* Re: [PATCH -v2] SELinux: create new open permission
2008-02-28 17:58 [PATCH -v2] SELinux: create new open permission Eric Paris
@ 2008-02-28 18:30 ` Paul Moore
2008-02-28 18:50 ` Christopher J. PeBenito
` (2 subsequent siblings)
3 siblings, 0 replies; 10+ messages in thread
From: Paul Moore @ 2008-02-28 18:30 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, sds, jmorris
On Thursday 28 February 2008 12:58:40 pm Eric Paris wrote:
> Adds a new open permission inside SELinux when 'opening' a file. The
> idea is that opening a file and reading/writing to that file are not
> the same thing. Its different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open
> /tmp/output. This should allow policy writers to more liberally give
> read/write permissions across the policy while still blocking many
> design and programing flaws SELinux is so good at catching today.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
Much better :)
Reviewed-by: Paul Moore <paul.moore@hp.com>
> ---
> As an example, process1 in httpd_t opened a bunch of files of type
> user_tmp_t. It then called process2 running as ntpd_t which did
> nothing but accept those open fd's and terminate. Notice proc1
> needed open perms and proc2 only needed read and write.
>
> #============= httpd_t ==============
> allow httpd_t tmp_t:dir open;
> allow httpd_t user_tmp_t:blk_file { read write open };
> allow httpd_t user_tmp_t:chr_file { read write open };
> allow httpd_t user_tmp_t:dir { read open };
> allow httpd_t user_tmp_t:fifo_file { read write open };
> allow httpd_t user_tmp_t:file { read write execute entrypoint open };
> allow httpd_t user_tmp_t:lnk_file read;
>
> #============= ntpd_t ==============
> allow ntpd_t user_tmp_t:blk_file { read write };
> allow ntpd_t user_tmp_t:chr_file { read write };
> allow ntpd_t user_tmp_t:dir read;
> allow ntpd_t user_tmp_t:fifo_file { read write };
> allow ntpd_t user_tmp_t:file { read write entrypoint };
>
> security/selinux/hooks.c | 31
> +++++++++++++++++++++++++-
> security/selinux/include/av_perm_to_string.h | 5 ++++
> security/selinux/include/av_permissions.h | 5 ++++
> security/selinux/include/security.h | 2 +
> security/selinux/selinuxfs.c | 3 +-
> security/selinux/ss/services.c | 3 ++
> 6 files changed, 47 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 75c2e99..a4cf5ff 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1599,6 +1599,35 @@ static inline u32 file_mask_to_av(int mode,
> int mask) return av;
> }
>
> +/*
> + * Convert a file mask to an access vector and include the correct
> open + * open permission.
> + */
> +static inline u32 open_file_mask_to_av(int mode, int mask)
> +{
> + u32 av = file_mask_to_av(mode, mask);
> +
> + if (selinux_policycap_openperm) {
> + /*
> + * lnk files and socks do not really have an 'open'
> + */
> + if (S_ISREG(mode))
> + av |= FILE__OPEN;
> + else if (S_ISCHR(mode))
> + av |= CHR_FILE__OPEN;
> + else if (S_ISBLK(mode))
> + av |= BLK_FILE__OPEN;
> + else if (S_ISFIFO(mode))
> + av |= FIFO_FILE__OPEN;
> + else if (S_ISDIR(mode))
> + av |= DIR__OPEN;
> + else
> + printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> + "with unknown mode:%x\n", mode);
> + }
> + return av;
> +}
> +
> /* Convert a Linux file to an access vector. */
> static inline u32 file_to_av(struct file *file)
> {
> @@ -2517,7 +2546,7 @@ static int selinux_inode_permission(struct
> inode *inode, int mask, }
>
> return inode_has_perm(current, inode,
> - file_mask_to_av(inode->i_mode, mask), NULL);
> + open_file_mask_to_av(inode->i_mode, mask), NULL);
> }
>
> static int selinux_inode_setattr(struct dentry *dentry, struct iattr
> *iattr) diff --git a/security/selinux/include/av_perm_to_string.h
> b/security/selinux/include/av_perm_to_string.h index d569669..1223b4f
> 100644
> --- a/security/selinux/include/av_perm_to_string.h
> +++ b/security/selinux/include/av_perm_to_string.h
> @@ -14,12 +14,17 @@
> S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
> S_(SECCLASS_DIR, DIR__SEARCH, "search")
> S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
> + S_(SECCLASS_DIR, DIR__OPEN, "open")
> S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
> S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
> S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
> + S_(SECCLASS_FILE, FILE__OPEN, "open")
> S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS,
> "execute_no_trans") S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT,
