X-Mailing-List: linux-nfs@vger.kernel.org
References: <20240503130905.16823-1-stephen.smalley.work@gmail.com> <171497439414.9775.6998904788791406674@noble.neil.brown.name>
From: Stephen Smalley
Date: Wed, 22 May 2024 13:29:28 -0400
Subject: Re: [PATCH v3] nfsd: set security label during create operations
To: NeilBrown
Cc: selinux@vger.kernel.org, linux-nfs@vger.kernel.org, chuck.lever@oracle.com, jlayton@kernel.org, paul@paul-moore.com, omosnace@redhat.com,
linux-security-module@vger.kernel.org

On Thu, May 16, 2024 at 1:29 PM Stephen Smalley wrote:
>
> On Wed, May 15, 2024 at 10:52 AM Stephen Smalley
> wrote:
> >
> > On Mon, May 6, 2024 at 1:46 AM NeilBrown wrote:
> > >
> > > On Fri, 03 May 2024, Stephen Smalley wrote:
> > > > When security labeling is enabled, the client can pass a file security
> > > > label as part of a create operation for the new file, similar to mode
> > > > and other attributes. At present, the security label is received by nfsd
> > > > and passed down to nfsd_create_setattr(), but nfsd_setattr() is never
> > > > called and therefore the label is never set on the new file. This bug
> > > > may have been introduced on or around commit d6a97d3f589a ("NFSD:
> > > > add security label to struct nfsd_attrs"). Looking at nfsd_setattr()
> > > > I am uncertain as to whether the same issue presents for
> > > > file ACLs and therefore requires a similar fix for those.
> > > >
> > > > An alternative approach would be to introduce a new LSM hook to set the
> > > > "create SID" of the current task prior to the actual file creation, which
> > > > would atomically label the new inode at creation time. This would be better
> > > > for SELinux and a similar approach has been used previously
> > > > (see security_dentry_create_files_as) but perhaps not usable by other LSMs.
> > > >
> > > > Reproducer:
> > > > 1. Install a Linux distro with SELinux - Fedora is easiest
> > > > 2. git clone https://github.com/SELinuxProject/selinux-testsuite
> > > > 3. Install the requisite dependencies per selinux-testsuite/README.md
> > > > 4. Run something like the following script:
> > > > MOUNT=$HOME/selinux-testsuite
> > > > sudo systemctl start nfs-server
> > > > sudo exportfs -o rw,no_root_squash,security_label localhost:$MOUNT
> > > > sudo mkdir -p /mnt/selinux-testsuite
> > > > sudo mount -t nfs -o vers=4.2 localhost:$MOUNT /mnt/selinux-testsuite
> > > > pushd /mnt/selinux-testsuite/
> > > > sudo make -C policy load
> > > > pushd tests/filesystem
> > > > sudo runcon -t test_filesystem_t ./create_file -f trans_test_file \
> > > > -e test_filesystem_filetranscon_t -v
> > > > sudo rm -f trans_test_file
> > > > popd
> > > > sudo make -C policy unload
> > > > popd
> > > > sudo umount /mnt/selinux-testsuite
> > > > sudo exportfs -u localhost:$MOUNT
> > > > sudo rmdir /mnt/selinux-testsuite
> > > > sudo systemctl stop nfs-server
> > > >
> > > > Expected output:
> > > >
> > > > Process context:
> > > > unconfined_u:unconfined_r:test_filesystem_t:s0-s0:c0.c1023
> > > > Created file: trans_test_file
> > > > File context: unconfined_u:object_r:test_filesystem_filetranscon_t:s0
> > > > File context is correct
> > > >
> > > > Actual output:
> > > >
> > > > Process context:
> > > > unconfined_u:unconfined_r:test_filesystem_t:s0-s0:c0.c1023
> > > > Created file: trans_test_file
> > > > File context: system_u:object_r:test_file_t:s0
> > > > File context error, expected:
> > > > test_filesystem_filetranscon_t
> > > > got:
> > > > test_file_t
> > > >
> > > > Signed-off-by: Stephen Smalley
> > > > ---
> > > > v3 removes the erroneous and unnecessary change to NFSv2 and updates the
> > > > description to note the possible origin of the bug. I did not add a
> > > > Fixes tag however as I have not yet tried confirming that.
> > >
> > > I think this bug has always been present - since label support was
> > > added.
> > > Commit d6a97d3f589a ("NFSD: add security label to struct nfsd_attrs")
> > > should have fixed it, but was missing the extra test that you provide.
> > >
> > > So
> > > Fixes: 0c71b7ed5de8 ("nfsd: introduce file_cache_mutex")
> > > might be appropriate - it fixes the patch, though not a bug introduced
> > > by the patch.
> > >
> > > Thanks for this patch!
> > > Reviewed-by: NeilBrown
> >
> > FWIW, I finally got around to testing Linux v5.14 and it did pass
> > these NFS tests so this was a regression. I haven't been able to
> > bisect yet.
>
> Seems to have broken sometime between v5.19 and v6.0. Still bisecting.

git bisect ended with:
[d6a97d3f589a3a46a16183e03f3774daee251317] NFSD: add security label to struct nfsd_attrs
as the breaking commit. Bisecting was a little complicated by other
unrelated bugs but I narrowed it to just this particular one.
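For anyone who wants to check a server for this behaviour without the full selinux-testsuite, here is an added example (not code from the thread or from the testsuite) that probes create-time labeling over an NFS mount. It assumes the export and mount from the reproducer above and a policy transition for the probing domain; `check_create_label`, `label_matches` and `context_type` are names introduced here.

```shell
#!/bin/sh
# Added example, not code from this thread or from the selinux-testsuite.
# Checks whether a file created through an NFS mount receives the SELinux
# type that the creating domain's policy transition assigns, i.e. whether
# the create-time labeling discussed in the thread works on a given server.
# Assumes: the export is mounted with vers=4.2 and exported with
# security_label (as in the reproducer), and the policy has a transition
# from DOMAIN to EXPECTED_TYPE for files in DIR (name-based, if NAME given).

# Type field of a SELinux context string (user:role:type:range).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if PATH carries EXPECTED_TYPE, 1 if it carries another type,
# 2 if no context can be read (missing file or no SELinux support).
label_matches() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 2
    [ "$ctx" != "?" ] || return 2
    [ "$(context_type "$ctx")" = "$2" ]
}

# check_create_label DIR DOMAIN EXPECTED_TYPE [NAME]
# Creates NAME in DIR while running as DOMAIN and reports whether it got
# EXPECTED_TYPE at creation time. On a mismatch it relabels the file after
# the fact: if that also fails, labeling is not usable on this mount at all,
# so the failure is not specific to the create path.
check_create_label() {
    dir=$1 domain=$2 expected=$3 name=${4:-label_probe.$$}
    probe="$dir/$name"
    runcon -t "$domain" sh -c ": > '$probe'" || return 2
    if label_matches "$probe" "$expected"; then
        echo "create-time label OK: $(stat -c %C "$probe")"; rc=0
    else
        echo "create-time label WRONG: $(stat -c %C "$probe"), expected type $expected"; rc=1
        if chcon -t "$expected" "$probe" && label_matches "$probe" "$expected"; then
            echo "post-create relabel works: only the create path is affected"
        else
            echo "post-create relabel also fails: labeling not usable on this mount"
        fi
    fi
    rm -f "$probe"
    return $rc
}

# Usage after the mount steps of the reproducer, e.g.:
# check_create_label /mnt/selinux-testsuite/tests/filesystem \
#     test_filesystem_t test_filesystem_filetranscon_t trans_test_file
```

Run it as root on the NFS client; a WRONG result followed by a working relabel is the symptom the patch in this thread addresses.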