Received: by 2002:a05:7412:8d06:b0:f9:332d:97f1 with SMTP id bj6csp88075rdb;
        Mon, 18 Dec 2023 09:36:54 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEYf8M93M3P/hvHIR6MCp0lb/NNq7fMU9+WFJXPtWwvEITMz7+okmtmK4EyO7U+K6wnGRXa
X-Received: by 2002:a05:6359:587:b0:170:17eb:7c5b with SMTP id ee7-20020a056359058700b0017017eb7c5bmr15149734rwb.46.1702921014038;
        Mon, 18 Dec 2023 09:36:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702921014; cv=none;
        d=google.com; s=arc-20160816;
        b=Wm32FQavOXgkLNUlIfbmUiVfi6WpoE9XXW7TlWgbOOax7nBZWvdd+YYFMPNT0VK3j+
         X8JhbvsErPtimLI4HHVvw1KhVFesdbZg65b43Nuqu+5EwYvsWFCx0CgufAN6jA+Q2ZoI
         /Iu4phWCCEImheB/kKzwIHto6QID4jAvxJDLjUxPxkMHq5o5R2hkB29iDv8KIf6lu5AC
         nKF5bIVWRTm7SCgk9dVabCSe2tsJgGH9Hi4rSvnNyd/E5nk7mu0uxnN64F5IegpvNW8e
         iGLhjz0qvnlzhYraUbtF/JZuGZUcrdhgyVO6DKzAEK6fUQulGpptDivkyVS2gXpaXi0M
         5H4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=RGhfp7gmzYvPgDOx9Jk6h3Gpd+Z4OEn2fO5WRaWtC6k=;
        fh=S7cExyZkHfnqQz+kBij/opIgLl0BlEmscMBCC/HLC1U=;
        b=B2ekuQurUtfwcBQmkoIUJPtFqJIj954t+3vBQZYh26czemjBns44noldrz0l8AYMZL
         RY1+RVBOGqa2sXnIwu0dpeLSz58N0nTxmJIN4Wm3UK4+h7G9jZFHVHIhebvRAUWUrdsx
         PbjRtQpOpbevkVZPnPrC3GXY0eME8oCz9HWtZR137emCaBcxsTHhmk4INQmaTKqjgJ96
         uMv3SKoyJwqLKnqKYY2nxmcMsG7LdYxcm5RvCBJL0iRDtNSrHaS/qX4n2RXkhS+kAGUc
         XQFutI5TP6XKum59ga+NitB3ymsv1nDfx6MH9QqjW4F1wDR1dHy9CRZf3IQk6qoBJK3s
         W7vg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=AhAv2Xdc;
       spf=pass (google.com: domain of linux-kernel+bounces-4178-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-4178-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel+bounces-4178-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id d2-20020a0cdb02000000b0067f2768dfa3si6161927qvk.586.2023.12.18.09.36.53
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 18 Dec 2023 09:36:54 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-4178-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=AhAv2Xdc;
       spf=pass (google.com: domain of linux-kernel+bounces-4178-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-4178-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id BF3691C25239
	for <linux.lists.archive@gmail.com>; Mon, 18 Dec 2023 17:36:53 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 8025B5BFB5;
	Mon, 18 Dec 2023 17:36:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AhAv2Xdc"
X-Original-To: linux-kernel@vger.kernel.org
Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 809AC498B4;
	Mon, 18 Dec 2023 17:36:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-6d728c75240so1305194b3a.1;
        Mon, 18 Dec 2023 09:36:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1702921003; x=1703525803; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=RGhfp7gmzYvPgDOx9Jk6h3Gpd+Z4OEn2fO5WRaWtC6k=;
        b=AhAv2Xdc+RBU4LGn15IqaYkr78pCY8shKY1loH70HSN2htGPHkzleb8DtI9ogxwmbI
         H6K7uqHI+24oUapebnv/y1JHdQ9haA6lUE87bmogoN0r5oto6xxvdGBADV7UysjvxnTM
         wp5dJ4HKE/R2G0LlxFUj+ZOa7mVQpVDFJOduTCxqdaHuPBfHyTD2NcCK3vskACezUXwY
         CZNCeBVZIL507bvCMmj4yFoGNck7W5t6z07XQ7x9MbURg+h5/mAF2kSgVKmf9x/3Te8K
         b0lnJ7r9+zfUBwgbw6c1AsQxkP9Klwz8TwLAim5x7MoOAWzEqoYuJSCuNre4GWGjNb84
         IKUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1702921003; x=1703525803;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=RGhfp7gmzYvPgDOx9Jk6h3Gpd+Z4OEn2fO5WRaWtC6k=;
        b=TjC0i01QuWnxJMkSamk3wgpUsEMUZOu7XmiySgJIHIXH3INDSHUT8Xtv77ukfMSxgK
