 2023 13:32:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673559165; cv=none; d=google.com; s=arc-20160816; b=0vc2md2gpdo35xFl3I6OJh8mzwMKdQRCVMF6JxJza71tsKhQvk1SV5CyqpgJZRL5Pu LQMlWH6cbCBj8e+z20RYC4pSrCnB4Ws5awJrlY0Ao/J0hViIVCylY+VwEBxuA0wM1PST SfYd9MMI+haDJxQtQd5x1ZIKfXjEGOJyqjFLGzjp2ppYh2GZWEmNpdvPle0Z3dr/3qEx dzOL1enxSp50ZEKe89l+J0JvhsJ1Z3gWm6oUXLwzC+wnwxRGmRf58HfO0Tj/2RSIl8S8 P68eSxa3oK9TdblILSdwLqb1QX0wFJOV8oHb0MQZeukPaGDqrDWUpZ41c0/r0RFsHYmy PwkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=YCu5Y/GTVOBPVVyupzvBVkyh0EoOaLJvwwF2Oks4mXY=; b=CT1VGMyjWnddf7S812FUtRZZ0LQdEayWcuvnEOFY8tToEApKFSeTrUuzyG1CImAZ7R ei2abN5nzuOksh1I7pftVcwzQBKjGD2xCyQH8KrDImuwEkrN0a4zAfehXC0GskZ9d40P kuHKVPOVtTyOkEjtYkGMPGlAMgAJE1cMD11iPsNzeVdd0A50ui+m1e4D6ZioBr+3V6Hp pz0IP9YBdzczc93INhC30ZXVlL37togleG0fq/6VJXaCxayRMKwpyfs5FtwnhQ+WQ8PD slUnp7z205p3/dPZlBCHYcBLukpocs6DDxlFL7DWR7y9I/HQQy12zopIPa59PzkPEHpJ 5IKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=S0BCMwT5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dz16-20020a0564021d5000b004862741e01csi20530807edb.602.2023.01.12.13.32.33; Thu, 12 Jan 2023 13:32:45 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=S0BCMwT5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240712AbjALVCZ (ORCPT + 50 others); Thu, 12 Jan 2023 16:02:25 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36464 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240248AbjALVAG (ORCPT ); Thu, 12 Jan 2023 16:00:06 -0500 Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ED94E5F83 for ; Thu, 12 Jan 2023 12:45:11 -0800 (PST) Received: by mail-pf1-x42d.google.com with SMTP id a184so14680932pfa.9 for ; Thu, 12 Jan 2023 12:45:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YCu5Y/GTVOBPVVyupzvBVkyh0EoOaLJvwwF2Oks4mXY=; b=S0BCMwT5P7ybDn6r2T8wPtB6PkHGixbFQlQ3OynLx5lY5TiaRq/UFmSGjmKwPFs4Yf m5Ktnwuj8h2mNQ9ZjWZp4mq2WC6XMEb6+37eeIgBuC1SmjVx3z8M3XlYcRNEpMM2Ywfw iFyeKEaqAOMWqxgCqRIhDLeYomw+uEAXn8Yx9VI0+U7HOvubDPEveUH8SPim/VVDr7Rj LXhOb1ggvw7KICNNrAQQWM62NakUKDGS8rddDvXMBoTeUicXOol79nijSs3H9FRSioTe nGpDH6Kn0Zeq8jqBVZOUJp5JIbezJjKAuftIPIVy7P9m6A4jgi/ONOQhRtkNY97YLuu1 s08A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YCu5Y/GTVOBPVVyupzvBVkyh0EoOaLJvwwF2Oks4mXY=; b=RnAc1D7W5RJKMl4hAUKamo6zFwna8oot/VlCOP1WQIFGUEhlOHT3lg2Mzo2kAXJvdk f0UToKEJ27C3cG1DiQDm+2g/6UepiwxJqc6JwfCn0gw+woRfCWu4ji/4FEIL+fovQPHV SdGHmlHqddIhJLwvtZe3fHuctO9rKcA3PvvqInrOdLeniReQJbSM7YrFAdxrnmfrfMcc ditQk8HQZTMX542CcoHSp0Ic5Sz0QwE9SuR0XePH6Y4dHKrpZaOVmbX8y6ujuVUSMyn9 e4KyFM/iQFMxDw9n/Ns1LSjcvOCUvYLK5AqM6nVKHWM9npDH14t1xQXB2nUL1jkZ4GDL 1EPg== X-Gm-Message-State: AFqh2krepUSUliQPbgOYnj9qGB11U8lE5RxmVSE78b2KOQfojq5C2E2X hPRA9qba3N5B9lXr1WedUG57mXunlla46vgLF/tk X-Received: by 2002:a63:e20b:0:b0:479:2109:506 with SMTP id q11-20020a63e20b000000b0047921090506mr4401043pgh.92.1673556311330; Thu, 12 Jan 2023 12:45:11 -0800 (PST) MIME-Version: 1.0 References: <20230109213809.418135-1-tjmercier@google.com> <20230109213809.418135-5-tjmercier@google.com> In-Reply-To: From: Paul Moore Date: Thu, 12 Jan 2023 15:45:00 -0500 Message-ID: Subject: Re: [PATCH 4/4] security: binder: Add transfer_charge SElinux hook To: "T.J. Mercier" Cc: Jeffrey Vander Stoep , Casey Schaufler , Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Christian Brauner , Carlos Llamas , Suren Baghdasaryan , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , hannes@cmpxchg.org, daniel.vetter@ffwll.ch, android-mm@google.com, jstultz@google.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 11, 2023 at 7:21 PM T.J. Mercier wrote: > > On Wed, Jan 11, 2023 at 3:00 PM Paul Moore wrote: > > > > On Mon, Jan 9, 2023 at 4:38 PM T.J. Mercier wrote: > > > > > > Any process can cause a memory charge transfer to occur to any other > > > process when transmitting a file descriptor through binder. This should > > > only be possible for central allocator processes, so a new SELinux > > > permission is added to restrict which processes are allowed to initiate > > > these charge transfers. > > > > > > Signed-off-by: T.J. Mercier > > > --- > > > drivers/android/binder.c | 5 +++++ > > > include/linux/lsm_hook_defs.h | 2 ++ > > > include/linux/lsm_hooks.h | 6 ++++++ > > > include/linux/security.h | 2 ++ > > > security/security.c | 6 ++++++ > > > security/selinux/hooks.c | 9 +++++++++ > > > security/selinux/include/classmap.h | 2 +- > > > 7 files changed, 31 insertions(+), 1 deletion(-) > > > > Hi T.J., > > > > A few things come to mind when looking at this patchset, but let me > > start with the big one first: you only sent 0/4 and 4/4 to the LSM and > > SELinux lists, so that's all I'm seeing in my inbox to review, and > > it's hard to make sense of what you want to do with just these > > snippets. This makes me cranky, and less inclined to spend the time > > to give this a proper review, because there are plenty of other things > > which need