> "entrypoint") S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
> + S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
> + S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
> + S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
> S_(SECCLASS_FD, FD__USE, "use")
> S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
> S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
> diff --git a/security/selinux/include/av_permissions.h
> b/security/selinux/include/av_permissions.h index 75b4131..c4c5116
> 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -79,6 +79,7 @@
> #define DIR__REPARENT 0x00080000UL
> #define DIR__SEARCH 0x00100000UL
> #define DIR__RMDIR 0x00200000UL
> +#define DIR__OPEN 0x00400000UL
> #define FILE__IOCTL 0x00000001UL
> #define FILE__READ 0x00000002UL
> #define FILE__WRITE 0x00000004UL
> @@ -99,6 +100,7 @@
> #define FILE__EXECUTE_NO_TRANS 0x00020000UL
> #define FILE__ENTRYPOINT 0x00040000UL
> #define FILE__EXECMOD 0x00080000UL
> +#define FILE__OPEN 0x00100000UL
> #define LNK_FILE__IOCTL 0x00000001UL
> #define LNK_FILE__READ 0x00000002UL
> #define LNK_FILE__WRITE 0x00000004UL
> @@ -136,6 +138,7 @@
> #define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
> #define CHR_FILE__ENTRYPOINT 0x00040000UL
> #define CHR_FILE__EXECMOD 0x00080000UL
> +#define CHR_FILE__OPEN 0x00100000UL
> #define BLK_FILE__IOCTL 0x00000001UL
> #define BLK_FILE__READ 0x00000002UL
> #define BLK_FILE__WRITE 0x00000004UL
> @@ -153,6 +156,7 @@
> #define BLK_FILE__SWAPON 0x00004000UL
> #define BLK_FILE__QUOTAON 0x00008000UL
> #define BLK_FILE__MOUNTON 0x00010000UL
> +#define BLK_FILE__OPEN 0x00020000UL
> #define SOCK_FILE__IOCTL 0x00000001UL
> #define SOCK_FILE__READ 0x00000002UL
> #define SOCK_FILE__WRITE 0x00000004UL
> @@ -187,6 +191,7 @@
> #define FIFO_FILE__SWAPON 0x00004000UL
> #define FIFO_FILE__QUOTAON 0x00008000UL
> #define FIFO_FILE__MOUNTON 0x00010000UL
> +#define FIFO_FILE__OPEN 0x00020000UL
> #define FD__USE 0x00000001UL
> #define SOCKET__IOCTL 0x00000001UL
> #define SOCKET__READ 0x00000002UL
> diff --git a/security/selinux/include/security.h
> b/security/selinux/include/security.h index 837ce42..fa30f53 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -43,11 +43,13 @@ extern int selinux_mls_enabled;
> /* Policy capabilities */
> enum {
> POLICYDB_CAPABILITY_NETPEER,
> + POLICYDB_CAPABILITY_OPENPERM,
> __POLICYDB_CAPABILITY_MAX
> };
> #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
>
> extern int selinux_policycap_netpeer;
> +extern int selinux_policycap_openperm;
>
> int security_load_policy(void * data, size_t len);
>
> diff --git a/security/selinux/selinuxfs.c
> b/security/selinux/selinuxfs.c index 0341567..1d996bb 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -42,7 +42,8 @@
>
> /* Policy capability filenames */
> static char *policycap_names[] = {
> - "network_peer_controls"
> + "network_peer_controls",
> + "open_perms"
> };
>
> unsigned int selinux_checkreqprot =
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; diff --git
> a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index f374186..23a61f1 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -61,6 +61,7 @@ extern void selnl_notify_policyload(u32 seqno);
> unsigned int policydb_loaded_version;
>
> int selinux_policycap_netpeer;
> +int selinux_policycap_openperm;
>
> /*
> * This is declared in avc.c
> @@ -1306,6 +1307,8 @@ static void security_load_policycaps(void)
> {
> selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
> POLICYDB_CAPABILITY_NETPEER);
> + selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
> + POLICYDB_CAPABILITY_OPENPERM);
> }
>
> extern void selinux_complete_init(void);
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH -v2] SELinux: create new open permission
2008-02-28 17:58 [PATCH -v2] SELinux: create new open permission Eric Paris
2008-02-28 18:30 ` Paul Moore
@ 2008-02-28 18:50 ` Christopher J. PeBenito
2008-02-28 19:00 ` Eric Paris
2008-02-28 19:04 ` Stephen Smalley
2008-02-28 20:50 ` Stephen Smalley
2008-02-28 23:05 ` James Morris
3 siblings, 2 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2008-02-28 18:50 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, sds, jmorris, Paul Moore
On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> Adds a new open permission inside SELinux when 'opening' a file. The
> idea is that opening a file and reading/writing to that file are not the
> same thing. Its different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open /tmp/output.
