Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5921782pxb; Mon, 14 Feb 2022 10:45:02 -0800 (PST) X-Google-Smtp-Source: ABdhPJyaAW2j9UiHiULS3fxZzVjJiSTPymLKUpNmTfFS0nVKiaJdbT/0xJ7ji0JwmaWLtxTwPrLy X-Received: by 2002:a63:2015:: with SMTP id g21mr343884pgg.184.1644864302631; Mon, 14 Feb 2022 10:45:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644864302; cv=none; d=google.com; s=arc-20160816; b=0GM3ngcpnPrHFnnep3YW1tlsxm1GV7N14GZNkaqq/AvPkTHMQ1FYvWdGpBr2YV3uc9 ukDTjFnEybnVEcp0ml7KXzq9KpVgVDXl1R3M0ISy4EvIc5tI4bJHGZNK77pU947FVdoF ss2cEt5RVhZ26GPUJN+rqc62c5YG4FjsHO53S3x6izeHiiadql0SkqjJyR96yNCq5tgi ptRHFOb4O2jTNhxEaCxv+Y6aM2nJHgOt/nGPzCh2HgEf74awwfONa0en4ufhPa3/daBW Kc0t4mbBk+j2qWVpkkw9ovLrQWKdj+vWzvnaw8FH0+w3gO9MD9VzqCdw2xpl91o1VfVQ 5XYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=g6DcfZ92QqbVDkAs+5onWxHYvjv4eWwkjyJIREZ2EHI=; b=yQJFLhUpPtQQW06hRqfF8GK+oe0JjyfHjxLTm63SvQXlIpt7oZPTAeOjo01Uho4Fwl /3nIoQZqLcZxY1HuXESSRj78sabGBuFomzqYOFhQPj7qULmvrsyHQ15FS80HCSDi2CQu qNIFPoGNwsMmSQPVGF8jSL8d5mUjYszS98GDnRK1JZ9SQYTXWMsx0qbtgb+dPyhJViju NvbjM238rdJV9J8LWKTF+FH3RMyv5hdzG1+OLNDkyN63RnAC2LJRbH7G7Ptp1PnsL+dK 7yt4tIIvZPZZ6NP8tk1fARr588UsDzfXW/cAvc6oym3YpmPIRTnvoFkL6P0NwdpfkIYl HHxw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=FuHHJ7d7; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id j3si12548892plk.612.2022.02.14.10.45.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Feb 2022 10:45:02 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=FuHHJ7d7; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D24026E4E0; Mon, 14 Feb 2022 10:44:53 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241249AbiBNHLu (ORCPT + 22 others); Mon, 14 Feb 2022 02:11:50 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:33654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241171AbiBNHLt (ORCPT ); Mon, 14 Feb 2022 02:11:49 -0500 Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DE8E58E42 for ; Sun, 13 Feb 2022 23:11:41 -0800 (PST) Received: by mail-lj1-x231.google.com with SMTP id c10so8258473ljr.9 for ; Sun, 13 Feb 2022 23:11:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g6DcfZ92QqbVDkAs+5onWxHYvjv4eWwkjyJIREZ2EHI=; b=FuHHJ7d7pv5aBhqmGSDZ49xksdbfDW1/UWVdzf9yzdMEbAxQdda/x670Ojs+8e87vM E5fimacLU+KLUtiJ2cK3H3h9q2Od2Wa3HStmrEe4GLWhoJMXtCuXFhb4dqCaGfaGoLfa 6AVvAon6gw93LvgE/YeBH7tl4vvAbD9rLhRg9ahUi2xDM8DdLqaQhOqJQSk3K11pmDc6 akX1kWkWmI4lNlIQ2Lsvh0WC+oHthoN4+WS1+MOBsIb8rqYJdkBO4YKpYfOrxvWUrXQv aDjJUdJB3QU7x8T+dNg3bPDQFZCSpBPoh+uLjsq8dYnftpAmFy1MGpgcKgD2oMiqkKRR VnEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g6DcfZ92QqbVDkAs+5onWxHYvjv4eWwkjyJIREZ2EHI=; b=cJyFWkXczZGCOSHC/qPCOPXgSKF8eU8GzpfkZeK/ke95n6RDxY+9wVwin84kAkTTB3 a2MFmEKCPg8m+X1Zky/JHa84SoHxiIprMPAGPwMyCpNelXOwHEi6COIMU4kEdmuF13si 47dFX3YWyFTab521lZB0Y7I5tKmk7F7yf3YWVCMgf1ElOPx9yG+tqoKhXOmbgzILYMQJ gbEbYJUAajYVDHq6onIeJ+i9+Pr7mqZ4l7PppRUnwNRXGkkQ4X5yOPz21vmgCRG+Itc2 ny6gMzAY0Xoi3/JOB5783yubwjxo3/GGTErHQ7MB47zU4aQbdIVUqUnd97813EnDvTGb AU0w== X-Gm-Message-State: AOAM533uUGSBgxCUMaskKlvcqlIEa9agwRtoAy7QIMcsTLWueJcjd9XC ahlmXzytTj13fruTen7FLiaLtIjCpYTDViiKselXDQ== X-Received: by 2002:a2e:a4ce:: with SMTP id p14mr1611442ljm.124.1644822699006; Sun, 13 Feb 2022 23:11:39 -0800 (PST) MIME-Version: 1.0 References: <4df50e95-6173-4ed1-9d08-3c1c4abab23f@gmail.com> <478e1651-a383-05ff-d011-6dda771b8ce8@linux.microsoft.com> <875ypt5zmz.fsf@defensec.nl> In-Reply-To: