Handling unknown permissions in userspace object managers

Handling unknown permissions in userspace object managers

[Eric Paris]

glibc/nscd is acting as a userspace object manager.  Today what they are
doing is:

static const access_vector_t perms[LASTREQ] =
{
  [GETPWBYNAME] = NSCD__GETPWD,
  [GETPWBYUID] = NSCD__GETPWD,
...
  [INNETGR] = NSCD__GETNETGRP,
  [GETFDNETGR] = NSCD__SHMEMNETGRP,
};
...
rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
...

They recently ran into problems where they defined NSCD__GETNETGRP in
their application but the selinux policy was never updated to support
the new permission.  They found that such checks were being denied.
(which surprises me actually but I haven't dug into that and probably
should)

I suggested glibc replace SECCLASS_NSCD with string_to_security_class()
and to replace the hard coded perm values with string_to_av_perm().  It
has a couple of obvious benefits.  one: they know if policy supports the
class/perm in question.  two: if things change in policy glibc still
works (we know that WE won't change the policy such that they would
break, but that doesn't mean that someone couldn't/wouldn't)

Carlos and I had a question come out of this.  How do we recommend he
handle the perms[] array?  Before the switch to string_to_av_perm() it
was on a read only data page.  Now since it has to be updated at run
time he has an array of strings on a read only data page but the AV
values are on a rw page.  Do we have a suggestion how this could be
improved?  Is it worth map-ing a page for this tiny array so it can be
marked RO after it is filled in?

-Eric


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Handling unknown permissions in userspace object managers

[Stephen Smalley]

On 11/01/2013 11:18 AM, Eric Paris wrote:
> glibc/nscd is acting as a userspace object manager.  Today what they are
> doing is:
> 
> static const access_vector_t perms[LASTREQ] =
> {
>   [GETPWBYNAME] = NSCD__GETPWD,
>   [GETPWBYUID] = NSCD__GETPWD,
> ...
>   [INNETGR] = NSCD__GETNETGRP,
>   [GETFDNETGR] = NSCD__SHMEMNETGRP,
> };
> ...
> rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
> ...
> 
> They recently ran into problems where they defined NSCD__GETNETGRP in
> their application but the selinux policy was never updated to support
> the new permission.  They found that such checks were being denied.
> (which surprises me actually but I haven't dug into that and probably
> should)
> 
> I suggested glibc replace SECCLASS_NSCD with string_to_security_class()
> and to replace the hard coded perm values with string_to_av_perm().  It
> has a couple of obvious benefits.  one: they know if policy supports the
> class/perm in question.  two: if things change in policy glibc still
> works (we know that WE won't change the policy such that they would
> break, but that doesn't mean that someone couldn't/wouldn't)

Use selinux_set_mapping() if you want to create a mapping of your own
class/perm indices to the policy values without needing to keep them
identical.  See XSELinux for an example.

Use selinux_check_access() instead if you want to push all the handling
of the AVC, class/perm string mapping, etc to libselinux and not deal
with it inside your application.  That's by far the easiest interface.
It does however impose the overhead of looking up the SIDs, class, and
perm value on each check, but I doubt this path is performance-critical.
 It also handles security_deny_unknown() checking so handle_unknown is
dealt with properly.
> 
> Carlos and I had a question come out of this.  How do we recommend he
> handle the perms[] array?  Before the switch to string_to_av_perm() it
> was on a read only data page.  Now since it has to be updated at run
> time he has an array of strings on a read only data page but the AV
> values are on a rw page.  Do we have a suggestion how this could be
> improved?  Is it worth map-ing a page for this tiny array so it can be
> marked RO after it is filled in?
> 
> -Eric
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Handling unknown permissions in userspace object managers

[Eric Paris]

