Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp142166pxm; Tue, 22 Feb 2022 19:03:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJwtmy3zDk7Nsd5lA5fP4UHL6Hj+xvP5ocev17xYG+SDmPziv+NgWPHifGeBK2gyQ4nD0qem X-Received: by 2002:a63:ea07:0:b0:372:f0e9:50b9 with SMTP id c7-20020a63ea07000000b00372f0e950b9mr22017199pgi.566.1645585394295; Tue, 22 Feb 2022 19:03:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645585394; cv=none; d=google.com; s=arc-20160816; b=w3tTx9JmOw0CTTT6dUHu24lhgYPbzgkDzxzSrBQ6a27f1/YyWow62eb7BT4KCc2ryf Pe7KIQ0VQkd79v7rRxJH7UzqbJ1mNkLLEJ6WchYsuB3kfWgRTRN2KX8j3I//T9BUbeCE MrzqDrkm44WjKyP0Qdfwzq+WeSKej1WalZh3KZIsTJ+3HG8ax9fQQswO/zxBaCTNobwo eFjBPGaLzPFd+3PPiCS+JTRtfjTj6Y1yCr/ge7CAoNL91a341U1Xaby94XQtihYW0CI4 nGw1ez/TIkuNJLpnwPADKJnaS1W0K6Qdx4mAo4LMz25i1QhZOD+Be83sdGwJP8DqnJSO G6XA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=0sDj0qMJJiN5G76triZ2YOQFF95CL0AvqXtgUFOJ/qk=; b=YJbm+E9g7a5G6v2czz/aVYN9+je8bUo+NU3Bdj0t07P3PlrvYacKq0Rv+hhjhfT59y jU9LmwldiXpWM8tK4dBKEEFUlTJp0CKrx/cVa8XuQ3CHuNKXzlAOC9aY5bIJfkpNRoXk ZPRtOUA52a1rcxRQ/x6xIHG95Qj1ZRIEAZKjkz5xXrcgxLSOSynp9Khv2m+zPHNnIAF1 pOVsGodFQXALJEKQDOIzw6+5WeZtBxUvFZxffjoXKfzVKEepCP3xe5XzWbBIHtV0zyid jbUn9MsYMbsagXnWpjaMF/dTggZr6k56pQiz/2pRGpLcZzh7TJNw28wu1NhbfURKy1VY /q1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=hPpp7Skw; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p3si13367088pfo.191.2022.02.22.19.03.08; Tue, 22 Feb 2022 19:03:14 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=hPpp7Skw; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236274AbiBVX3K (ORCPT + 22 others); Tue, 22 Feb 2022 18:29:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56402 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236261AbiBVX3K (ORCPT ); Tue, 22 Feb 2022 18:29:10 -0500 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ECB19A27B2 for ; Tue, 22 Feb 2022 15:28:43 -0800 (PST) Received: by mail-ej1-x629.google.com with SMTP id d10so47615146eje.10 for ; Tue, 22 Feb 2022 15:28:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0sDj0qMJJiN5G76triZ2YOQFF95CL0AvqXtgUFOJ/qk=; b=hPpp7SkwemAPoCxUmzJK8Z9jEuz2Ipp1/bHRj8z9satZdk6aNRAmEZ1xsvLdbSt7Fj CGTAEBI2ZwJ7tklGkS0Y4emJNlChkcpsrDDtHIIsI253bWpbBE3OtDR7USWHSUIlGxan IiyjiQCNYab6YGCbWjIPcp8tUsuN2Qc20uPWtpzA+syN1WUN6D1ogO/8Ca14REDOzxem cvHIcjGhdEQZvofhwdxgsOLguJF87p/WhFstfmPeTd5neXlk9uIKr6fiQQfaibKXN9X9 nCc/y+Wuw6LOgyKv5lTFUaivLmqGa9C3z/T05HMWVWQbxdo7dUXWrw2l/ePGBVMj1sp6 oUQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0sDj0qMJJiN5G76triZ2YOQFF95CL0AvqXtgUFOJ/qk=; b=hfRHfm6NzV6hj1wpde2Sv2i/Hpo6xHjsLe7eVaBb3oPBKinSUvjV+5rXjbDCOj2ftJ KZFsDKtiO5hw5Gm91Sf6whMprwTC1ZX3eWfNxHvv+rl1hYyHmcF8RMFOqhzrAuaXbUYn DzrJA3VczIGLCe+ltAfNQnxMFeA147fZ0FA8HohyJV5PCm18Ls5Xf2Op3qHPDXDj58+4 0/MuKegB7owgmZyXYlOlo6fi1lK+UEevvjGW5StT4+g+bXBa6+L02J/fIe+b0oMFs3+B X/Njuy4RJPGHxYkaVr8fh+c0XQK7vqMtW3+aKVTmd6QxXON47sUXFaYr9MjrS5FQxsn4 FdGw== X-Gm-Message-State: AOAM530X1phoXCCufb9YYHSyxtVdFCws2umrqMLtMFB8q/5ZIbW7gFBv a/zVKGLTwqVHaYYOfulPiBo0C8fiicO9cHA6Fkan X-Received: