Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp3397642rdg; Tue, 17 Oct 2023 13:29:12 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHnAfh2Wu2g1KSzY4nJnsRf6dd9sP3pS+lAuv46UH2RqKNrWNezmXePxdtNpdMyoyCTiUA+ X-Received: by 2002:a17:90a:de16:b0:27c:fbfa:e2d with SMTP id m22-20020a17090ade1600b0027cfbfa0e2dmr3298760pjv.45.1697574552183; Tue, 17 Oct 2023 13:29:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697574552; cv=none; d=google.com; s=arc-20160816; b=G8jiQmz9E43mvZ8aKsTcMRI85DLjIQ5+RP6oh5mEMJ+cPhOeTqG72us08qKR4DsX5n gfpU7u5YmMsGr0eqLLp521zaBkgpN9sD7vJsGwuILgqhcu27ZqeS/5e6t8Rxu2g8K7se +jnlq3moJtkfPcrXrOxAmSiqMyFIa8rvHIVAPRYYuWNb9ZOkBdrGTCLMVq2luQUJoXwm Cpn84CE43yKMCHvYQFdE+6B4AJ36MEyckSvb/jsKpEf6wEI+B6MWpIwoXK7EbOxYEipI xS4QP5iNOl4lmshffh1IT8+Kqxg8uE54Fx7a2Bd31u4rNe3T2Olq207p25jFdkqmjJhC k8qA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=roSMLNHP+gwwhTlf1XgKo9nsppqOzmaJeO33fNjYZrs=; fh=pudsf+qNLqbB7SSmaR9v/6tx0l8FMgDTPXd8BF60lhk=; b=ixYVH/BL90pwQX5eMELruEHj7wGKRh5lKtRmfJwvRUHFX5/33SpseedpxmNzvK1Mq7 YkYFqDOeRbRAorVu5yeaBTr3tvzIBNqTGFtTf1wdT9/I0/sO1r03LBqzSzHpa9ZKyq20 ZbmC9YmeXqRyP3HEVaVbF8QSz5NIgEA1L3mblx9+g/a6XXEJ8x2caMFS9FgNKz4cO2Iu 17aEktW/YtOKEDfUDfvGWhOX0SOFuu6shXhOiwye18dC5IhSr9OX01UypA6JMVARIscp j+DP0C3schq4MC+ibLOqp84dk+m5JOMvl1myjjpZQ0QV95jhfWXcjTLmfEI7ThtK2AwQ l02A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=LHg3lNh1; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id pg18-20020a17090b1e1200b0026b4d5844ccsi2523430pjb.27.2023.10.17.13.29.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Oct 2023 13:29:12 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=LHg3lNh1; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 08DEB801B8A9; Tue, 17 Oct 2023 13:29:09 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234833AbjJQU3J (ORCPT + 22 others); Tue, 17 Oct 2023 16:29:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231149AbjJQU3I (ORCPT ); Tue, 17 Oct 2023 16:29:08 -0400 Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DEFC1C6 for ; Tue, 17 Oct 2023 13:29:04 -0700 (PDT) Received: by mail-yb1-xb32.google.com with SMTP id 3f1490d57ef6-d9a518d66a1so7169579276.0 for ; Tue, 17 Oct 2023 13:29:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1697574544; x=1698179344; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=roSMLNHP+gwwhTlf1XgKo9nsppqOzmaJeO33fNjYZrs=; b=LHg3lNh1F51W5OV4SYB2lmGKVQKH7e+yhqd/eB9+xSKwyYepok7895AZFBYT5gd2KR cYvnyXxqg2/ijVsrer42IH5dXydBpht9bMds0n0o6fset6C9jRAa1PBMoPBUf80SIlMO /MWI/cnOvo+pyTQIpY4X5Ov49Ab+fUgaagiXVSBf8K5Q8aE+TigiODo0sRT4TtiyW8he KMddW5Rs2JEOXK2+jMnt0hXGRrlLr/pkERIObqkF97fdyC7EyKg7u1WwSDQtweIrMF2j iasmne18dl3/qdwS0HOfR9/rVl1TSGkdj6U4toXWCEdSajyjzki7Cbl44iu8I9gEiVwE nLKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697574544; x=1698179344; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=roSMLNHP+gwwhTlf1XgKo9nsppqOzmaJeO33fNjYZrs=; b=WGBn4+Le+kw1HYq1GtWcBMOFwWzesEGoczbwyTuBj82L1f0gRD3q6TitRQXGx4RphD Brync3qNc7f2xSIZksyg1I1aFtsMDYAAt0BHQbYY/4kitrTfy6QfXzvJKmvYQiuRM46V dXHW/UC+dIjQBf03CF0o9416EXMXmftRMoOKFCCJqqCp9JzdeJJ3K1Wf00aYJUwU7LUe 4BKayoPqPDtTzMtsz4wUZGsB5NNgncYlLjToGK2IUqL7kLc0QeYSnnMYjlPnitZ4nILt mZ/EixxvrssvttLMTgwiLPRLZEIURQS7v1DQawzNHxHGGNURdl5O82jDIf1QQmi6ZxFP Mh5w== X-Gm-Message-State: AOJu0YzEviH3IaGUVxBwM8QHGGqZzBNSs9R3EoRONtfDQNLupbwRAnd3 HuL9OYCfe1YfYBerHQAoBg3Ruzce6WKKKpfEmu53 X-Received: by 2002:a25:b120:0:b0:d9a:ca1f:4c0 with SMTP id g32-20020a25b120000000b00d9aca1f04c0mr3519306ybj.43.1697574543993; Tue, 17 Oct 2023 13:29:03 -0700 (PDT) MIME-Version: 1.0 References: <20231016220835.GH800259@ZenIV> In-Reply-To: <20231016220835.GH800259@ZenIV> From: Paul Moore Date: Tue, 17 Oct 2023 16:28:53 -0400 Message-ID: Subject: Re: [PATCH][RFC] selinuxfs: saner handling of policy reloads To: Al Viro Cc: selinux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Linus Torvalds , Christian Brauner , selinux-refpolicy@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Tue, 17 Oct 2023 13:29:09 -0700 (PDT) On Mon, Oct 16, 2023 at 6:08=E2=80=AFPM Al Viro w= rote: > > [ > That thing sits in viro/vfs.git#work.selinuxfs; I have > lock_rename()-related followups in another branch, so a pull would be mor= e > convenient for me than cherry-pick. NOTE: testing and comments would > be very welcome - as it is, the patch is pretty much untested beyond > "it builds". > ] > > On policy reload selinuxfs replaces two subdirectories (/booleans > and /class) with new variants. Unfortunately, that's done with > serious abuses of directory locking. > > 1) lock_rename() should be done to parents, not to objects being > exchanged > > 2) there's a bunch of reasons why it should not be done for directories > that do not have a common ancestor; most of those do not apply to > selinuxfs, but even in the best case the proof is subtle and brittle. > > 3) failure halfway through the creation of /class will leak > names and values arrays. > > 4) use of d_genocide() is also rather brittle; it's probably not much of > a bug per se, but e.g. an overmount of /sys/fs/selinuxfs/classes/shm/inde= x > with any regular file will end up with leaked mount on policy reload. > Sure, don't do it, but... > > Let's stop messing with disconnected directories; just create > a temporary (/.swapover) with no permissions for anyone (on the > level of ->permission() returing -EPERM, no matter who's calling > it) and build the new /booleans and /class in there; then > lock_rename on root and that temporary directory and d_exchange() > old and new both for class and booleans. Then unlock and use > simple_recursive_removal() to take the temporary out; it's much > more robust. > > And instead of bothering with separate pathways for freeing > new (on failure halfway through) and old (on success) names/values, > do all freeing in one place. With temporaries swapped with the > old ones when we are past all possible failures. > > The only user-visible difference is that /.swapover shows up > (but isn't possible to open, look up into, etc.) for the > duration of policy reload. Thanks Al. Giving this a very quick look, I like the code simplifications that come out of this change and I'll trust you on the idea that this approach is better from a VFS perspective. While the reject_all() permission hammer is good, I do want to make sure we are covered from a file labeling perspective; even though the DAC/reject_all() check hits first and avoids the LSM inode permission hook, we still want to make sure the files are labeled properly. It looks like given the current SELinux Reference Policy this shouldn't be a problem, it will be labeled like most everything else in selinuxfs via genfscon (SELinux policy construct). I expect those with custom SELinux policies will have something similar in place with a sane default that would cover the /sys/fs/selinux/.swapover directory but I did add the selinux-refpol list to the CC line just in case I'm being dumb and forgetting something important with respect to policy. The next step is to actually boot up a kernel with this patch and make sure it doesn't break anything. Simply booting up a SELinux system and running 'load_policy' a handful of times should exercise the policy (re)load path, and if you want a (relatively) simple SELinux test suite you can find one here: * https://github.com/SELinuxProject/selinux-testsuite The README.md should have the instructions necessary to get it running. If you can't do that, and no one else on the mailing list is able to test this out, I'll give it a go but expect it to take a while as I'm currently swamped with reviews and other stuff. --=20 paul-moore.com