Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5688837pxb; Wed, 26 Jan 2022 18:54:39 -0800 (PST) X-Google-Smtp-Source: ABdhPJw9wZkE4ks+m2/mMFmuUnFeMuX5idh7oy/1zpHgQAWafMZPXAQOzU+zNyXwsPq9pUXrKhaM X-Received: by 2002:a05:6402:32a:: with SMTP id q10mr1818887edw.248.1643252078830; Wed, 26 Jan 2022 18:54:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643252078; cv=none; d=google.com; s=arc-20160816; b=B67abxSvYjr8rbzUOSNhCcHX9Oard8wluW+XIQLwyHk5QG2P3KGIBUfWoU1onlbNVQ svqipPnszDzOL3eLOMgy0mHd0n80+irrRM8pmdpliW8cXHI2FmFoeUa5Zm5JtBIjtWFh eGTAGujdhDNLvp9MIPMA5zXkVsLgprA5ltpIBjetWwUR+AwaP0HS0yFPu3MEKtB3KXEG MPuMD1F4eWV5901y7Qnjp8GgqU0/vQE97xot3mCo8g8f/JrfIf1MisWs4Df46Dzq1qsL ZI8z02DYKmlp7yisFJBpV5ehoVmiwdLqlie/6X7nH8xcvRm4mYwlYZwjMfATk1RYKjZr K9Hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=0kmlesg0I4LYJSjpNNLXT1MwRqqz07UkKMgwpQerJZI=; b=DDghmKcj0Tc8MZyurgUkJBl2wN2SCRXrz9eg8IPr0Dd7tiGT4kXglajPSL3fa0IIEw iMC2Go+HzCj4wC3Tode6MAwP9KP/yy+cJpwotorq5LpLiZpBh4iHwzcbhZme0zCrS7ly 3YdTvGUT/nxjMSsoFTPc0ygdzRiGaZVrVE7z0IVQ4erSww0XB1ehIh6MkoRMbV6DG3u8 UFkpIUMInFP135bgKiTxLywpdQ6sK7Zne7+O/E317MKTeUNuht04TEhM6lhmLrDgfzmI 2aGj7iKcr7TIL50pSGJR8goGemmfEftbO+UI9154CP772y9cQqs8ZGUwdOEQqo5GNRlH z1xg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=l9vpOUZB; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dr11si642976ejc.157.2022.01.26.18.54.31; Wed, 26 Jan 2022 18:54:38 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=l9vpOUZB; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229890AbiAZWl6 (ORCPT + 22 others); Wed, 26 Jan 2022 17:41:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60690 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229693AbiAZWl5 (ORCPT ); Wed, 26 Jan 2022 17:41:57 -0500 Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 092EFC06161C for ; Wed, 26 Jan 2022 14:41:57 -0800 (PST) Received: by mail-ed1-x531.google.com with SMTP id j2so1139632edj.8 for ; Wed, 26 Jan 2022 14:41:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0kmlesg0I4LYJSjpNNLXT1MwRqqz07UkKMgwpQerJZI=; b=l9vpOUZB8NcQgpvbNkpOEaeahCnYoHjUgOpPZAywPZfGYpyG0d9jz/Kt1pKMI84twO NuOzY+JdgnvBZ7r10vSopglCYsgSKT9oWEBS5FQdK25SkR4NpgnSlqBI6/rh2VirvKh7 5I6cTxkLzn6QB2Agk++R+m56tpPtRt5DknK/gL66+niqa5azxbOhOw+Fs6WElUJNhzVK 2EkZv6+jYG2MdXTPjRR1Rf2t3ioib6J+qa1YUhjfYgcFGltmjT0hAU9W1HOVbHwesrwZ EknPLiDwrej46VB2W/j7SRp1dWKinvVldzz7NzW1TAXcKs0fs+ykXY8WeUrQEedMPHvk BYmA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0kmlesg0I4LYJSjpNNLXT1MwRqqz07UkKMgwpQerJZI=; b=V5XiI6RPXdkJUbbSaJxOMMS2RV+mBOnQ+kO8DSVacq4yEN1Mo1BuuMdSjzMINu1Lt3 MEjZahHCJTHq8RXDZR6vcTvd/mUiesppFKzUq9leowbk5Wf2coyW9aU66xhC2RwjCHq7 Ivnc8gzkmICBHuoF34AfFU+Tr2KnunE2lNBTjNnPtDaDxpJ+M9kJm8wqjQfL2zTD32LZ HWcVqS4s3JMZYYtIjusZCL+niX1HJN/piYt7+GviQXOQVeD61lmWYgMl/tT45KXplquO ugyti65h9wap0Efe47ltxp4QsSTV979xrrAoSA+UJTL6Ga0PfjyS9Jy56afAOmCgnfQ1 yisg== X-Gm-Message-State: AOAM53069a0AFDDja3v3ToBNXqULgcsTN9wwiPzMPk9JM/cpYMdrun2B PEOE9oEh3gxzkSd/6kqSgFs7SxWElALKs2oj7VN0 X-Received: by 2002:a05:6402:2793:: with SMTP id b19mr1052162ede.171.1643236915606; Wed, 26 Jan 2022 14:41:55 -0800 (PST) MIME-Version: 1.0 References: <4df50e95-6173-4ed1-9d08-3c1c4abab23f@gmail.com> In-Reply-To: From: Paul Moore Date: Wed, 26 Jan 2022 17:41:44 -0500 Message-ID: Subject: Re: [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX To: Demi Marie Obenour Cc: Stephen Smalley , Eric Paris , selinux@vger.kernel.org, linux-kernel@vger.kernel.org, selinux-refpolicy@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Tue, Jan 25, 2022 at 5:50 PM Demi Marie Obenour wrote: > On 1/25/22 17:27, Paul Moore wrote: > > On Tue, Jan 25, 2022 at 4:34 PM Demi Marie Obenour > > wrote: > >> > >> These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux > >> always allows too. Furthermore, a failed FIOCLEX could result in a file > >> descriptor being leaked to a process that should not have access to it. > >> > >> Signed-off-by: Demi Marie Obenour > >> --- > >> security/selinux/hooks.c | 5 +++++ > >> 1 file changed, 5 insertions(+) > > > > I'm not convinced that these two ioctls should be exempt from SELinux > > policy control, can you explain why allowing these ioctls with the > > file:ioctl permission is not sufficient for your use case? Is it a > > matter of granularity? > > FIOCLEX and FIONCLEX are applicable to *all* file descriptors, not just > files. If I want to allow them with SELinux policy, I have to grant > *:ioctl to all processes and use xperm rules to determine what ioctls > are actually allowed. That is incompatible with existing policies and > needs frequent maintenance when new ioctls are added. > > Furthermore, these ioctls do not allow one to do anything that cannot > already be done by fcntl(F_SETFD), and (unless I have missed something) > SELinux unconditionally allows that. Therefore, blocking these ioctls > does not improve security, but does risk breaking userspace programs. > The risk is especially great because in the absence of SELinux, I > believe FIOCLEX and FIONCLEX *will* always succeed, and userspace > programs may rely on this. Worse, if a failure of FIOCLEX is ignored, > a file descriptor can be leaked to a child process that should not have > access to it, but which SELinux allows access to. Userspace > SELinux-naive sandboxes are one way this could happen. Therefore, > blocking FIOCLEX may *create* a security issue, and it cannot solve one. I can see you are frustrated with my initial take on this, but please understand that excluding an operation from the security policy is not something to take lightly and needs discussion. I've added the SELinux refpolicy list to this thread as I believe their input would be helpful here. -- paul-moore.com