> This should allow policy writers to more liberally give read/write
> permissions across the policy while still blocking many design and
> programing flaws SELinux is so good at catching today.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
>
What does open on a dir mean? Isn't that the same as the read perm?
> allow httpd_t user_tmp_t:dir { read open };
[...]
> + * Convert a file mask to an access vector and include the correct open
> + * open permission.
> + */
> +static inline u32 open_file_mask_to_av(int mode, int mask)
> +{
> + u32 av = file_mask_to_av(mode, mask);
> +
> + if (selinux_policycap_openperm) {
> + /*
> + * lnk files and socks do not really have an 'open'
> + */
> + if (S_ISREG(mode))
> + av |= FILE__OPEN;
> + else if (S_ISCHR(mode))
> + av |= CHR_FILE__OPEN;
> + else if (S_ISBLK(mode))
> + av |= BLK_FILE__OPEN;
> + else if (S_ISFIFO(mode))
> + av |= FIFO_FILE__OPEN;
> + else if (S_ISDIR(mode))
> + av |= DIR__OPEN;
> + else
> + printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> + "with unknown mode:%x\n", mode);
> + }
> + return av;
> +}
> +
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH -v2] SELinux: create new open permission
2008-02-28 18:50 ` Christopher J. PeBenito
@ 2008-02-28 19:00 ` Eric Paris
2008-02-28 20:32 ` James Antill
2008-02-28 19:04 ` Stephen Smalley
1 sibling, 1 reply; 10+ messages in thread
From: Eric Paris @ 2008-02-28 19:00 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux, sds, jmorris, Paul Moore
On Thu, 2008-02-28 at 13:50 -0500, Christopher J. PeBenito wrote:
> On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> > Adds a new open permission inside SELinux when 'opening' a file. The
> > idea is that opening a file and reading/writing to that file are not the
> > same thing. Its different if a program had its stdout redirected
> > to /tmp/output than if the program tried to directly open /tmp/output.
> > This should allow policy writers to more liberally give read/write
> > permissions across the policy while still blocking many design and
> > programing flaws SELinux is so good at catching today.
> >
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> >
>
> What does open on a dir mean? Isn't that the same as the read perm?
Admittedly there is very little distinction and I don't know the
usefulness, but it is possible for a process to pass an open fd to a
directory so I saw little reason to exclude it. lnk and socket files
were excluded because they could not be 'opened.' Obvious for a socket,
but lnk files are magically changed in the kernel to an open on the real
file before the security check, so you couldn't ever pass an open lnk
file.
> #============= httpd_t =============
> allow httpd_t user_tmp_t:dir { read open };
> #============= ntpd_t ==============
> allow ntpd_t user_tmp_t:dir read;
-Eric
> > allow httpd_t user_tmp_t:dir { read open };
> [...]
> > + * Convert a file mask to an access vector and include the correct open
> > + * open permission.
