From: Paul Moore
Date: Thu, 24 Feb 2022 19:34:20 -0500
Subject: Re: [PATCH V3] security/selinux: Always allow FIOCLEX and FIONCLEX
To: Richard Haines, selinux@vger.kernel.org
Cc: stephen.smalley.work@gmail.com, eparis@parisplace.org, demiobenour@gmail.com, linux-kernel@vger.kernel.org, selinux-refpolicy@vger.kernel.org, jeffv@google.com

On Thu, Feb 24, 2022 at 5:24 AM Richard Haines wrote:
>
> These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux
> always allows too. Furthermore, a failed FIOCLEX could result in a file
> descriptor being leaked to a process that should not have access to it.
>
> As this patch removes access controls, a policy capability needs to be
> enabled in policy to always allow these ioctls.
>
> Based-on-patch-by: Demi Marie Obenour
> Signed-off-by: Richard Haines
> ---
> V2 Change: Control via a policy capability.
> V3 Change: Update switch check.
>
>  security/selinux/hooks.c                   | 6 ++++++
>  security/selinux/include/policycap.h       | 1 +
>  security/selinux/include/policycap_names.h | 3 ++-
>  security/selinux/include/security.h        | 7 +++++++
>  4 files changed, 16 insertions(+), 1 deletion(-)

This looks good to me, but before I merge this are the SELinux userspace
folks okay with the policy capability's name and enum value?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 5b6895e4f..d369c2d82 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c 
> @@ -3745,6 +3745,12 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, > CAP_OPT_NONE, true); > break; > > + case FIOCLEX: > + case FIONCLEX: > + if (!selinux_policycap_ioctl_skip_cloexec()) > + error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); > + break; > + > /* default case assumes that the command will go > * to the file's ioctl() function. > */ > diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h > index 2ec038efb..44d73dc32 100644 > --- a/security/selinux/include/policycap.h > +++ b/security/selinux/include/policycap.h > @@ -11,6 +11,7 @@ enum { > POLICYDB_CAPABILITY_CGROUPSECLABEL, > POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, > POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, > + POLICYDB_CAPABILITY_IOCTL_CLOEXEC, > __POLICYDB_CAPABILITY_MAX > }; > #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) > diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h > index b89289f09..ebd64afe1 100644 > --- a/security/selinux/include/policycap_names.h > +++ b/security/selinux/include/policycap_names.h > @@ -12,7 +12,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { > "always_check_network", > "cgroup_seclabel", > "nnp_nosuid_transition", > - "genfs_seclabel_symlinks" > + "genfs_seclabel_symlinks", > + "ioctl_skip_cloexec" > }; > > #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ > diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h > index ac0ece013..8a789c22b 100644 > --- a/security/selinux/include/security.h > +++ b/security/selinux/include/security.h 
> @@ -219,6 +219,13 @@ static inline bool selinux_policycap_genfs_seclabel_symlinks(void) > return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]); > } > > +static inline bool selinux_policycap_ioctl_skip_cloexec(void) > +{ > + struct selinux_state *state = &selinux_state; > + > + return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_IOCTL_CLOEXEC]); > +} > + > struct selinux_policy_convert_data; > > struct selinux_load_state { > -- > 2.35.1 -- paul-moore.com
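
Review bot: In the security/selinux/hooks.c hunk, the new FIOCLEX/FIONCLEX case in selinux_file_ioctl() has no comment saying why the permission check may be skipped, so the rationale lives only in the commit message. A short comment above the case noting that these commands are equivalent to fcntl(fd, F_SETFD, flags), which is not checked, would keep a later reader from treating the bypass as an oversight. When selinux_policycap_ioctl_skip_cloexec() returns true the case breaks without assigning error, so the result depends on the initial value of error, which is outside the visible context and worth confirming.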
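
Review bot: In the security/selinux/include/policycap.h hunk, the enum constant POLICYDB_CAPABILITY_IOCTL_CLOEXEC does not match the capability string "ioctl_skip_cloexec" or the helper selinux_policycap_ioctl_skip_cloexec() added elsewhere in this patch, while the neighbouring entries mirror their strings (POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS and "genfs_seclabel_symlinks"). Consider POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC so the constant states that the check is skipped rather than added. The entry is appended directly before __POLICYDB_CAPABILITY_MAX, so its numeric value is fixed by position, which is the value the question above asks the userspace maintainers to confirm.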
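
Review bot: In the security/selinux/include/policycap_names.h hunk, the new last entry "ioctl_skip_cloexec" is added without a trailing comma, so the next capability will again have to modify this line, just as this hunk had to rewrite "genfs_seclabel_symlinks". Ending the entry with a comma would keep future additions to a one-line diff.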
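
The equivalence the commit message relies on, and the leak it warns about when a FIOCLEX result is ignored, shown as an added userspace example that is not part of the original thread or of the kernel patch. The helper names `cloexec_is_set`, `set_cloexec_checked` and `demo_equivalence` are hypothetical, and the fallback to fcntl() is one possible caller-side mitigation, not something the patch prescribes.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error. */
static int cloexec_is_set(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/*
 * Hypothetical helper: set close-on-exec without ignoring a failure.
 * If the ioctl is refused, retry through fcntl(F_SETFD), then read the
 * flag back. Returns 0 only when FD_CLOEXEC is verifiably set.
 */
static int set_cloexec_checked(int fd)
{
    if (ioctl(fd, FIOCLEX) != 0) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) != 0)
            return -1;
    }
    return cloexec_is_set(fd) == 1 ? 0 : -1;
}

/* Drives one pipe through both interfaces; 0 if they agree throughout. */
static int demo_equivalence(void)
{
    int p[2], ok;
    if (pipe(p) != 0)
        return -1;
    ok = cloexec_is_set(p[0]) == 0;   /* pipe() fds start with the flag clear */
    ok &= ioctl(p[0], FIOCLEX) == 0 && cloexec_is_set(p[0]) == 1;
    ok &= ioctl(p[0], FIONCLEX) == 0 && cloexec_is_set(p[0]) == 0;
    ok &= fcntl(p[0], F_SETFD, FD_CLOEXEC) == 0 && cloexec_is_set(p[0]) == 1;
    ok &= ioctl(p[0], FIONCLEX) == 0 && cloexec_is_set(p[0]) == 0;
    ok &= set_cloexec_checked(p[1]) == 0;
    close(p[0]);
    close(p[1]);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("FIOCLEX vs F_SETFD: %s\n", demo_equivalence() == 0 ? "agree" : "differ");
    return 0;
}
```

A caller that discards the return value of `ioctl(fd, FIOCLEX)` has no way to notice a denial, and the descriptor then survives the next exec, which is the leak the commit message describes.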