From: Stephen Smalley
Date: Fri, 3 May 2024 08:48:42 -0400
Subject: Re: [PATCH v2] nfsd: set security label during create operations
To: Jeffrey Layton
Cc: selinux@vger.kernel.org, linux-nfs@vger.kernel.org, chuck.lever@oracle.com, neilb@suse.de, paul@paul-moore.com, omosnace@redhat.com, linux-security-module@vger.kernel.org

On Thu, May 2, 2024 at 6:34 PM Jeffrey Layton wrote:
>
> On Thu, 2024-05-02 at 15:58 -0400, Stephen Smalley wrote:
> > When security labeling is enabled, the client can pass a file security
> > label as part of a create operation for the new file, similar to mode
> > and other attributes. At present, the security label is received by nfsd
> > and passed down to nfsd_create_setattr(), but nfsd_setattr() is never
> > called and therefore the label is never set on the new file. I couldn't
> > tell if this has always been broken or broke at some point in time. Looking
> > at nfsd_setattr() I am uncertain as to whether the same issue presents for
> > file ACLs and therefore requires a similar fix for those. I am not overly
> > confident that this is the right solution.
> >
> > An alternative approach would be to introduce a new LSM hook to set the
> > "create SID" of the current task prior to the actual file creation, which
> > would atomically label the new inode at creation time. This would be better
> > for SELinux and a similar approach has been used previously
> > (see security_dentry_create_files_as) but perhaps not usable by other LSMs.
> >
> > Reproducer:
> > 1. Install a Linux distro with SELinux - Fedora is easiest
> > 2. git clone https://github.com/SELinuxProject/selinux-testsuite
> > 3. Install the requisite dependencies per selinux-testsuite/README.md
> > 4. Run something like the following script:
> > MOUNT=$HOME/selinux-testsuite
> > sudo systemctl start nfs-server
> > sudo exportfs -o rw,no_root_squash,security_label localhost:$MOUNT
> > sudo mkdir -p /mnt/selinux-testsuite
> > sudo mount -t nfs -o vers=4.2 localhost:$MOUNT /mnt/selinux-testsuite
> > pushd /mnt/selinux-testsuite/
> > sudo make -C policy load
> > pushd tests/filesystem
> > sudo runcon -t test_filesystem_t ./create_file -f trans_test_file \
> >     -e test_filesystem_filetranscon_t -v
> > sudo rm -f trans_test_file
> > popd
> > sudo make -C policy unload
> > popd
> > sudo umount /mnt/selinux-testsuite
> > sudo exportfs -u localhost:$MOUNT
> > sudo rmdir /mnt/selinux-testsuite
> > sudo systemctl stop nfs-server
> >
> > Expected output:
> >
> > Process context:
> > unconfined_u:unconfined_r:test_filesystem_t:s0-s0:c0.c1023
> > Created file: trans_test_file
> > File context: unconfined_u:object_r:test_filesystem_filetranscon_t:s0
> > File context is correct
> >
> > Actual output:
> >
> > Process context:
> > unconfined_u:unconfined_r:test_filesystem_t:s0-s0:c0.c1023
> > Created file: trans_test_file
> > File context: system_u:object_r:test_file_t:s0
> > File context error, expected:
> > test_filesystem_filetranscon_t
> > got:
> > test_file_t
> >
> > Signed-off-by: Stephen Smalley
> > ---
> > v2 introduces a nfsd_attrs_valid() helper and uses it as suggested by
> > Jeffrey Layton.
> >
> > fs/nfsd/nfsproc.c | 2 +-
> > fs/nfsd/vfs.c | 2 +-
> > fs/nfsd/vfs.h | 8 ++++++++
> > 3 files changed, 10 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c > > index 36370b957b63..3e438159f561 100644 > > --- a/fs/nfsd/nfsproc.c > > +++ b/fs/nfsd/nfsproc.c 
> > @@ -389,7 +389,7 @@ nfsd_proc_create(struct svc_rqst *rqstp) > > * open(..., O_CREAT|O_TRUNC|O_WRONLY). > > */ > > attr->ia_valid &=3D ATTR_SIZE; > > - if (attr->ia_valid) > > + if (nfsd_attrs_valid(attr)) > > resp->status =3D nfsd_setattr(rqstp, newfhp, &att= rs, > > NULL); > > }
> >
>
> This function is for NFSv2, which doesn't support any inode attributes
> that aren't represented in ia_valid. We could leave this as-is, but
> this is fine too.

Sorry, I got over-eager with trying to fix all ia_valid checks. It's
actually wrong so I'll send a 3rd version without it.
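
Review bot: In the nfsd_proc_create() hunk, the new test nfsd_attrs_valid(attr) is handed attr, the pointer dereferenced as attr->ia_valid on the line above, while the nfsd_setattr() call it guards takes &attrs, which is a different object. The helper's definition is not among the quoted lines, so check which of the two it expects; if it takes the attrs wrapper, this call passes the wrong one. The line above has already masked ia_valid down to ATTR_SIZE, and as the reply notes NFSv2 carries no attributes outside ia_valid, so the simplest fix is to drop this hunk and keep "if (attr->ia_valid)".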