> > + */
> > +static inline u32 open_file_mask_to_av(int mode, int mask)
> > +{
> > + u32 av = file_mask_to_av(mode, mask);
> > +
> > + if (selinux_policycap_openperm) {
> > + /*
> > + * lnk files and socks do not really have an 'open'
> > + */
> > + if (S_ISREG(mode))
> > + av |= FILE__OPEN;
> > + else if (S_ISCHR(mode))
> > + av |= CHR_FILE__OPEN;
> > + else if (S_ISBLK(mode))
> > + av |= BLK_FILE__OPEN;
> > + else if (S_ISFIFO(mode))
> > + av |= FIFO_FILE__OPEN;
> > + else if (S_ISDIR(mode))
> > + av |= DIR__OPEN;
> > + else
> > + printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> > + "with unknown mode:%x\n", mode);
> > + }
> > + return av;
> > +}
> > +
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH -v2] SELinux: create new open permission
2008-02-28 19:00 ` Eric Paris
@ 2008-02-28 20:32 ` James Antill
2008-02-29 12:37 ` Russell Coker
0 siblings, 1 reply; 10+ messages in thread
From: James Antill @ 2008-02-28 20:32 UTC (permalink / raw)
To: Eric Paris; +Cc: Christopher J. PeBenito, selinux, sds, jmorris, Paul Moore
[-- Attachment #1: Type: text/plain, Size: 1212 bytes --]
On Thu, 2008-02-28 at 14:00 -0500, Eric Paris wrote:
> On Thu, 2008-02-28 at 13:50 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> > > Adds a new open permission inside SELinux when 'opening' a file. The
> > > idea is that opening a file and reading/writing to that file are not the
> > > same thing. Its different if a program had its stdout redirected
> > > to /tmp/output than if the program tried to directly open /tmp/output.
> > > This should allow policy writers to more liberally give read/write
> > > permissions across the policy while still blocking many design and
> > > programing flaws SELinux is so good at catching today.
> > >
> > > Signed-off-by: Eric Paris <eparis@redhat.com>
> > >
> >
> > What does open on a dir mean? Isn't that the same as the read perm?
>
> Admittedly there is very little distinction and I don't know the
> usefulness, but it is possible for a process to pass an open fd to a
> directory so I saw little reason to exclude it.
Also we have the *at() and fchdir() calls, so this distinction (between
open and read on dirs) is useful.
--
James Antill <james.antill@redhat.com>
Red Hat
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH -v2] SELinux: create new open permission
2008-02-28 20:32 ` James Antill
@ 2008-02-29 12:37 ` Russell Coker
2008-02-29 13:00 ` Stephen Smalley
0 siblings, 1 reply; 10+ messages in thread
From: Russell Coker @ 2008-02-29 12:37 UTC (permalink / raw)
To: James Antill
Cc: Eric Paris, Christopher J. PeBenito, selinux, sds, jmorris,
Paul Moore
On Friday 29 February 2008 07:32, James Antill <james.antill@redhat.com>
wrote:
> > > What does open on a dir mean? Isn't that the same as the read perm?
> >
> > Admittedly there is very little distinction and I don't know the
> > usefulness, but it is possible for a process to pass an open fd to a
> > directory so I saw little reason to exclude it.
>
> Also we have the *at() and fchdir() calls, so this distinction (between
> open and read on dirs) is useful.
This new open permission is being created specifically to allow file handles
to be inherited across exec.
Inheriting a directory file handle for the purpose of fchdir() seems quite
unlikely. In fact when fchdir() is mentioned in mailing list discussions it
always seems to be in the context of allowing a process to break out of a
chroot() jail.
Does anyone have a hypothetical example of how fchdir() could be used in a way
which doesn't break the security of a system but yet need to have open and
read access be differentiated?
As an aside, I'm concerned about the implications of this new file open
permission for overall quality of SE Linux policy (both reference policy and
custom policy). I anticipate many people writing policy that allows read and
write access wildly with the idea that controls on open will prevent them
being exploited.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH -v2] SELinux: create new open permission
2008-02-29 12:37 ` Russell Coker
@ 2008-02-29 13:00 ` Stephen Smalley
0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2008-02-29 13:00 UTC (permalink / raw)
To: russell
Cc: James Antill, Eric Paris, Christopher J. PeBenito, selinux,
jmorris, Paul Moore
On Fri, 2008-02-29 at 23:37 +1100, Russell Coker wrote:
> On Friday 29 February 2008 07:32, James Antill <james.antill@redhat.com>
> wrote:
> > > > What does open on a dir mean? Isn't that the same as the read perm?
