Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8AF44C54E94 for ; Tue, 24 Jan 2023 04:47:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232016AbjAXEr3 (ORCPT ); Mon, 23 Jan 2023 23:47:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46342 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231760AbjAXEr1 (ORCPT ); Mon, 23 Jan 2023 23:47:27 -0500 Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 91BC861A8 for ; Mon, 23 Jan 2023 20:47:26 -0800 (PST) Received: by mail-yb1-xb30.google.com with SMTP id 188so17440888ybi.9 for ; Mon, 23 Jan 2023 20:47:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=+5+rk6gG92yU871Q18SGdLg7yIfDbgS5v3bi+1rCUbI=; b=aWyceTWtE5DTXNyf9TvC5uY4/OZwC8YyWYVPbtQZa82CqvSa6NLYy7WyPJWvo1gHfR qbqDg2g0l+Ahec3b15JPqyZBqEWwhusTLppzRnqY5x9zcHeYavXxKgYAg8mIW3k8ULE5 sKYGam3VNwr5rFIaYa2weHMKPhAlUexGu6I7BsgaF2BY/zDAErUTVigE890Cwy6KLrLc 9yqPI2WnnMdJHwF42k8jmH74XUPI11iHViGtCj+XOvHYb5av5UEmYLP4v0+hPOymIYpP lWNcJpvaBML6U8BIJzbtH/XxL8W2IM9HC5UZ/bhRzYNKonuqg2CbUJvEgWkhW0R7YNE1 MdFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+5+rk6gG92yU871Q18SGdLg7yIfDbgS5v3bi+1rCUbI=; b=hiX5nI3DEpBdu40BjGZZvrVT/vzaGG5PAZTpyyokU11Xq5Xau+oe0FFZ8sZdZfkOHi +WtqhloYmu9gdeaMJdLaFbJM58EXEf1u1OCcSTlnBbTdrF6d4auj1y1eFYobBF/7wLss zkVRO81i8I+Qe2YXlSRm2qek9PGwVcFilnqMVhqFtDLBHfLfXTFoDV+xI9sGx4hDq5ho S8Pu/qRYd3CRuitApDHvWaJmp/GqpgIfD3HMEWqoEblev+GuEuoUOZ5CDt2O8nHTrJT7 /c41AVpvdYa0XR0IWXfR0Wo5qq6HP+Ts++KN5T5FLwYjcqoUR+SFWypGUM4PGKBupGn2 pqnA== X-Gm-Message-State: AFqh2kqyZ57U1pj95y86fGOhiy6npgYV4Yh/KBJAW3rI4bQXKxhh7PQ1 CGle3BzzDi/vaC1A5ErzM0nEkoiPH4SUO6DCU9KA4g== X-Google-Smtp-Source: AMrXdXuYdYgfPuS6e/ypCYP4fU7Onii28qxOTxo06MVE/ttY1OEfzR8WQcc4gqxY5GLV14tPPWAYGcO2P7+hD94HjyM= X-Received: by 2002:a25:c00a:0:b0:733:4dbc:7215 with SMTP id c10-20020a25c00a000000b007334dbc7215mr3054103ybf.636.1674535645579; Mon, 23 Jan 2023 20:47:25 -0800 (PST) MIME-Version: 1.0 References: <20230123191728.2928839-1-tjmercier@google.com> <20230123191728.2928839-5-tjmercier@google.com> In-Reply-To: From: "T.J. Mercier" Date: Mon, 23 Jan 2023 20:47:14 -0800 Message-ID: Subject: Re: [PATCH v2 4/4] security: binder: Add binder object flags to selinux_binder_transfer_file To: Paul Moore Cc: Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Christian Brauner , Carlos Llamas , Suren Baghdasaryan , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , hannes@cmpxchg.org, daniel.vetter@ffwll.ch, android-mm@google.com, jstultz@google.com, jeffv@google.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, cgroups@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jan 23, 2023 at 2:04 PM T.J. Mercier wrote: > > > > On Mon, Jan 23, 2023 at 1:36 PM Paul Moore wrote: >> >> On Mon, Jan 23, 2023 at 2:18 PM T.J. Mercier wrot= e: >> > >> > Any process can cause a memory charge transfer to occur to any other >> > process when transmitting a file descriptor through binder. This shoul= d >> > only be possible for central allocator processes, so the binder object >> > flags are added to the security_binder_transfer_file hook so that LSMs >> > can enforce restrictions on charge transfers. >> > >> > Signed-off-by: T.J. Mercier >> > --- >> > drivers/android/binder.c | 2 +- >> > include/linux/lsm_hook_defs.h | 2 +- >> > include/linux/lsm_hooks.h | 5 ++++- >> > include/linux/security.h | 6 ++++-- >> > security/security.c | 4 ++-- >> > security/selinux/hooks.c | 13 ++++++++++++- >> > security/selinux/include/classmap.h | 2 +- >> > 7 files changed, 25 insertions(+), 9 deletions(-) >> >> ... >> >> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >> > index 3c5be76a9199..d4cfca3c9a3b 100644 >> > --- a/security/selinux/hooks.c >> > +++ b/security/selinux/hooks.c >> > @@ -88,6 +88,7 @@ >> > #include >> > #include >> > #include /* for hashlen_string() */ >> > +#include >> > #include >> > #include >> > #include >> > @@ -2029,7 +2030,8 @@ static int selinux_binder_transfer_binder(const = struct cred *from, >> > >> > static int selinux_binder_transfer_file(const struct cred *from, >> > const struct cred *to, >> > - struct file *file) >> > + struct file *file, >> > + u32 binder_object_flags) >> > { >> > u32 sid =3D cred_sid(to); >> > struct file_security_struct *fsec =3D selinux_file(file); >> > @@ -2038,6 +2040,15 @@ static int selinux_binder_transfer_file(const s= truct cred *from, >> > struct common_audit_data ad; >> > int rc; >> > >> > + if (binder_object_flags & BINDER_FD_FLAG_XFER_CHARGE) { >> > + rc =3D avc_has_perm(&selinux_state, >> > + cred_sid(from), sid, >> > + SECCLASS_BINDER, BINDER__TRANSFER_CHARGE, >> > + NULL); >> > + if (rc) >> > + return rc; >> > + } >> > + >> > ad.type =3D LSM_AUDIT_DATA_PATH; >> > ad.u.path =3D file->f_path; >> > >> > diff --git a/security/selinux/include/classmap.h b/security/selinux/in= clude/classmap.h >> > index a3c380775d41..2eef180d10d7 100644 >> > --- a/security/selinux/include/classmap.h >> > +++ b/security/selinux/include/classmap.h >> > @@ -172,7 +172,7 @@ const struct security_class_mapping secclass_map[]= =3D { >> > { "tun_socket", >> > { COMMON_SOCK_PERMS, "attach_queue", NULL } }, >> > { "binder", { "impersonate", "call", "set_context_mgr", "trans= fer", >> > - NULL } }, >> > + "transfer_charge", NULL } }, >> > { "cap_userns", >> > { COMMON_CAP_PERMS, NULL } }, >> > { "cap2_userns", >> >> My first take on reading these changes above is that you've completely >> ignored my previous comments about SELinux access controls around >> resource management. You've leveraged the existing LSM/SELinux hook >> as we discussed previously, that's good, but can you explain what >> changes you've made to address my concerns about one-off resource >> management controls? >> > It's been a couple of weeks since v1 so I've sent this update out now to = incorporate all the other feedback so far to make sure it's headed in the r= ight direction. I've tried opening up a discussion about this rather unique= case, but there's been no activity on that yet. > Someone pointed out this didn't make it to the lists. Retrying. >> -- >> paul-moore.com