From: Stephen Smalley <sds@tycho.nsa.gov>
To: Lucian Adrian Grijincu <lucian.grijincu@gmail.com>
Cc: James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>,
Al Viro <viro@zeniv.linux.org.uk>, Christoph Hellwig <hch@lst.de>,
Dave Chinner <dchinner@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
selinux <selinux@tycho.nsa.gov>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: [PATCH 2/2] RFC: selinux: sysctl: fix selinux labeling broken by last patch
Date: Mon, 31 Jan 2011 09:21:20 -0500 [thread overview]
Message-ID: <1296483680.26427.32.camel@moss-pluto> (raw)
In-Reply-To: <AANLkTinMNftk8cUnGn+XfpUkwyo5axdnS2oO8Dg4k6M8@mail.gmail.com>
On Mon, 2011-01-31 at 16:14 +0200, Lucian Adrian Grijincu wrote:
> On Mon, Jan 31, 2011 at 3:59 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > - Don't remove the IS_PRIVATE() test from inode_has_perm(), as other
> > inodes beyond just the /proc/sys ones are marked with that flag
> > (original usage was for reiserfs xattr inodes).
>
>
> Are you sure? I believe it was added here:
>
> [PATCH] selinux: enhance selinux to always ignore private inodes
>
> Hmmm...turns out to not be quite enough, as the /proc/sys inodes
> aren't truly
> private to the fs, so we can run into them in a variety of security hooks
> beyond just the inode hooks, such as security_file_permission (when reading
> and writing them via the vfs helpers), security_sb_mount (when
> mounting other
> filesystems on directories in proc like binfmt_misc), and deeper within the
> security module itself (as in flush_unauthorized_files upon
> inheritance across
> execve). So I think we have to add an IS_PRIVATE() guard within SELinux, as
> below. Note however that the use of the private flag here could
> be confusing,
> as these inodes are _not_ private to the fs, are exposed to userspace, and
> security modules must implement the sysctl hook to get any access
> control over
> them.
>
>
> http://thread.gmane.org/gmane.comp.security.selinux/341/focus=519
>
>
> In my patch I don't care about IS_PRIVATE, because I don't mark proc
> inodes as PRIVATE any more.
>
>
> This patch added S_ISPRIVATE to proc inodes:
> [PATCH] sysctl: hide the sysctl proc inodes from selinux
> 86a71dbd3e81e8870d0f0e56b87875f57e58222b
>
> This one added the IS_PRIVATE check:
> [PATCH] selinux: enhance selinux to always ignore private inodes
> bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962
>
>
> I'll remove the check from my patch if you say it's used in other
> places too, but the original usage does not seem to be "for reiserfs
> xattr inodes".
Ok, my mistake - you can leave that part alone. The original usage of
the S_PRIVATE flag was for reiserfs xattr inodes, but it appears that
you are correct that we don't need the IS_PRIVATE() guard within the
selinux code for that use case.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Lucian Adrian Grijincu <lucian.grijincu@gmail.com>
Cc: James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>,
Al Viro <viro@zeniv.linux.org.uk>, Christoph Hellwig <hch@lst.de>,
Dave Chinner <dchinner@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
selinux <selinux@tycho.nsa.gov>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: [PATCH 2/2] RFC: selinux: sysctl: fix selinux labeling broken by last patch
Date: Mon, 31 Jan 2011 09:21:20 -0500 [thread overview]
Message-ID: <1296483680.26427.32.camel@moss-pluto> (raw)
In-Reply-To: <AANLkTinMNftk8cUnGn+XfpUkwyo5axdnS2oO8Dg4k6M8@mail.gmail.com>
On Mon, 2011-01-31 at 16:14 +0200, Lucian Adrian Grijincu wrote:
> On Mon, Jan 31, 2011 at 3:59 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > - Don't remove the IS_PRIVATE() test from inode_has_perm(), as other
> > inodes beyond just the /proc/sys ones are marked with that flag
> > (original usage was for reiserfs xattr inodes).
>
>
> Are you sure? I believe it was added here:
>
> [PATCH] selinux: enhance selinux to always ignore private inodes
>
> Hmmm...turns out to not be quite enough, as the /proc/sys inodes
> aren't truly
> private to the fs, so we can run into them in a variety of security hooks
> beyond just the inode hooks, such as security_file_permission (when reading
> and writing them via the vfs helpers), security_sb_mount (when
> mounting other
> filesystems on directories in proc like binfmt_misc), and deeper within the
> security module itself (as in flush_unauthorized_files upon
> inheritance across
> execve). So I think we have to add an IS_PRIVATE() guard within SELinux, as
> below. Note however that the use of the private flag here could
> be confusing,
> as these inodes are _not_ private to the fs, are exposed to userspace, and
> security modules must implement the sysctl hook to get any access
> control over
> them.
>
>
> http://thread.gmane.org/gmane.comp.security.selinux/341/focus=519
>
>
> In my patch I don't care about IS_PRIVATE, because I don't mark proc
> inodes as PRIVATE any more.
>
>
> This patch added S_ISPRIVATE to proc inodes:
> [PATCH] sysctl: hide the sysctl proc inodes from selinux
> 86a71dbd3e81e8870d0f0e56b87875f57e58222b
>
> This one added the IS_PRIVATE check:
> [PATCH] selinux: enhance selinux to always ignore private inodes
> bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962
>
>
> I'll remove the check from my patch if you say it's used in other
> places too, but the original usage does not seem to be "for reiserfs
> xattr inodes".
Ok, my mistake - you can leave that part alone. The original usage of
the S_PRIVATE flag was for reiserfs xattr inodes, but it appears that
you are correct that we don't need the IS_PRIVATE() guard within the
selinux code for that use case.
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2011-01-31 14:21 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-31 3:26 [PATCH 2/2] RFC: selinux: sysctl: fix selinux labeling broken by last patch Lucian Adrian Grijincu
2011-01-31 13:59 ` Stephen Smalley
2011-01-31 13:59 ` Stephen Smalley
2011-01-31 14:14 ` Lucian Adrian Grijincu
2011-01-31 14:14 ` Lucian Adrian Grijincu
2011-01-31 14:21 ` Stephen Smalley [this message]
2011-01-31 14:21 ` Stephen Smalley
2011-01-31 16:27 ` Lucian Adrian Grijincu
2011-01-31 16:27 ` Lucian Adrian Grijincu
2011-01-31 16:59 ` Stephen Smalley
2011-01-31 16:59 ` Stephen Smalley
2011-01-31 17:03 ` Lucian Adrian Grijincu
2011-01-31 17:03 ` Lucian Adrian Grijincu
2011-01-31 18:35 ` Stephen Smalley
2011-01-31 18:35 ` Stephen Smalley
2011-01-31 19:55 ` Stephen Smalley
2011-01-31 19:55 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1296483680.26427.32.camel@moss-pluto \
--to=sds@tycho.nsa.gov \
--cc=arnd@arndb.de \
--cc=dchinner@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=hch@lst.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lucian.grijincu@gmail.com \
--cc=selinux@tycho.nsa.gov \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.