Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp656892pxu; Wed, 14 Oct 2020 10:16:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyKehpf4THgV+Vizi02PagZFUBDM1ppBaXqCqmU+44BdtaOObtv5vjO4lH8LgbVvQmIT0V1 X-Received: by 2002:a17:906:38c9:: with SMTP id r9mr39015ejd.9.1602695796948; Wed, 14 Oct 2020 10:16:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602695796; cv=none; d=google.com; s=arc-20160816; b=Em2lkuFPBmRFA8A8cRusqsLjLeecpaZ5ka1qmHDxqjEwoh7b1EyPhXnFvOkrRbzjMK eSu6VmyPSze0XjQTlveFb3vPnChKytGSc3uK0++zwqQwmGnLkqoXZzxMkdQjyYDI7nfn VLG4fKEuCsn6igDBUG6DGim3ArfxwFZnlV+Kwu9LNwjYVLUtTpjW9d4IZCQN15e5tG4G OHclOLIN4fM4RPh32xTkmlvc2y8vyYtiIjn7b8XihaWso5iSGvv51bytGKCllYvaFS9w GY+yBy5te6eZQn7Cyctx4EDU2pvTyBeFHUy9YJsgSis64qQH7S+ESrZhm7BiYKy3MQeh rYnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=WWQUs1iKiL0g+WuQeTob+uddOusmv5uTWIOTWJtZDHc=; b=gOxaTKUnwOpyMuXS31zCM6F8kdttE0ufBp1h0Et583eeSfHa+KrmjHwAlshRYbdW0J N4Ct2tVy4ebAt49rXhxkWaKIEGxpkjpmCb/HSDgKiqdl4I5kf+htYzkMs/SKYFFcOYQ1 K9r7YDtGAO7o15vDUNr5oWR5Ta7XWk5jNXh+ws73wwW2j2u0I1M7/Gq8V+EDGeAu0+L2 t8GKjolBL/d5uLz3cpnjuhp5PZSDnLcRVEKqVGwtIdcDjYtA+Id4JxIpIkt008MGVjmP QiQP8kb7beSnwkQGVFmBGEMMJJGq+j/Ts2iLikE8lEIrJHirM6MefEkTMSMOs4FRZxe7 QiDQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umich.edu header.s=google-2016-06-03 header.b=k5J+g+Kw; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umich.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h17si201952ejf.88.2020.10.14.10.16.02; Wed, 14 Oct 2020 10:16:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@umich.edu header.s=google-2016-06-03 header.b=k5J+g+Kw; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umich.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728368AbgJNOhj (ORCPT + 99 others); Wed, 14 Oct 2020 10:37:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60976 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727875AbgJNOhi (ORCPT ); Wed, 14 Oct 2020 10:37:38 -0400 Received: from mail-ej1-x643.google.com (mail-ej1-x643.google.com [IPv6:2a00:1450:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 47628C061755; Wed, 14 Oct 2020 07:37:38 -0700 (PDT) Received: by mail-ej1-x643.google.com with SMTP id c22so5237781ejx.0; Wed, 14 Oct 2020 07:37:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WWQUs1iKiL0g+WuQeTob+uddOusmv5uTWIOTWJtZDHc=; b=k5J+g+KwT03/K1PomluP39o+tUilGk44BG0xTfzs3jHO+5lgUDz0elaz/0WlzMo8zj mV6lcGRRId/5lG9mh8l96zURAVT0xrwHoVUZuPBJO5Tj444U5jdMjNyB1kQOAcKB8mDU LImFQkhUAY1UGdUk3wTCLB1TV5jaatZt7juMqkpxoYxOHmoV05KjFAO3UX8bM1A89Um8 TxAihmKrq/dgMZIrDUNzjEds4F7vxM9rkwe5sUxcVz46PhknsluYMrh1CDM8sdEm3v79 lXi7FokpNEVBzriVI+Jok17g3Xn59D0hi3j3EIJsFSfTevGizGOV2t8Y1rLiiqTZEyN6 HqmQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WWQUs1iKiL0g+WuQeTob+uddOusmv5uTWIOTWJtZDHc=; b=o5/tL5kr+MGpSFeY9FUgo67nyc9QW8NZ9U972ToyN8f1CH8yuuxoSy7O05OQ5g5usw S6BgvRNO22XSOCyFNGBCkpTFgekqGGxSq8sEB9GNAmFHGrW7gMWgKuVZMVG818Jx4G47 FK75FLVwlb6XtEP+/6IYtANVGACZ6qOPgRJhgxySzYS6ZHT3iDQx/dnbkwR5ziDjRzsP 4OLjfqniUWt4xmPi+EZ2RogmtJ/huIjPRTFLC//0C7mFWTuF/4u+mvozpapAMLhbY++O jsb1XH8hZx+MpCbeWiBDRMhBtHYFuvnjSixR8PWFkm3hw4xDZl943NHX8Ac3kZGyUEIZ ZAEA== X-Gm-Message-State: AOAM530XzwMVI5bpGPOmAKXpdh8sgbka/UdDVRbIgSiFIgo3tUZDYii1 rN5oozl2mL0nhgt8LEBz//nIVzPU/dmrAqComUw= X-Received: by 2002:a17:906:7013:: with SMTP id n19mr5582979ejj.388.1602686256864; Wed, 14 Oct 2020 07:37:36 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Olga Kornievskaia Date: Wed, 14 Oct 2020 10:37:26 -0400 Message-ID: Subject: Re: selinux: how to query if selinux is enabled To: Stephen Smalley Cc: Chuck Lever , Paul Moore , Linux Security Module list , SElinux list , Linux NFS Mailing List Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Tue, Oct 13, 2020 at 7:51 PM Stephen Smalley wrote: > > On Fri, Oct 9, 2020 at 12:36 PM Olga Kornievskaia wrote: > > > > On Fri, Oct 9, 2020 at 10:08 AM Chuck Lever wrote: > > > > > > > > > > > > > On Oct 9, 2020, at 7:49 AM, Olga Kornievskaia wrote: > > > > > > > > On Thu, Oct 8, 2020 at 9:03 PM Paul Moore wrote: > > > >> > > > >> ->On Thu, Oct 8, 2020 at 9:50 AM Olga Kornievskaia wrote: > > > >>> On Wed, Oct 7, 2020 at 9:07 PM Paul Moore wrote: > > > >>>> On Wed, Oct 7, 2020 at 8:41 PM Olga Kornievskaia wrote: > > > >>>>> Hi folks, > > > >>>>> > > > >>>>> From some linux kernel module, is it possible to query and find out > > > >>>>> whether or not selinux is currently