From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A29EC43460 for ; Fri, 23 Apr 2021 15:20:15 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id E752461467 for ; Fri, 23 Apr 2021 15:20:14 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E752461467 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 317206B006E; Fri, 23 Apr 2021 11:20:14 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 2C7466B0071; Fri, 23 Apr 2021 11:20:14 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 141196B0072; Fri, 23 Apr 2021 11:20:14 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0243.hostedemail.com [216.40.44.243]) by kanga.kvack.org (Postfix) with ESMTP id EC2A46B006E for ; Fri, 23 Apr 2021 11:20:13 -0400 (EDT) Received: from smtpin04.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id A73678249980 for ; Fri, 23 Apr 2021 15:20:13 +0000 (UTC) X-FDA: 78063992706.04.41A6F9C Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53]) by imf01.hostedemail.com (Postfix) with ESMTP id B4C795001536 for ; Fri, 23 Apr 2021 15:20:09 +0000 (UTC) Received: by mail-lf1-f53.google.com with SMTP id j4so38594806lfp.0 for ; Fri, 23 Apr 2021 08:20:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=maceZlLfg4OAEQcp6cVbWohUhmFE6QpxzS6f5WTPWNE=; b=OHGakvkYEeEUMLkV2JOjAHwfxeEKV8RVr/JFfpH8TAPbOGL8o3S6gyxzmxLFCjnlpB XbnBsHxaUt/pbcO+LyiUjNu8jM9F82dlSX9fs+9hdPdogsDcbtMIKvy4vOBB9APADkjF zoQc2iJgmW47O2p8z+bZf0ORKBVEI6lyENaeBflViJ1dke3s2kPWQgPI8WfJoAp8yo8T uMxqK4DXlbfmCYkMVurCp8rECkN3XBRA45BLufDNLpI6tD934hU4ZHqWivC6CfprqLYa DkRar6zHg0dGzj4OKBsQPH6OuY4hRDxnoMSxuZ4LWGaIrj4ykqUY7MW1X3o9Tne4K4Lg IZkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=maceZlLfg4OAEQcp6cVbWohUhmFE6QpxzS6f5WTPWNE=; b=gp1lPZMaa2qDw5zBMgM1jaswMqnIHf7aYq8yENEOU3kS1IuHa0X4I0hLkCLAWpciHm W5jecm7cetrzOwBvo+1CQE0T9uk2lg1QyPcOiXw/KrdPnVz7I8wcQ9PyCjBP2oDFqkI3 QbD1FSLeunMZ9UTNvxNSnjolLkXcFU0l+aY+iWoAHDYP+nzIfhm0oVp4PkQEFLUvnl21 2YKQ2upUwdEuY3ZnFq+H16vIepjjUfZ3ywf3o5PmmUOrD1gP8KvFG1CpEPcXLtVEEKHv wpvZdy71KeMdSHaPtufMI1trAJlsHpJ/ZeTRB5Y8tlB/jayFYPtnmVkGijiGgcvOkuM6 saJg== X-Gm-Message-State: AOAM531ZL4p5seJ/krUkZIKdUjSkWJSaTh5OXgaYHzLwUsWJuIlqSyJM ZvqL9odr+HiqZkZmGkCaXyD6c4+snfovONVZU28= X-Google-Smtp-Source: ABdhPJymNiLGny8U9D5UNjpeWMnCcuik4NYuRh6tEKCqqRaRS8+QclLMBJngwiKLOSGEbuRPukUtW5+yEMWAIipsIAU= X-Received: by 2002:a05:6512:6ca:: with SMTP id u10mr3131852lff.560.1619191211832; Fri, 23 Apr 2021 08:20:11 -0700 (PDT) MIME-Version: 1.0 References: <20210421171446.785507-1-omosnace@redhat.com> <20210421171446.785507-3-omosnace@redhat.com> In-Reply-To: From: Stephen Smalley Date: Fri, 23 Apr 2021 11:20:00 -0400 Message-ID: Subject: Re: [RFC PATCH 2/2] selinux: add capability to map anon inode types to separate classes To: Ondrej Mosnacek Cc: SElinux list , Paul Moore , LSM List , "open list:MEMORY MANAGEMENT" , Linux FS Devel , linux-kernel , Lokesh Gidra Content-Type: text/plain; charset="UTF-8" X-Rspamd-Server: rspam01 X-Rspamd-Queue-Id: B4C795001536 X-Stat-Signature: 9xieca53uq8k5g7f9jn1xm8iych8xebb Received-SPF: none (gmail.com>: No applicable sender policy available) receiver=imf01; identity=mailfrom; envelope-from=""; helo=mail-lf1-f53.google.com; client-ip=209.85.167.53 X-HE-DKIM-Result: pass/pass X-HE-Tag: 1619191209-326968 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Apr 23, 2021 at 10:22 AM Stephen Smalley wrote: > > On Fri, Apr 23, 2021 at 9:41 AM Ondrej Mosnacek wrote: > > > > On Thu, Apr 22, 2021 at 3:21 PM Stephen Smalley > > wrote: > > > On Wed, Apr 21, 2021 at 1:14 PM Ondrej Mosnacek wrote: > > > > > > > > Unfortunately, the approach chosen in commit 29cd6591ab6f ("selinux: > > > > teach SELinux about anonymous inodes") to use a single class for all > > > > anon inodes and let the policy distinguish between them using named > > > > transitions turned out to have a rather unfortunate drawback. > > > > > > > > For example, suppose we have two types of anon inodes, "A" and "B", and > > > > we want to allow a set of domains (represented by an attribute "attr_x") > > > > certain set of permissions on anon inodes of type "A" that were created > > > > by the same domain, but at the same time disallow this set to access > > > > anon inodes of type "B" entirely. Since all inodes share the same class > > > > and we want to distinguish both the inode