> > >
> > > Admittedly there is very little distinction and I don't know the
> > > usefulness, but it is possible for a process to pass an open fd to a
> > > directory so I saw little reason to exclude it.
> >
> > Also we have the *at() and fchdir() calls, so this distinction (between
> > open and read on dirs) is useful.
>
> This new open permission is being created specifically to allow file handles
> to be inherited across exec.
>
> Inheriting a directory file handle for the purpose of fchdir() seems quite
> unlikely. In fact when fchdir() is mentioned in mailing list discussions it
> always seems to be in the context of allowing a process to break out of a
> chroot() jail.
>
> Does anyone have a hypothetical example of how fchdir() could be used in a way
> which doesn't break the security of a system but yet need to have open and
> read access be differentiated?
>
> As an aside, I'm concerned about the implications of this new file open
> permission for overall quality of SE Linux policy (both reference policy and
> custom policy). I anticipate many people writing policy that allows read and
> write access wildly with the idea that controls on open will prevent them
> being exploited.
That is a concern, but on the other side of it, today we have to either
allow or dontaudit many cases where a program only inherits a descriptor
from the caller and should never directly open the file, so the new open
check gives us a way to distinguish such attempts.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH -v2] SELinux: create new open permission
2008-02-28 18:50 ` Christopher J. PeBenito
2008-02-28 19:00 ` Eric Paris
@ 2008-02-28 19:04 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2008-02-28 19:04 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Eric Paris, selinux, jmorris, Paul Moore
On Thu, 2008-02-28 at 13:50 -0500, Christopher J. PeBenito wrote:
> On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> > Adds a new open permission inside SELinux when 'opening' a file. The
> > idea is that opening a file and reading/writing to that file are not the
> > same thing. Its different if a program had its stdout redirected
> > to /tmp/output than if the program tried to directly open /tmp/output.
> > This should allow policy writers to more liberally give read/write
> > permissions across the policy while still blocking many design and
> > programing flaws SELinux is so good at catching today.
> >
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> >
>
> What does open on a dir mean? Isn't that the same as the read perm?
open should only get checked at open(2) time, while read will get
checked both at open(2) time and if the descriptor is inherited or
transferred.
>
> > allow httpd_t user_tmp_t:dir { read open };
> [...]
> > + * Convert a file mask to an access vector and include the correct open
> > + * open permission.
> > + */
> > +static inline u32 open_file_mask_to_av(int mode, int mask)
> > +{
> > + u32 av = file_mask_to_av(mode, mask);
> > +
> > + if (selinux_policycap_openperm) {
> > + /*
> > + * lnk files and socks do not really have an 'open'
> > + */
> > + if (S_ISREG(mode))
> > + av |= FILE__OPEN;
> > + else if (S_ISCHR(mode))
> > + av |= CHR_FILE__OPEN;
> > + else if (S_ISBLK(mode))
> > + av |= BLK_FILE__OPEN;
> > + else if (S_ISFIFO(mode))
> > + av |= FIFO_FILE__OPEN;
> > + else if (S_ISDIR(mode))
> > + av |= DIR__OPEN;
> > + else
> > + printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> > + "with unknown mode:%x\n", mode);
> > + }
> > + return av;
> > +}
> > +
>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH -v2] SELinux: create new open permission
2008-02-28 17:58 [PATCH -v2] SELinux: create new open permission Eric Paris
2008-02-28 18:30 ` Paul Moore
2008-02-28 18:50 ` Christopher J. PeBenito
@ 2008-02-28 20:50 ` Stephen Smalley
2008-02-28 23:05 ` James Morris
3 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2008-02-28 20:50 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, jmorris, Paul Moore
On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> Adds a new open permission inside SELinux when 'opening' a file. The
> idea is that opening a file and reading/writing to that file are not the
> same thing. Its different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open /tmp/output.