attention and don't require me having to hunt down missing > > pieces. Yes, I'm aware of b4/lei, and while they are great tools, my > > workflow was pretty well established before they came into existence > > and I still do things the good ol' fashioned way with mailing lists, > > etc. > > > > Make the patch reviewer's life easy whenever you can, it will rarely > > (ever?) backfire, I promise. > > Hi Paul, sorry about that. I have git send-email calling > get_maintainer.pl to automatically figure out the recipients, and I > think that's why it only sent particular patches to a subset of lists. > Looks like the list of recipients for each patch should be a union of > all patches. Thank you for taking a look anyway! Here's a lore link: > https://lore.kernel.org/lkml/20230109213809.418135-1-tjmercier@google.com/ > > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > > index 9830848c8d25..9063db04826d 100644 > > > --- a/drivers/android/binder.c > > > +++ b/drivers/android/binder.c > > > @@ -2279,6 +2279,11 @@ static int binder_translate_fd(u32 fd, binder_size_t fd_offset, __u32 flags, > > > if (IS_ENABLED(CONFIG_MEMCG) && (flags & BINDER_FD_FLAG_XFER_CHARGE)) { > > > struct dma_buf *dmabuf; > > > > > > + if (security_binder_transfer_charge(proc->cred, target_proc->cred)) { > > > + ret = -EPERM; > > > + goto err_security; > > > + } > > > > This is where I believe I'm missing the proper context, as this > > version of binder_translate_fd() differs from what I see in Linus' > > tree. However, the version in Linus' tree does have a LSM hook, > > security_binder_transfer_file(), which is passed both the credentials > > you are using above and based solely on the level of indentation shown > > in the chunk of code above, it seems like the existing hook might be > > suitable? > > Yes, patch 3 plumbs through flags to this function: > https://lore.kernel.org/lkml/20230109213809.418135-4-tjmercier@google.com/ > > I don't think the existing hook is suitable, which I've tried to explain below. In this particular case the issue of what permission checks are done for a given LSM, SELinux in this case, appears to be independent of if we need a new, different, or second LSM hook. Unless I missed something the only real difference with this new hook is that is sits behind a conditional checking if memory control groups are enabled and if a transfer charge was specified; it seems like passing the @flags parameter into the existing LSM hook would allow you to use the existing hook (it is called before the new hook, right?)? > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > > index 3c5be76a9199..823ef14924bd 100644 > > > --- a/security/selinux/hooks.c > > > +++ b/security/selinux/hooks.c > > > @@ -2066,6 +2066,14 @@ static int selinux_binder_transfer_file(const struct cred *from, > > > &ad); > > > } > > > > > > +static int selinux_binder_transfer_charge(const struct cred *from, const struct cred *to) > > > +{ > > > + return avc_has_perm(&selinux_state, > > > + cred_sid(from), cred_sid(to), > > > + SECCLASS_BINDER, BINDER__TRANSFER_CHARGE, > > > + NULL); > > > +} > > > > Generally speaking SELinux doesn't really worry about resource > > accounting controls so this seems a bit out of place, but perhaps the > > larger question is do you see this being sufficiently distinct from > > the existing binder:transfer permission? In other words, would you > > ever want to grant a domain the ability to transfer a file *without* > > also granting it the ability to transfer the memory charge? You need > > to help me explain why we need an additional permission for this, > > because I don't currently see the need. > > > Yes, and that's actually more often the case than not. A file here > means a file descriptor that points at any type of resource: file on > disk, memfd, dmabuf, etc. Currently there exists policy that restricts > which processes are allowed to interact with FDs over binder using the > security_binder_transfer_file hook you reference. [1] However this new > transfer_charge permission is meant to restrict the ability of a FD > sender to transfer the memory charge associated with that FD (if one > exists) to a recipient (who may or may not want to accept the memory > charge). So the memory charge is independent of (potentially one-time, > read-only) access to the FD. Without a more comprehensive set of LSM/SELinux access controls around resource management (which would need discussion beyond just this thread/patch) I'm not sure we want to start patching in one-off controls like this. I haven't looked, but are there any traditional/DAC access controls around transfering memory changes from one task to another? It seems like there *should* be, and if so, it seems like that would be the right approach at the moment ... if you're not already doing that in the other patches in the patchset. -- paul-moore.com