From: "Michael S. Tsirkin" <mst@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: Paul Moore <pmoore@redhat.com>,
netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH 2/2] tun: fix LSM/SELinux labeling of tun/tap devices
Date: Wed, 5 Dec 2012 13:44:55 +0200 [thread overview]
Message-ID: <20121205114455.GB26649@redhat.com> (raw)
In-Reply-To: <50BEE76A.3080707@redhat.com>
On Wed, Dec 05, 2012 at 02:19:22PM +0800, Jason Wang wrote:
> On 12/05/2012 02:17 AM, Paul Moore wrote:
> > On Tuesday, December 04, 2012 07:36:26 PM Michael S. Tsirkin wrote:
> >> On Tue, Dec 04, 2012 at 11:18:57AM -0500, Paul Moore wrote:
> >>> Okay, based on your explanation of TUNSETQUEUE, the steps below are what I
> >>> believe we need to do ... if you disagree speak up quickly please.
> >>>
> >>> A. TUNSETIFF (new, non-persistent device)
> >>>
> >>> [Allocate and initialize the tun_struct LSM state based on the calling
> >>> process, use this state to label the TUN socket.]
> >>>
> >>> 1. Call security_tun_dev_create() which authorizes the action.
> >>> 2. Call security_tun_dev_alloc_security() which allocates the tun_struct
> >>> LSM blob and SELinux sets some internal blob state to record the label of
> >>> the calling process.
> >>> 3. Call security_tun_dev_attach() which sets the label of the TUN socket
> >>> to match the label stored in the tun_struct LSM blob during A2. No
> >>> authorization is done at this point since the socket is new/unlabeled.
> >>>
> >>> B. TUNSETIFF (existing, persistent device)
> >>>
> >>> [Relabel the existing tun_struct LSM state based on the calling process,
> >>> use this state to label the TUN socket.]
> >>>
> >>> 1. Attempt to relabel/reset the tun_struct LSM blob from the currently
> >>> stored value, set during A2, to the label of the current calling process.
> >>> *** THIS IS NOT CURRENTLY DONE IN THE RFC PATCH ***
> >>> 2. Call security_tun_dev_attach() which sets the label of the TUN socket
> >>> to match the label stored in the tun_struct LSM blob during B1. No
> >>> authorization is done at this point since the socket is new/unlabeled.
> >>>
> >>> C. TUNSETQUEUE
> >>>
> >>> [Use the existing tun_struct LSM state to label the new TUN socket.]
> >>>
> >>> 1. Call security_tun_dev_attach() which sets the label of the TUN socket
> >>> to match the label stored in the tun_struct LSM blob set during either A2
> >>> or B1. No authorization is done at this point since the socket is
> >>> new/unlabeled.
> >> Here's what bothers me. libvirt currently opens tun and passes
> >> fd to qemu. What would prevent qemu from attaching fd using TUNSETQUEUE
> >> to another device it does not own?
> > True, assuming all the above is correct and that I'm understanding it
> > correctly (Jason?), we should probably add a new SELinux access control for
> > TUNSETQUEUE.
>
> Yes, we need make sure qemu can call TUNSETQUEUE for the device it does
> not own.
Meaning can *not* call?
> >
> > The current DAC code exists in tun_not_capable().
> >
next prev parent reply other threads:[~2012-12-05 11:44 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-29 22:06 [RFC PATCH 0/2] Fix some multiqueue TUN problems Paul Moore
2012-11-29 22:06 ` Paul Moore
2012-11-29 22:06 ` [RFC PATCH 1/2] tun: correctly report an error in tun_flow_init() Paul Moore
2012-11-29 22:06 ` Paul Moore
2012-12-05 16:02 ` Paul Moore
2012-12-05 16:02 ` Paul Moore
2012-12-06 3:35 ` Jason Wang
2012-11-29 22:06 ` [RFC PATCH 2/2] tun: fix LSM/SELinux labeling of tun/tap devices Paul Moore
2012-11-29 22:06 ` Paul Moore
2012-12-03 10:15 ` Jason Wang
2012-12-03 16:22 ` Paul Moore
2012-12-03 16:22 ` Paul Moore
2012-12-04 13:24 ` Jason Wang
2012-12-04 15:24 ` Michael S. Tsirkin
2012-12-05 6:17 ` Jason Wang
2012-12-05 11:43 ` Michael S. Tsirkin
2012-12-05 13:45 ` Jason Wang
2012-12-04 16:18 ` Paul Moore
2012-12-04 16:18 ` Paul Moore
2012-12-04 17:36 ` Michael S. Tsirkin
2012-12-04 18:17 ` Paul Moore
2012-12-04 18:17 ` Paul Moore
2012-12-05 6:19 ` Jason Wang
2012-12-05 11:44 ` Michael S. Tsirkin [this message]
2012-12-05 14:01 ` Jason Wang
2012-12-05 16:00 ` Paul Moore
2012-12-05 16:00 ` Paul Moore
2012-12-05 5:44 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121205114455.GB26649@redhat.com \
--to=mst@redhat.com \
--cc=jasowang@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.