> This should allow policy writers to more liberally give read/write
> permissions across the policy while still blocking many design and
> programing flaws SELinux is so good at catching today.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> ---
> As an example, process1 in httpd_t opened a bunch of files of type
> user_tmp_t. It then called process2 running as ntpd_t which did nothing
> but accept those open fd's and terminate. Notice proc1 needed open
> perms and proc2 only needed read and write.
>
> #============= httpd_t ==============
> allow httpd_t tmp_t:dir open;
> allow httpd_t user_tmp_t:blk_file { read write open };
> allow httpd_t user_tmp_t:chr_file { read write open };
> allow httpd_t user_tmp_t:dir { read open };
> allow httpd_t user_tmp_t:fifo_file { read write open };
> allow httpd_t user_tmp_t:file { read write execute entrypoint open };
> allow httpd_t user_tmp_t:lnk_file read;
>
> #============= ntpd_t ==============
> allow ntpd_t user_tmp_t:blk_file { read write };
> allow ntpd_t user_tmp_t:chr_file { read write };
> allow ntpd_t user_tmp_t:dir read;
> allow ntpd_t user_tmp_t:fifo_file { read write };
> allow ntpd_t user_tmp_t:file { read write entrypoint };
>
> security/selinux/hooks.c | 31 +++++++++++++++++++++++++-
> security/selinux/include/av_perm_to_string.h | 5 ++++
> security/selinux/include/av_permissions.h | 5 ++++
> security/selinux/include/security.h | 2 +
> security/selinux/selinuxfs.c | 3 +-
> security/selinux/ss/services.c | 3 ++
> 6 files changed, 47 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 75c2e99..a4cf5ff 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1599,6 +1599,35 @@ static inline u32 file_mask_to_av(int mode, int mask)
> return av;
> }
>
> +/*
> + * Convert a file mask to an access vector and include the correct open
> + * open permission.
> + */
> +static inline u32 open_file_mask_to_av(int mode, int mask)
> +{
> + u32 av = file_mask_to_av(mode, mask);
> +
> + if (selinux_policycap_openperm) {
> + /*
> + * lnk files and socks do not really have an 'open'
> + */
> + if (S_ISREG(mode))
> + av |= FILE__OPEN;
> + else if (S_ISCHR(mode))
> + av |= CHR_FILE__OPEN;
> + else if (S_ISBLK(mode))
> + av |= BLK_FILE__OPEN;
> + else if (S_ISFIFO(mode))
> + av |= FIFO_FILE__OPEN;
> + else if (S_ISDIR(mode))
> + av |= DIR__OPEN;
> + else
> + printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> + "with unknown mode:%x\n", mode);
> + }
> + return av;
> +}
> +
> /* Convert a Linux file to an access vector. */
> static inline u32 file_to_av(struct file *file)
> {
> @@ -2517,7 +2546,7 @@ static int selinux_inode_permission(struct inode *inode, int mask,
> }
>
> return inode_has_perm(current, inode,
> - file_mask_to_av(inode->i_mode, mask), NULL);
> + open_file_mask_to_av(inode->i_mode, mask), NULL);
> }
>
> static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
> diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
> index d569669..1223b4f 100644
> --- a/security/selinux/include/av_perm_to_string.h
> +++ b/security/selinux/include/av_perm_to_string.h
> @@ -14,12 +14,17 @@
> S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
> S_(SECCLASS_DIR, DIR__SEARCH, "search")
> S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
> + S_(SECCLASS_DIR, DIR__OPEN, "open")
> S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
> S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
> S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
> + S_(SECCLASS_FILE, FILE__OPEN, "open")
> S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
> S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
> S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
> + S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
> + S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
> + S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
> S_(SECCLASS_FD, FD__USE, "use")
> S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
> S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
> diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