enabled or not? > > > >>>>> > > > >>>>> Thank you. > > > >>>> > > > >>>> [NOTE: CC'ing the SELinux list as it's probably a bit more relevant > > > >>>> that the LSM list] > > > >>>> > > > >>>> In general most parts of the kernel shouldn't need to worry about what > > > >>>> LSMs are active and/or enabled; the simply interact with the LSM(s) > > > >>>> via the interfaces defined in include/linux/security.h (there are some > > > >>>> helpful comments in include/linux/lsm_hooks.h). Can you elaborate a > > > >>>> bit more on what you are trying to accomplish? > > > >>> > > > >>> Hi Paul, > > > >>> > > > >>> Thank you for the response. What I'm trying to accomplish is the > > > >>> following. Within a file system (NFS), typically any queries for > > > >>> security labels are triggered by the SElinux (or I guess an LSM in > > > >>> general) (thru the xattr_handler hooks). However, when the VFS is > > > >>> calling to get directory entries NFS will always get the labels > > > >>> (baring server not supporting it). However this is useless and affects > > > >>> performance (ie., this makes servers do extra work and adds to the > > > >>> network traffic) when selinux is disabled. It would be useful if NFS > > > >>> can check if there is anything that requires those labels, if SElinux > > > >>> is enabled or disabled. > > > >> > > > >> [Adding Chuck Lever to the CC line as I believe he has the most recent > > > >> LSM experience from the NFS side - sorry Chuck :)] > > > >> > > > >> I'll need to ask your patience on this as I am far from a NFS expert. > > > >> > > > >> Looking through the NFS readdir/getdents code this evening, I was > > > >> wondering if the solution in the readdir case is to simply tell the > > > >> server you are not interested in the security label by masking out > > > >> FATTR4_WORD2_SECURITY_LABEL in the nfs4_readdir_arg->bitmask in > > > >> _nfs4_proc_readdir()? Of course this assumes that the security label > > > >> genuinely isn't needed in this case (and not requesting it doesn't > > > >> bypass access controls or break something on the server side), and we > > > >> don't screw up some NFS client side cache by *not* fetching the > > > >> security label attribute. > > > >> > > > >> Is this remotely close to workable, or am I missing something fundamental? > > > >> > > > > > > > > No this is not going to work, as NFS requires labels when labels are > > > > indeed needed by the LSM. What I'm looking for is an optimization. > > > > What we have is functionality correct but performance might suffer for > > > > the standard case of NFSv4.2 seclabel enabled server and clients that > > > > don't care about seclabels. > > > > > > Initial thought: We should ask linux-nfs for help with this. > > > I've added them to the Cc: list. > > > > > > Olga, are you asking if the kernel NFS client module can somehow find > > > out whether the rest of the kernel is configured to care about security > > > labels before it forms an NFSv4 READDIR or LOOKUP request? > > > > Yes exactly, but I'm having a hard time trying to figure out how to > > use security_ismaclabel() function as has been suggested by Casey. > > I would suggest either introducing a new hook for your purpose, or > altering the existing one to support a form of query that isn't based > on a particular xattr name but rather just checking whether the module > supports/uses MAC labels at all. Options: 1) NULL argument to the > existing hook indicates a general query (could hide a bug in the > caller, so not optimal), 2) Add a new bool argument to the existing > hook to indicate whether the name should be used, or 3) Add a new hook > that doesn't take any arguments. Hi Stephen, Yes it seems like current api lacks the needed functionality and what you are suggesting is needed. Thank you for confirming it. > > > > > > I would certainly like to take the security label query out of every > > > LOOKUP operation if that is feasible! > > > > A LOOKUP doesn't add the seclabel query (by default) like READDIR does > > (it's hard-coded in the xdr code). LOOKUP uses server's bitmask and > > chooses the version without the seclabel bitmask because no label is > > passed into it. It looks like LOOKUP just allocates a label in > > nfs_lookup_revalidate_dentry(). So it's not driven by the something > > that I see used by the xattr_handle example in the NFS code.