by 2002:a17:906:c318:b0:6cf:d118:59d8 with SMTP id s24-20020a170906c31800b006cfd11859d8mr20829134ejz.112.1645572522506; Tue, 22 Feb 2022 15:28:42 -0800 (PST) MIME-Version: 1.0 References: <20220221131533.74238-1-richard_c_haines@btinternet.com> In-Reply-To: <20220221131533.74238-1-richard_c_haines@btinternet.com> From: Paul Moore Date: Tue, 22 Feb 2022 18:28:31 -0500 Message-ID: Subject: Re: [PATCH V2] security/selinux: Always allow FIOCLEX and FIONCLEX To: Richard Haines Cc: stephen.smalley.work@gmail.com, eparis@parisplace.org, demiobenour@gmail.com, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, selinux-refpolicy@vger.kernel.org, jeffv@google.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Mon, Feb 21, 2022 at 8:15 AM Richard Haines wrote: > > These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux > always allows too. Furthermore, a failed FIOCLEX could result in a file > descriptor being leaked to a process that should not have access to it. > > As this patch removes access controls, a policy capability needs to be > enabled in policy to always allow these ioctls. > > Based-on-patch-by: Demi Marie Obenour > Signed-off-by: Richard Haines > --- > V2 Change: Control via a policy capability. See this thread for discussion: > https://lore.kernel.org/selinux/CAHC9VhQEPxYP_KU56gAGNHKQaxucY8gSsHiUB42PVgADBAccRQ@mail.gmail.com/T/#t > > With this patch and the polcap enabled, the selinux-testsuite will fail: > ioctl/test at line 47 - Will need a fix. > > security/selinux/hooks.c | 7 +++++++ > security/selinux/include/policycap.h | 1 + > security/selinux/include/policycap_names.h | 3 ++- > security/selinux/include/security.h | 7 +++++++ > 4 files changed, 17 insertions(+), 1 deletion(-) Thanks Richard for putting together the v2 of this patch. As far as the test is concerned, it seems like the quick-n-dirty fix is to simply remove the ioctl(FIOCLEX) test in test_noioctl.c; is everyone okay with that? At least that is what I'm going to do with my local copy that I use to validate the kernel-secnext builds unless someone has a better patch :) > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 5b6895e4f..030c41652 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3745,6 +3745,13 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, > CAP_OPT_NONE, true); > break; > > + case FIOCLEX: > + case FIONCLEX: > + /* Must always succeed if polcap set, else default: */ > + if (selinux_policycap_ioctl_skip_cloexec()) > + break; > + fallthrough; > + The break/fallthrough looks like it might be a little more fragile than necessary, how about something like this: case FIOCLEX: case FIONCLEX: if (!selinux_policycap_ioctl_skip_cloexec()) error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); break; Yes, it does duplicate the default ioctl_has_perm() call, but since we are effectively deprecating this and locking the FIOCLEX/FIONCLEX behavior with this policy capability it seems okay to me (and preferable to relying on the fallthrough). Thoughts? -- paul-moore.com