On Fri, 2013-11-01 at 11:48 -0400, Stephen Smalley wrote:
> On 11/01/2013 11:18 AM, Eric Paris wrote:
> > glibc/nscd is acting as a userspace object manager.  Today what they are
> > doing is:
> > 
> > static const access_vector_t perms[LASTREQ] =
> > {
> >   [GETPWBYNAME] = NSCD__GETPWD,
> >   [GETPWBYUID] = NSCD__GETPWD,
> > ...
> >   [INNETGR] = NSCD__GETNETGRP,
> >   [GETFDNETGR] = NSCD__SHMEMNETGRP,
> > };
> > ...
> > rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
> > ...
> > 
> > They recently ran into problems where they defined NSCD__GETNETGRP in
> > their application but the selinux policy was never updated to support
> > the new permission.  They found that such checks were being denied.
> > (which surprises me actually but I haven't dug into that and probably
> > should)
> > 
> > I suggested glibc replace SECCLASS_NSCD with string_to_security_class()
> > and to replace the hard coded perm values with string_to_av_perm().  It
> > has a couple of obvious benefits.  one: they know if policy supports the
> > class/perm in question.  two: if things change in policy glibc still
> > works (we know that WE won't change the policy such that they would
> > break, but that doesn't mean that someone couldn't/wouldn't)
> 
> Use selinux_set_mapping() if you want to create a mapping of your own
> class/perm indices to the policy values without needing to keep them
> identical.  See XSELinux for an example.

I completely forget about that interface.  It does simplify things a
bit, but it seems to make things worse as well.  When dealing with
unknown perms selinux_set_mapping() is going to return EINVAL and the
userspace object manager will be just screwed...

Any thoughts how we could better that interface for the case where
security_deny_unknown() == 0? 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Handling unknown permissions in userspace object managers

[Stephen Smalley]

On 11/01/2013 11:54 AM, Eric Paris wrote:
> On Fri, 2013-11-01 at 11:48 -0400, Stephen Smalley wrote:
>> On 11/01/2013 11:18 AM, Eric Paris wrote:
>>> glibc/nscd is acting as a userspace object manager.  Today what they are
>>> doing is:
>>>
>>> static const access_vector_t perms[LASTREQ] =
>>> {
>>>   [GETPWBYNAME] = NSCD__GETPWD,
>>>   [GETPWBYUID] = NSCD__GETPWD,
>>> ...
>>>   [INNETGR] = NSCD__GETNETGRP,
>>>   [GETFDNETGR] = NSCD__SHMEMNETGRP,
>>> };
>>> ...
>>> rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
>>> ...
>>>
>>> They recently ran into problems where they defined NSCD__GETNETGRP in
>>> their application but the selinux policy was never updated to support
>>> the new permission.  They found that such checks were being denied.
>>> (which surprises me actually but I haven't dug into that and probably
>>> should)
>>>
>>> I suggested glibc replace SECCLASS_NSCD with string_to_security_class()
>>> and to replace the hard coded perm values with string_to_av_perm().  It
>>> has a couple of obvious benefits.  one: they know if policy supports the
>>> class/perm in question.  two: if things change in policy glibc still
>>> works (we know that WE won't change the policy such that they would
>>> break, but that doesn't mean that someone couldn't/wouldn't)
>>
>> Use selinux_set_mapping() if you want to create a mapping of your own
>> class/perm indices to the policy values without needing to keep them
>> identical.  See XSELinux for an example.
> 
> I completely forget about that interface.  It does simplify things a
> bit, but it seems to make things worse as well.  When dealing with
> unknown perms selinux_set_mapping() is going to return EINVAL and the
> userspace object manager will be just screwed...
> 
> Any thoughts how we could better that interface for the case where
> security_deny_unknown() == 0? 

Just do what I did in the kernel code (security/selinux/ss/services.c,
changes to selinux_set_mapping, map_decision based on handle_unknown).

But selinux_check_access() is IMHO a better way to go for any new code
unless it is so performance-critical that the context, class, and perm
lookups per check are prohibitive.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Handling unknown permissions in userspace object managers

[Stephen Smalley]

On 11/01/2013 01:00 PM, Carlos O'Donell wrote:
> On 11/01/2013 12:00 PM, Stephen Smalley wrote:
>> But selinux_check_access() is IMHO a better way to go for any new code
>> unless it is so performance-critical that the context, class, and perm
>> lookups per check are prohibitive.
> 
> The code in question is from glibc's nscd and used when determining if
> the user should or should not have access to specific cache results, and
> therefore it is performance sensitive. The faster we can determine if
> access is allowed the faster we can return a result to a client that
> needs an answer about a particular credential. I'm happing doing the
> translations at startup when the daemon is initializing, but I'm not
> happy to do them at every request arriving to the daemon. Unless someone
> says this needs to be fully dynamic I'd like to avoid any costs during
> the request handling phase.

