From: Paul Moore <pmoore@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH 2/2] tun: fix LSM/SELinux labeling of tun/tap devices
Date: Wed, 05 Dec 2012 11:00:32 -0500 [thread overview]
Message-ID: <11388792.PYQok62vJo@sifl> (raw)
In-Reply-To: <2433879.zRVUYBGg1f@jason-thinkpad-t430s>
On Wednesday, December 05, 2012 10:01:31 PM Jason Wang wrote:
> On Wednesday, December 05, 2012 01:44:55 PM Michael S. Tsirkin wrote:
> > On Wed, Dec 05, 2012 at 02:19:22PM +0800, Jason Wang wrote:
> > > On 12/05/2012 02:17 AM, Paul Moore wrote:
> > > > On Tuesday, December 04, 2012 07:36:26 PM Michael S. Tsirkin wrote:
> > > >> On Tue, Dec 04, 2012 at 11:18:57AM -0500, Paul Moore wrote:
> > > >>> Okay, based on your explanation of TUNSETQUEUE, the steps below are
> > > >>> what I
> > > >>> believe we need to do ... if you disagree speak up quickly please.
> > > >>>
> > > >>> A. TUNSETIFF (new, non-persistent device)
> > > >>>
> > > >>> [Allocate and initialize the tun_struct LSM state based on the
> > > >>> calling
> > > >>> process, use this state to label the TUN socket.]
> > > >>>
> > > >>> 1. Call security_tun_dev_create() which authorizes the action.
> > > >>> 2. Call security_tun_dev_alloc_security() which allocates the
> > > >>> tun_struct
> > > >>> LSM blob and SELinux sets some internal blob state to record the
> > > >>> label
> > > >>> of
> > > >>> the calling process.
> > > >>> 3. Call security_tun_dev_attach() which sets the label of the TUN
> > > >>> socket
> > > >>> to match the label stored in the tun_struct LSM blob during A2. No
> > > >>> authorization is done at this point since the socket is
> > > >>> new/unlabeled.
> > > >>>
> > > >>> B. TUNSETIFF (existing, persistent device)
> > > >>>
> > > >>> [Relabel the existing tun_struct LSM state based on the calling
> > > >>> process,
> > > >>> use this state to label the TUN socket.]
> > > >>>
> > > >>> 1. Attempt to relabel/reset the tun_struct LSM blob from the
> > > >>> currently
> > > >>> stored value, set during A2, to the label of the current calling
> > > >>> process.
> > > >>> *** THIS IS NOT CURRENTLY DONE IN THE RFC PATCH ***
> > > >>> 2. Call security_tun_dev_attach() which sets the label of the TUN
> > > >>> socket
> > > >>> to match the label stored in the tun_struct LSM blob during B1. No
> > > >>> authorization is done at this point since the socket is
> > > >>> new/unlabeled.
> > > >>>
> > > >>> C. TUNSETQUEUE
> > > >>>
> > > >>> [Use the existing tun_struct LSM state to label the new TUN socket.]
> > > >>>
> > > >>> 1. Call security_tun_dev_attach() which sets the label of the TUN
> > > >>> socket
> > > >>> to match the label stored in the tun_struct LSM blob set during
> > > >>> either
> > > >>> A2
> > > >>> or B1. No authorization is done at this point since the socket is
> > > >>> new/unlabeled.
> > > >>
> > > >> Here's what bothers me. libvirt currently opens tun and passes
> > > >> fd to qemu. What would prevent qemu from attaching fd using
> > > >> TUNSETQUEUE
> > > >> to another device it does not own?
> > > >
> > > > True, assuming all the above is correct and that I'm understanding it
> > > > correctly (Jason?), we should probably add a new SELinux access
> > > > control
> > > > for
> > > > TUNSETQUEUE.
> > >
> > > Yes, we need make sure qemu can call TUNSETQUEUE for the device it does
> > > not own.
> >
> > Meaning can *not* call?
>
> Sorry for not being clear, I mean qemu can call TUNSETQUEUE for the device
> it owns and for the device it does not own, it can't call.
Okay, let me add a access control for TUNSETQUEUE and I'll post an updated
patchset later today.
--
paul moore
security and virtualization @ redhat
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <pmoore@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH 2/2] tun: fix LSM/SELinux labeling of tun/tap devices
Date: Wed, 05 Dec 2012 11:00:32 -0500 [thread overview]
Message-ID: <11388792.PYQok62vJo@sifl> (raw)
In-Reply-To: <2433879.zRVUYBGg1f@jason-thinkpad-t430s>
On Wednesday, December 05, 2012 10:01:31 PM Jason Wang wrote:
> On Wednesday, December 05, 2012 01:44:55 PM Michael S. Tsirkin wrote:
> > On Wed, Dec 05, 2012 at 02:19:22PM +0800, Jason Wang wrote:
> > > On 12/05/2012 02:17 AM, Paul Moore wrote:
> > > > On Tuesday, December 04, 2012 07:36:26 PM Michael S. Tsirkin wrote:
> > > >> On Tue, Dec 04, 2012 at 11:18:57AM -0500, Paul Moore wrote:
> > > >>> Okay, based on your explanation of TUNSETQUEUE, the steps below are
> > > >>> what I
> > > >>> believe we need to do ... if you disagree speak up quickly please.
