Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp3152187pxb; Fri, 4 Feb 2022 02:26:26 -0800 (PST) X-Google-Smtp-Source: ABdhPJwWwjZz7hs9Lr0vrgEdnuaylDBCYZJg9Wh3z8o2g7FqJGr6yCvf9+eudbpsYl3dJ8sK6IBN X-Received: by 2002:a63:9307:: with SMTP id b7mr1834985pge.616.1643970386218; Fri, 04 Feb 2022 02:26:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643970386; cv=none; d=google.com; s=arc-20160816; b=yws1Eb7DfJt3QbSEVFSOq4bTojJUihhTCu+wEbUuf5O8ih/sNvuurMmfWwqJASt0Ux dzYVwliklIO/HfPE9Dpmntt3CVUcO56Hh8FegG2RLW8eMF5ZjtM8pYBv5iPADEqhy+Sg F8qUGs4O4731mEy4xawsbc4tT1goCh1M6ivT4PNhIyDDI77xY7DcrITJ56xtdDwb7aax +mnxcxoVJR3CrvKG2oQcYo1ev1nk2PBBRreSAFlmCrT0zpfb4k9Baj113Kufqz94rNI1 siOzS9Ukxk6KnlcD6YFbMksvW6+p5dLENFDQ3lxjmzeWe8+Bwn/WCFpAFuZ3KMf3o7On Kmlw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=AmSNhDG6FW6yzlPpCdGKepqD+t+GFrCkOSovI2o4uvI=; b=VwGq2Sp6Y+xUKvA4yxNi82c8RljkD4Ava+SVxiBLMugxUQp/96o9EqVa6NRKEBnepC jzs5jcBeWS5ENvvhc5+R5kc2q0HX/Vh/WrJZkxu8v235EzF5Xcxmwu9OTVoOSa2tIJvg Q5fgnkq8h9yzNijIAq2E/4BUfQN04jxDGVH3n7iCx9uIHurC3WtZiaHQGu0JwVbn/VCU PD9iO5TrUYseNEktRGXysH325WuN1Koh0+da+aAzuADLaXSkmocteST6rDbEnbAtRKFL c5NCi6ImflziFU7E120HRnqV/1vbxwFc3hEjfraC/29/REAKbac/itvtCVxJT3rIDw3f W+9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b="A/uDj8h0"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bk9si1283998pgb.669.2022.02.04.02.26.19; Fri, 04 Feb 2022 02:26:26 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b="A/uDj8h0"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1355516AbiBCXoc (ORCPT + 22 others); Thu, 3 Feb 2022 18:44:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45764 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243572AbiBCXob (ORCPT ); Thu, 3 Feb 2022 18:44:31 -0500 Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CF6D9C061714 for ; Thu, 3 Feb 2022 15:44:30 -0800 (PST) Received: by mail-ed1-x532.google.com with SMTP id n10so9505321edv.2 for ; Thu, 03 Feb 2022 15:44:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AmSNhDG6FW6yzlPpCdGKepqD+t+GFrCkOSovI2o4uvI=; b=A/uDj8h0TiRQQH5mrt6TQPc7Y0azsfr7kb4qI+LVJLLCIDOWDLgOVwRohllzo5rrBM CG8Kamrm7loe3c0ameljz4bFqOr7sxayOW1rPAn1UKBNZvmmWfVQewc8ecFDhYWp7IGY MkMjo/8uJtaGlIPCHPDzS5S0rZLqI/3/YCIIQrmV9rQeJrKMBxRuddxkEiEBqkhJIK53 EoD2PuMhMpJgRI4sMzORjEZ9mK9WNlSsc+nN3lxtJn/92xGkVVA+BdNMfMwYBembFmn6 Q1rSzs8uiS8ZXk4qLq1MQP+m6YxXHxzHFwZyq/+3G/bTvcQI1tMLeDTAt96B87dK+3cz kk4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AmSNhDG6FW6yzlPpCdGKepqD+t+GFrCkOSovI2o4uvI=; b=H0aUn3blSInLwYQtGYmTLNCThEruLR0Q2FF4GSUYIlcDTIC3yKSTxWITZtma/5lNIF 6kC3Sa38svmJ+JAwjSrQLE77RdbEpi6Xyp3GlQGzgB4n52DYS9nrEdvqPsiat1VMjR7w KkS9TOKPGvgaiH9TmaGQVny/v440b1eLkpAtZFdWeqB2PlYK3D8RcCczOseI8H0+U6vm IYSK8pvu6ndplqDv/qQjlTOmKnZBESn+fYAVWSwIHzrWU+YNWvCJkSmAt8hZ2ZhBXhAc 8H1Jbk+8vAPKJyiWlqzJPbl/XNY5rgGsXOkM9DjM+Fu10EvTyD6IDM/k0aBMQlVVDHAp ylXQ== X-Gm-Message-State: AOAM5315fWzsJ/NIano6MDreflZjBqhjg828gIyQR2XBXgsDha9tihqk z8fSJVPL0PHDFudWlxvbbBootfkB+JbSPH7nvc2E X-Received: by 2002:aa7:dcc9:: with SMTP id w9mr550521edu.434.1643931869390; Thu, 03 Feb 2022 15:44:29 -0800 (PST) MIME-Version: 1.0 References: <4df50e95-6173-4ed1-9d08-3c1c4abab23f@gmail.com> In-Reply-To: From: Paul Moore Date: Thu, 3 Feb 2022 18:44:18 -0500 Message-ID: Subject: Re: [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX To: Demi Marie Obenour Cc: Stephen Smalley , Eric Paris , selinux@vger.kernel.org, linux-kernel@vger.kernel.org, selinux-refpolicy@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Wed, Feb 2, 2022 at 5:13 AM Demi Marie Obenour wrote: > On 2/1/22 12:26, Paul Moore wrote: > > On Sat, Jan 29, 2022 at 10:40 PM Demi Marie Obenour > > wrote: > >> On 1/26/22 17:41, Paul Moore wrote: > >>> On Tue, Jan 25, 2022 at 5:50 PM Demi Marie Obenour > >>> wrote: > >>>> On 1/25/22 17:27, Paul Moore wrote: > >>>>> On Tue, Jan 25, 2022 at 4:34 PM Demi Marie Obenour > >>>>> wrote: > >>>>>> > >>>>>> These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux > >>>>>> always allows too. Furthermore, a failed FIOCLEX could result in a file > >>>>>> descriptor being leaked to a process that should not have access to it. > >>>>>> > >>>>>> Signed-off-by: Demi Marie Obenour > >>>>>> --- > >>>>>> security/selinux/hooks.c | 5 +++++ > >>>>>> 1 file changed, 5 insertions(+) > >>>>> > >>>>> I'm not convinced that these two ioctls should be exempt from SELinux > >>>>> policy control, can you explain why allowing these ioctls with the > >>>>> file:ioctl permission is not sufficient for your use case? Is it a > >>>>> matter of granularity? > >>>> > >>>> FIOCLEX and FIONCLEX are applicable to *all* file descriptors, not just > >>>> files. If I want to allow them with SELinux policy, I have to grant > >>>> *:ioctl to all processes and use xperm rules to determine what ioctls > >>>> are actually allowed. That is incompatible with existing policies and > >>>> needs frequent maintenance when new ioctls are added. > >>>> > >>>> Furthermore, these ioctls do not allow one to do anything that cannot > >>>> already be done by fcntl(F_SETFD), and (unless I have missed something) > >>>> SELinux unconditionally allows that. Therefore, blocking these ioctls > >>>> does not improve security, but does risk breaking userspace programs. > >>>> The risk is especially great because in the absence of SELinux, I > >>>> believe FIOCLEX and FIONCLEX *will* always succeed, and userspace > >>>> programs may rely on this. Worse, if a failure of FIOCLEX is ignored, > >>>> a file descriptor can be leaked to a child process that should not have > >>>> access to it, but which SELinux allows access to. Userspace > >>>> SELinux-naive sandboxes are one way this could happen. Therefore, > >>>> blocking FIOCLEX may *create* a security issue, and it cannot solve one. > >>> > >>> I can see you are frustrated with my initial take on this, but please > >>> understand that excluding an operation from the security policy is not > >>> something to take lightly and needs discussion. I've added the > >>> SELinux refpolicy list to this thread as I believe their input would > >>> be helpful here. > >> > >> Absolutely it is not something that should be taken lightly, though I > >> strongly believe it is correct in this case. Is one of my assumptions > >> mistaken? > > > > My concern is that there is a distro/admin somewhere which is relying > > on their SELinux policy enforcing access controls on these ioctls and > > removing these controls would cause them a regression. > > I obviously do not have visibility into all systems, but I suspect that > nobody is actually relying on this. Setting and clearing CLOEXEC via > fcntl is not subject to SELinux restrictions, so blocking FIOCLEX > and FIONCLEX can be trivially bypassed unless fcntl(F_SETFD) is > blocked by seccomp or another LSM. Clearing close-on-exec can also be > implemented with dup2(), and setting it can be implemented with dup3() > and F_DUPFD_CLOEXEC (which SELinux also allows). In short, I believe > that unconditionally allowing FIOCLEX and FIONCLEX may fix real-world > problems, and that it is highly unlikely that anyone is relying on the > current behavior. I understand your point, but I remain concerned about making a kernel change for something that can be addressed via policy. I'm also concerned that in the nine days this thread has been on both the mail SELinux developers and refpolicy lists no one other than you and I have commented on this patch. In order to consider this patch further, I'm going to need to see comments from others, preferably those with a background in supporting SELinux policy. Also, while I'm sure you are already well aware of this, I think it is worth mentioning that SELinux does apply access controls when file descriptors are inherited across an exec() boundary. -- paul-moore.com