I doubt the overhead of the SID/class/perm lookup compares to the IPC
overhead, but I can't say that I've measured it.  But feel free to use
whichever interface you prefer.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Handling unknown permissions in userspace object managers

[Stephen Smalley]

On 11/01/2013 01:18 PM, Carlos O'Donell wrote:
> On 11/01/2013 01:02 PM, Stephen Smalley wrote:
>> On 11/01/2013 01:00 PM, Carlos O'Donell wrote:
>>> On 11/01/2013 12:00 PM, Stephen Smalley wrote:
>>>> But selinux_check_access() is IMHO a better way to go for any new code
>>>> unless it is so performance-critical that the context, class, and perm
>>>> lookups per check are prohibitive.
>>>
>>> The code in question is from glibc's nscd and used when determining if
>>> the user should or should not have access to specific cache results, and
>>> therefore it is performance sensitive. The faster we can determine if
>>> access is allowed the faster we can return a result to a client that
>>> needs an answer about a particular credential. I'm happing doing the
>>> translations at startup when the daemon is initializing, but I'm not
>>> happy to do them at every request arriving to the daemon. Unless someone
>>> says this needs to be fully dynamic I'd like to avoid any costs during
>>> the request handling phase.
>>
>> I doubt the overhead of the SID/class/perm lookup compares to the IPC
>> overhead, but I can't say that I've measured it.  But feel free to use
>> whichever interface you prefer.
> 
> I already have to pay the IPC overhead, and I try to cut costs where
> possible. However, you are correct in that we should remeasure the
> performance to see if this actually makes any difference. If it makes
> no difference then there isn't any point to all the custom code in glibc
> and we should just call selinux_check_access.
> 
> The only real point would be that nscd has custom failure logging right 
> now by basically reimplementing a selinux_check_access, but that's a 
> very very weak reason since SELinux's own logging is far superior.
> 
> In that case the question of RW pages with permission values goes away
> because we do the translation each time we make a permission check using
> the constant strings in rodata for `nscd' and the various perms.
> 
> Does that make sense?

Yes, the RW page issue goes away whichever interface you use - if you
use selinux_set_mapping(), then you get to use constant values for your
own permission definitions and libselinux will internally map your
values to the policy values at runtime, while if you use
selinux_check_access(), then libselinux will internally look up the
strings at runtime.  Either way avoids the problem of the RW page.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Handling unknown permissions in userspace object managers

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/01/2013 01:02 PM, Stephen Smalley wrote:
> On 11/01/2013 01:00 PM, Carlos O'Donell wrote:
>> On 11/01/2013 12:00 PM, Stephen Smalley wrote:
>>> But selinux_check_access() is IMHO a better way to go for any new code 
>>> unless it is so performance-critical that the context, class, and perm 
>>> lookups per check are prohibitive.
>> 
>> The code in question is from glibc's nscd and used when determining if 
>> the user should or should not have access to specific cache results, and 
>> therefore it is performance sensitive. The faster we can determine if 
>> access is allowed the faster we can return a result to a client that 
>> needs an answer about a particular credential. I'm happing doing the 
>> translations at startup when the daemon is initializing, but I'm not 
>> happy to do them at every request arriving to the daemon. Unless someone 
>> says this needs to be fully dynamic I'd like to avoid any costs during 
>> the request handling phase.
> 
> I doubt the overhead of the SID/class/perm lookup compares to the IPC 
> overhead, but I can't say that I've measured it.  But feel free to use 
> whichever interface you prefer.
> 
> 
> 
> 
> -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes
> as the message.
> 
We could potentially optimize the calls similarly to what we did with
procattr, where we cache the previous lookup.  Since the
source,type,class,perm flags will often be repeated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ0G2wACgkQrlYvE4MpobM5twCeN14XzW+AaRpnMHf58EAETeuu
IVYAoOmXkl9dIh4ARQjQDkl3JIH1WUnj
=5ZEm
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.