fuse + setfilecon - need some userspace / libselinux1 assistance

fuse + setfilecon - need some userspace / libselinux1 assistance

[Luke Kenneth Casson Leighton]

hi,

i'm not entirely sure what is going on, so thought i'd best ask.

i'm adding xattr support to fuse (*gibber*) so that i can do selinux
permissions properly.

therein immediately lies the problem: the userspace implementation of
getxattr is fine (one might hope) but the userspace implementation of
setxattr is not fine.

why?  well, because a setxattr("security.selinux", <somegarbage>)
operation is performed!

as i found out, that is banned, esp. as the userspace program is run as
getfsuid() to the user.


consequently, i looked around and found the util "setfilecon" which uses
setfilecon().

to my surprise, i found that the argv[] arguments were simply ...
typecast from a char* to a security_context_t.

surely... that's rather unexpected behaviour that could, in the
future, break applications?

well, anyway, what i've done is to check that the string is
"security.selinux" and then to call setfilecon() and that seems to work
fine.



secondly, and this is quite an important one for security reasons: the
fusermount program must be run setuid to root, in order to allow
users to _un_mount their own filesystem.

the fusermount program, whilst running as root, removes all "linux
capabilities" _except_ that of the ability to unmount.

and it also does a setfsuid and setfsgid to the user.

so, my question is: what possible horrors could i encounter,
given that setfsuid and setfilecon are involved?

will the setfilecon operation occur _as_ the user specified under the
setfsuid() uid?

or will the setfilecon operation be actioned as root?

i believe it to be really important that the answer is
"the setfilecon() is done as the setfsuid() uid"!

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: fuse + setfilecon - need some userspace / libselinux1 assistance

[Stephen Smalley]

On Tue, 2004-09-28 at 10:03, Luke Kenneth Casson Leighton wrote:
> why?  well, because a setxattr("security.selinux", <somegarbage>)
> operation is performed!
> 
> as i found out, that is banned, esp. as the userspace program is run as
> getfsuid() to the user.

Sorry, do you mean that you ran into DAC denials due to lack of search
permission to the necessary directories?  setxattr itself doesn't impose
any uid-based restrictions on security.selinux; that is all controlled
based on security contexts.

> consequently, i looked around and found the util "setfilecon" which uses
> setfilecon().

setfilecon(path, context) just calls setxattr(path, security.selinux,
context, len, 0).  Nothing magic there.
> 
> to my surprise, i found that the argv[] arguments were simply ...
> typecast from a char* to a security_context_t.
> 
> surely... that's rather unexpected behaviour that could, in the
> future, break applications?

The fact that security contexts are strings is fairly established.  We
do need to introduce a level of indirection in translation for human
consumption for proper MLS support, unfortunately.

> will the setfilecon operation occur _as_ the user specified under the
> setfsuid() uid?
> 
> or will the setfilecon operation be actioned as root?
> 
> i believe it to be really important that the answer is
> "the setfilecon() is done as the setfsuid() uid"!

As far as the path lookup is concerned, the usual DAC restrictions are
applied, and are based on fsuid as usual.  But the setting of the
security context is not uid-based at all.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: fuse + setfilecon - need some userspace / libselinux1 assistance

[Luke Kenneth Casson Leighton]

stephen, hi,

i must apologise because a lot of this is out-of-date: i managed to at
least get something working, even if it's badly hacked together with
sellotape.

the one outstanding question that _is_ still relevant is the
one about security/selinux/hooks.c treating a vfs's "-512"
error code response [please try later] as an error.

why, well just in case some other [more mainstream] filesystem
e.g. a selinuxed version of nfs does the same sort of thing
[responds to a vfs_xxxx() call or a vfs_getxattr() call with
-512 and actually expects hooks.c _to_ try later]

l.

On Fri, Oct 08, 2004 at 02:03:32PM -0400, Stephen Smalley wrote:

> On Tue, 2004-09-28 at 10:03, Luke Kenneth Casson Leighton wrote:
> > why?  well, because a setxattr("security.selinux", <somegarbage>)
> > operation is performed!
> > 
> > as i found out, that is banned, esp. as the userspace program is run as
> > getfsuid() to the user.
> 
> Sorry, do you mean that you ran into DAC denials due to lack of search
> permission to the necessary directories?  setxattr itself doesn't impose
> any uid-based restrictions on security.selinux; that is all controlled
> based on security contexts.
> 
> > consequently, i looked around and found the util "setfilecon" which uses
> > setfilecon().
> 
> setfilecon(path, context) just calls setxattr(path, security.selinux,
> context, len, 0).  Nothing magic there.
> > 
> > to my surprise, i found that the argv[] arguments were simply ...
> > typecast from a char* to a security_context_t.
> > 
> > surely... that's rather unexpected behaviour that could, in the
> > future, break applications?
> 
> The fact that security contexts are strings is fairly established.  We
> do need to introduce a level of indirection in translation for human
> consumption for proper MLS support, unfortunately.
> 
> > will the setfilecon operation occur _as_ the user specified under the
> > setfsuid() uid?
> > 
> > or will the setfilecon operation be actioned as root?
> > 
> > i believe it to be really important that the answer is
> > "the setfilecon() is done as the setfsuid() uid"!
> 
> As far as the path lookup is concerned, the usual DAC restrictions are
> applied, and are based on fsuid as usual.  But the setting of the
> security context is not uid-based at all.
> 
> -- 
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency
> 

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: fuse + setfilecon - need some userspace / libselinux1 assistance

[Stephen Smalley]

On Fri, 2004-10-08 at 14:36, Luke Kenneth Casson Leighton wrote:
> the one outstanding question that _is_ still relevant is the
> one about security/selinux/hooks.c treating a vfs's "-512"
> error code response [please try later] as an error.
> 
> why, well just in case some other [more mainstream] filesystem
> e.g. a selinuxed version of nfs does the same sort of thing
> [responds to a vfs_xxxx() call or a vfs_getxattr() call with
> -512 and actually expects hooks.c _to_ try later]

You would have to either change d_instantiate() to return an error code
and fix all callers to check and propagate it upwards to where it can be
handled sanely in the usual manner, or move the inode security
initialization from d_instantiate to somewhere that already allows such
error propagation, e.g. iget() - but that has its own problems for lots
of filesystems.  I don't think you can handle it sanely within hooks.c
itself.  Use of d_instantiate for inode security initialization has
always been controversial, but no one has come up with a better
suggestion yet.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.