types and the domains that > > > > created them, we have no choice than to create separate types for the > > > > cartesian product of (domains that belong to attr_x) x ("A", "B") and > > > > add all the necessary allow and transition rules for each domain > > > > individually. > > > > > > > > This makes it very impractical to write sane policies for anon inodes in > > > > the future, as more anon inode types are added. Therefore, this patch > > > > implements an alternative approach that assigns a separate class to each > > > > type of anon inode. This allows the example above to be implemented > > > > without any transition rules and with just a single allow rule: > > > > > > > > allow attr_x self:A { ... }; > > > > > > > > In order to not break possible existing users of the already merged > > > > original approach, this patch also adds a new policy capability > > > > "extended_anon_inode_class" that needs to be set by the policy to enable > > > > the new behavior. > > > > > > > > I decided to keep the named transition mechanism in the new variant, > > > > since there might eventually be some extra information in the anon inode > > > > name that could be used in transitions. > > > > > > > > One minor annoyance is that the kernel still expects the policy to > > > > provide both classes (anon_inode and userfaultfd) regardless of the > > > > capability setting and if one of them is not defined in the policy, the > > > > kernel will print a warning when loading the policy. However, it doesn't > > > > seem worth to work around that in the kernel, as the policy can provide > > > > just the definition of the unused class(es) (and permissions) to avoid > > > > this warning. Keeping the legacy anon_inode class with some fallback > > > > rules may also be desirable to keep the policy compatible with kernels > > > > that only support anon_inode. > > > > > > > > Signed-off-by: Ondrej Mosnacek > > > > > > NAK. We do not want to introduce a new security class for every user > > > of anon inodes - that isn't what security classes are for. > > > For things like kvm device inodes, those should ultimately use the > > > inherited context from the related inode (the /dev/kvm inode itself). > > > That was the original intent of supporting the related inode. > > > > Hmm, so are you implying that anon inodes should be thought of the > > same as control /dev nodes? I.e. that even though there may be many > > one-time actual inodes created by different processes, they should be > > thought of as a single "static interface" to the respective kernel > > functionality? That would justify having a common type/label for all > > of them, but I'm not sure if it doesn't open some gap due to the > > possibility to pass the associated file descriptors between processes > > (as AFAIK, these can hold some context)... > > That was the original design (and the original patchset that we posted > in parallel with Google's independently developed one). We even had > example policy/controls for /dev/kvm ioctls. > Imagine trying to write policy over /dev/kvm ioctls where you have to > deal with N different classes and/or types and remember which ioctl > commands are exercised on which class or type even though from the > users' perspective they all occurred through the /dev/kvm interface. > It seemed super fragile and difficult to maintain/analyze that way. > Versus writing a single allow rule for all /dev/kvm ioctls. > > I guess we could discuss the alternatives but please have a look at > those original patches and examples. If we go down this road, we need > some way to deal with scaling because we only have a limited number of > discrete classes available to us and potentially unbounded set of > distinct anon inode users (although hopefully in practice only a few > that we care about distinguishing). Actually, on second thought, we shouldn't be in any danger of running out of classes so nevermind on that point. > > > I thought this was supposed to resemble more the way BPF, perf_event, > > etc. support was implemented - the BPF and perf_event fds are also > > anon inodes under the hood, BTW - where each file descriptor is > > considered a separate object that inherits the label of its creator > > and there is some class separation (e.g. bpf vs. perf_event).