Subject: Re: [PATCH v4 4/4] vduse: Add LSM hooks to check Virtio device type
From: Maxime Coquelin <maxime.coquelin@redhat.com>
Date: Thu, 2 Nov 2023 18:56:59 +0100
To: Casey Schaufler, mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, xieyongji@bytedance.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, david.marchand@redhat.com, lulu@redhat.com
Message-ID: <76572500-5f90-46fe-9bf2-b090bf1b616b@redhat.com>
References: <20231020155819.24000-1-maxime.coquelin@redhat.com> <20231020155819.24000-5-maxime.coquelin@redhat.com> <923f87a1-1871-479e-832e-db67b5ae87fd@redhat.com> <64626db9-e37a-4c65-a455-fc3985382216@schaufler-ca.com> <7524dee3-7c48-4864-8182-1b166b0f6faa@redhat.com>
List: linux-kernel@vger.kernel.org
On 10/24/23 17:30, Casey Schaufler wrote:
> On 10/24/2023 2:49 AM, Maxime Coquelin wrote:
>>
>> On 10/23/23 17:13, Casey Schaufler wrote:
>>> On 10/23/2023 12:28 AM, Maxime Coquelin wrote:
>>>>
>>>> On 10/21/23 00:20, Casey Schaufler wrote:
>>>>> On 10/20/2023 8:58 AM, Maxime Coquelin wrote:
>>>>>> This patch introduces LSM hooks for device creation,
>>>>>> destruction and opening operations, checking the
>>>>>> application is allowed to perform these operations for
>>>>>> the Virtio device type.
>>>>>
>>>>> Why do you think that there needs to be a special LSM check for virtio
>>>>> devices? Why can't existing device attributes be used?
>>>>
>>>> Michael asked for a way for SELinux to allow/prevent the creation of
>>>> some types of devices [0].
>>>>
>>>> A device is created using ioctl() on the VDUSE control chardev. Its type is
>>>> specified via a field in the structure passed as argument.
>>>>
>>>> I didn't see any other way than adding dedicated LSM hooks to achieve this,
>>>> but it is possible that there is a better way to do it?
>>>
>>> At the very least the hook should be made more general, and I'd have to
>>> see a proposal before commenting on that. security_dev_destroy(dev) might
>>> be a better approach. If there's reason to control destruction of vduse
>>> devices it's reasonable to assume that there are other devices with the
>>> same or similar properties.
>>
>> VDUSE is different from other devices as the device is actually
>> implemented by the user-space application, so this is very specific in
>> my opinion.
>
> This is hardly unique. If you're implementing the device
> in user-space you may well be able to implement the desired
> controls there.
>
>>> Since SELinux is your target use case, can you explain why you can't
>>> create SELinux policy to enforce the restrictions you're after? I believe
>>> (but can be proven wrong, of course) that SELinux has a mechanism for
>>> dealing with controls on ioctls.
>>
>> I am not aware of such a mechanism to deal with ioctl(); if you have a
>> pointer that would be welcome.
>
> security/selinux/hooks.c

We might be able to extend selinux_file_ioctl(), but that will only cover
the ioctl for the control file; this patch also adds a hook for the device
file opening, which would need a dedicated hook as the device type
information is stored in the device's private data.

Michael, before going further, I would be interested in your feedback.
Was this patch what you had in mind when requesting a way to allow/deny
device types for a given application?

Regards,
Maxime

>> Thanks,
>> Maxime
>>
>>>> Thanks,
>>>> Maxime
>>>>
>>>> [0]:
>>>> https://lore.kernel.org/all/20230829130430-mutt-send-email-mst@kernel.org/