From: Jeffrey Vander Stoep Date: Mon, 14 Feb 2022 08:11:28 +0100 Message-ID: Subject: Re: [PATCH] SELinux: Always allow FIOCLEX and FIONCLEX To: William Roberts Cc: Dominick Grift , Chris PeBenito , Paul Moore , Demi Marie Obenour , Stephen Smalley , Eric Paris , SElinux list , Linux kernel mailing list , selinux-refpolicy@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Tue, Feb 8, 2022 at 3:18 PM William Roberts wrote: > > > > This is getting too long for me. > > > > > > > I don't have a strong opinion either way. If one were to allow this > > > using a policy rule, it would result in a major policy breakage. The > > > rule would turn on extended perm checks across the entire system, > > > which the SELinux Reference Policy isn't written for. I can't speak > > > to the Android policy, but I would imagine it would be the similar > > > problem there too. > > > > Excuse me if I am wrong but AFAIK adding a xperm rule does not turn on > > xperm checks across the entire system. > > It doesn't as you state below its target + class. > > > > > If i am not mistaken it will turn on xperm checks only for the > > operations that have the same source and target/target class. > > That's correct. > > > > > This is also why i don't (with the exception TIOSCTI for termdev > > chr_file) use xperms by default. > > > > 1. it is really easy to selectively filter ioctls by adding xperm rules > > for end users (and since ioctls are often device/driver specific they > > know best what is needed and what not) > > > >>> and FIONCLEX can be trivially bypassed unless fcntl(F_SETFD) > > > > 2. if you filter ioctls in upstream policy for example like i do with > > TIOSCTI using for example (allowx foo bar (ioctl chr_file (not > > (0xXXXX)))) then you cannot easily exclude additional ioctls later where source is > > foo and target/tclass is bar/chr_file because there is already a rule in > > place allowing the ioctl (and you cannot add rules) > > Currently, fcntl flag F_SETFD is never checked, it's silently allowed, but > the equivalent FIONCLEX and FIOCLEX are checked. So if you wrote policy > to block the FIO*CLEX flags, it would be bypassable through F_SETFD and > FD_CLOEXEC. So the patch proposed makes the FIO flags behave like > F_SETFD. Which means upstream policy users could drop this allow, which > could then remove the target/class rule and allow all icotls. Which is easy > to prevent and fix you could be a rule in to allowx 0 as documented in the > wiki: https://selinuxproject.org/page/XpermRules > > The questions I think we have here are: > 1. Do we agree that the behavior between SETFD and the FIO flags are equivalent? > I think they are. > 2. Do we want the interfaces to behave the same? > I think they should. > 3. Do upstream users of the policy construct care? > The patch is backwards compat, but I don't want their to be cruft > floating around with extra allowxperm rules. I think this proposed change is fine from Android's perspective. It implements in the kernel what we've already already put in place in our policy - that all domains are allowed to use these IOCLTs. https://cs.android.com/android/platform/superproject/+/master:system/sepolicy/public/domain.te;l=312 It'll be a few years before we can clean up our policy since we need to support older kernels, but that's fine.