> > > >>>
> > > >>> A. TUNSETIFF (new, non-persistent device)
> > > >>>
> > > >>> [Allocate and initialize the tun_struct LSM state based on the
> > > >>> calling
> > > >>> process, use this state to label the TUN socket.]
> > > >>>
> > > >>> 1. Call security_tun_dev_create() which authorizes the action.
> > > >>> 2. Call security_tun_dev_alloc_security() which allocates the
> > > >>> tun_struct
> > > >>> LSM blob and SELinux sets some internal blob state to record the
> > > >>> label
> > > >>> of
> > > >>> the calling process.
> > > >>> 3. Call security_tun_dev_attach() which sets the label of the TUN
> > > >>> socket
> > > >>> to match the label stored in the tun_struct LSM blob during A2. No
> > > >>> authorization is done at this point since the socket is
> > > >>> new/unlabeled.
> > > >>>
> > > >>> B. TUNSETIFF (existing, persistent device)
> > > >>>
> > > >>> [Relabel the existing tun_struct LSM state based on the calling
> > > >>> process,
> > > >>> use this state to label the TUN socket.]
> > > >>>
> > > >>> 1. Attempt to relabel/reset the tun_struct LSM blob from the
> > > >>> currently
> > > >>> stored value, set during A2, to the label of the current calling
> > > >>> process.
> > > >>> *** THIS IS NOT CURRENTLY DONE IN THE RFC PATCH ***
> > > >>> 2. Call security_tun_dev_attach() which sets the label of the TUN
> > > >>> socket
> > > >>> to match the label stored in the tun_struct LSM blob during B1. No
> > > >>> authorization is done at this point since the socket is
> > > >>> new/unlabeled.
> > > >>>
> > > >>> C. TUNSETQUEUE
> > > >>>
> > > >>> [Use the existing tun_struct LSM state to label the new TUN socket.]
> > > >>>
> > > >>> 1. Call security_tun_dev_attach() which sets the label of the TUN
> > > >>> socket
> > > >>> to match the label stored in the tun_struct LSM blob set during
> > > >>> either
> > > >>> A2
> > > >>> or B1. No authorization is done at this point since the socket is
> > > >>> new/unlabeled.
> > > >>
> > > >> Here's what bothers me. libvirt currently opens tun and passes
> > > >> fd to qemu. What would prevent qemu from attaching fd using
> > > >> TUNSETQUEUE
> > > >> to another device it does not own?
> > > >
> > > > True, assuming all the above is correct and that I'm understanding it
> > > > correctly (Jason?), we should probably add a new SELinux access
> > > > control
> > > > for
> > > > TUNSETQUEUE.
> > >
> > > Yes, we need make sure qemu can call TUNSETQUEUE for the device it does
> > > not own.
> >
> > Meaning can *not* call?
>
> Sorry for not being clear, I mean qemu can call TUNSETQUEUE for the device
> it owns and for the device it does not own, it can't call.
Okay, let me add a access control for TUNSETQUEUE and I'll post an updated
patchset later today.
--
paul moore
security and virtualization @ redhat
next prev parent reply other threads:[~2012-12-05 16:04 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-29 22:06 [RFC PATCH 0/2] Fix some multiqueue TUN problems Paul Moore
2012-11-29 22:06 ` Paul Moore
2012-11-29 22:06 ` [RFC PATCH 1/2] tun: correctly report an error in tun_flow_init() Paul Moore
2012-11-29 22:06 ` Paul Moore
2012-12-05 16:02 ` Paul Moore
2012-12-05 16:02 ` Paul Moore
2012-12-06 3:35 ` Jason Wang
2012-11-29 22:06 ` [RFC PATCH 2/2] tun: fix LSM/SELinux labeling of tun/tap devices Paul Moore
2012-11-29 22:06 ` Paul Moore
2012-12-03 10:15 ` Jason Wang
2012-12-03 16:22 ` Paul Moore
2012-12-03 16:22 ` Paul Moore
2012-12-04 13:24 ` Jason Wang
2012-12-04 15:24 ` Michael S. Tsirkin
2012-12-05 6:17 ` Jason Wang
2012-12-05 11:43 ` Michael S. Tsirkin
2012-12-05 13:45 ` Jason Wang
2012-12-04 16:18 ` Paul Moore
2012-12-04 16:18 ` Paul Moore
2012-12-04 17:36 ` Michael S. Tsirkin
2012-12-04 18:17 ` Paul Moore
2012-12-04 18:17 ` Paul Moore
2012-12-05 6:19 ` Jason Wang
2012-12-05 11:44 ` Michael S. Tsirkin
2012-12-05 14:01 ` Jason Wang
2012-12-05 16:00 ` Paul Moore [this message]
2012-12-05 16:00 ` Paul Moore
2012-12-05 5:44 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=11388792.PYQok62vJo@sifl \
--to=pmoore@redhat.com \
--cc=jasowang@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.