         UqrPV4RHmCVHxjuvCJtkVDJ0HtL/IbT/Qz30m/656Rmg4WmXjrxNOGvRuBVYQO3EJo7t
         o7XDrSeTRoN1dhCE8dqdA1avXSTrq83dg7iSLhsyzbNhyixUUwzB+tJzN62Ya5eF9IrI
         PDIb6GdVicbl+rPW5OwudRMmXyVas1A2uksDPP2csVseDt3w2fWdCLClnARApmk9eqe7
         /gj05urTgY39HiXqzASvkGyTnWO4aBcdPAjpUUJlCADNFqw7kfnTt7NUdJoHPEXntWFp
         Pwsw==
X-Gm-Message-State: AOJu0Yw4GoGbmbErtAYrzbe6k+hDflxo0NdevkKszWPO4HwrtjGv2Rc5
	iVf/PMCmtaV3csht3N5usAvYeFRP9fNXR+Jcgbk=
X-Received: by 2002:a05:6a21:a58e:b0:194:967f:3213 with SMTP id
 gd14-20020a056a21a58e00b00194967f3213mr47225pzc.73.1702921002664; Mon, 18 Dec
 2023 09:36:42 -0800 (PST)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <20231218141645.2548743-1-alpic@google.com> <6dce3020-14f0-471b-9b6a-c9dc761cfa19@schaufler-ca.com>
In-Reply-To: <6dce3020-14f0-471b-9b6a-c9dc761cfa19@schaufler-ca.com>
From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: Mon, 18 Dec 2023 12:36:31 -0500
Message-ID: <CAEjxPJ4tZAvch50i7Ve_7dPYUzCXK8ckDtmhwq81vjCf7pweQw@mail.gmail.com>
Subject: Re: [PATCH] SELinux: Introduce security_file_ioctl_compat hook
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Alfred Piccioni <alpic@google.com>, Paul Moore <paul@paul-moore.com>, 
	Eric Paris <eparis@parisplace.org>, stable@vger.kernel.org, selinux@vger.kernel.org, 
	linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Dec 18, 2023 at 12:11=E2=80=AFPM Casey Schaufler <casey@schaufler-c=
a.com> wrote:
>
> On 12/18/2023 6:16 AM, Alfred Piccioni wrote:
>
> > Some ioctl commands do not require ioctl permission, but are routed to
> > other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is
> > done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*).
> >
> > However, if a 32-bit process is running on a 64-bit kernel, it emits
> > 32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are
> > being checked erroneously, which leads to these ioctl operations being
> > routed to the ioctl permission, rather than the correct file
> > permissions.
> >
> > This was also noted in a RED-PEN finding from a while back -
> > "/* RED-PEN how should LSM module know it's handling 32bit? */".
> >
> > This patch introduces a new hook, security_file_ioctl_compat, that is
> > called from the compat ioctl syscal. All current LSMs have been changed
> > to support this hook.
> >
> > Reviewing the three places where we are currently using
> > security_file_ioctl, it appears that only SELinux needs a dedicated
> > compat change; TOMOYO and SMACK appear to be functional without any
> > change.
> >
> > Fixes: 0b24dcb7f2f7 ("Revert "selinux: simplify ioctl checking"")
> > Signed-off-by: Alfred Piccioni <alpic@google.com>
> > Cc: stable@vger.kernel.org
>
> This *really* needs to go the the LSM email list:
>         linux-security-module@vger.kernel.org

Yep, pointed that out a little earlier in this thread.

> > ---
> > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_def=
s.h
> > index ac962c4cb44b..626aa8cf930d 100644
> > --- a/include/linux/lsm_hook_defs.h
> > +++ b/include/linux/lsm_hook_defs.h
> > @@ -171,6 +171,8 @@ LSM_HOOK(int, 0, file_alloc_security, struct file *=
file)
> >  LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file)
> >  LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
> >        unsigned long arg)
> > +LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cm=
d,
> > +      unsigned long arg)
>
> Please add a flags parameter to file_ioctl() rather than a new hook.

Paul told him the opposite earlier.