> index 75b4131..c4c5116 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -79,6 +79,7 @@
> #define DIR__REPARENT 0x00080000UL
> #define DIR__SEARCH 0x00100000UL
> #define DIR__RMDIR 0x00200000UL
> +#define DIR__OPEN 0x00400000UL
> #define FILE__IOCTL 0x00000001UL
> #define FILE__READ 0x00000002UL
> #define FILE__WRITE 0x00000004UL
> @@ -99,6 +100,7 @@
> #define FILE__EXECUTE_NO_TRANS 0x00020000UL
> #define FILE__ENTRYPOINT 0x00040000UL
> #define FILE__EXECMOD 0x00080000UL
> +#define FILE__OPEN 0x00100000UL
> #define LNK_FILE__IOCTL 0x00000001UL
> #define LNK_FILE__READ 0x00000002UL
> #define LNK_FILE__WRITE 0x00000004UL
> @@ -136,6 +138,7 @@
> #define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
> #define CHR_FILE__ENTRYPOINT 0x00040000UL
> #define CHR_FILE__EXECMOD 0x00080000UL
> +#define CHR_FILE__OPEN 0x00100000UL
> #define BLK_FILE__IOCTL 0x00000001UL
> #define BLK_FILE__READ 0x00000002UL
> #define BLK_FILE__WRITE 0x00000004UL
> @@ -153,6 +156,7 @@
> #define BLK_FILE__SWAPON 0x00004000UL
> #define BLK_FILE__QUOTAON 0x00008000UL
> #define BLK_FILE__MOUNTON 0x00010000UL
> +#define BLK_FILE__OPEN 0x00020000UL
> #define SOCK_FILE__IOCTL 0x00000001UL
> #define SOCK_FILE__READ 0x00000002UL
> #define SOCK_FILE__WRITE 0x00000004UL
> @@ -187,6 +191,7 @@
> #define FIFO_FILE__SWAPON 0x00004000UL
> #define FIFO_FILE__QUOTAON 0x00008000UL
> #define FIFO_FILE__MOUNTON 0x00010000UL
> +#define FIFO_FILE__OPEN 0x00020000UL
> #define FD__USE 0x00000001UL
> #define SOCKET__IOCTL 0x00000001UL
> #define SOCKET__READ 0x00000002UL
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 837ce42..fa30f53 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -43,11 +43,13 @@ extern int selinux_mls_enabled;
> /* Policy capabilities */
> enum {
> POLICYDB_CAPABILITY_NETPEER,
> + POLICYDB_CAPABILITY_OPENPERM,
> __POLICYDB_CAPABILITY_MAX
> };
> #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
>
> extern int selinux_policycap_netpeer;
> +extern int selinux_policycap_openperm;
>
> int security_load_policy(void * data, size_t len);
>
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 0341567..1d996bb 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -42,7 +42,8 @@
>
> /* Policy capability filenames */
> static char *policycap_names[] = {
> - "network_peer_controls"
> + "network_peer_controls",
> + "open_perms"
> };
>
> unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index f374186..23a61f1 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -61,6 +61,7 @@ extern void selnl_notify_policyload(u32 seqno);
> unsigned int policydb_loaded_version;
>
> int selinux_policycap_netpeer;
> +int selinux_policycap_openperm;
>
> /*
> * This is declared in avc.c
> @@ -1306,6 +1307,8 @@ static void security_load_policycaps(void)
> {
> selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
> POLICYDB_CAPABILITY_NETPEER);
> + selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
> + POLICYDB_CAPABILITY_OPENPERM);
> }
>
> extern void selinux_complete_init(void);
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH -v2] SELinux: create new open permission
2008-02-28 17:58 [PATCH -v2] SELinux: create new open permission Eric Paris
` (2 preceding siblings ...)
2008-02-28 20:50 ` Stephen Smalley
@ 2008-02-28 23:05 ` James Morris
3 siblings, 0 replies; 10+ messages in thread
From: James Morris @ 2008-02-28 23:05 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, sds, Paul Moore
On Thu, 28 Feb 2008, Eric Paris wrote:
> Adds a new open permission inside SELinux when 'opening' a file. The
> idea is that opening a file and reading/writing to that file are not the
> same thing. Its different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open /tmp/output.
> This should allow policy writers to more liberally give read/write
> permissions across the policy while still blocking many design and
> programing flaws SELinux is so good at catching today.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#next
--
James Morris
<jmorris@namei.org>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread