From: Stephen Smalley <sds@tycho.nsa.gov>
To: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Cc: "David S. Miller" <davem@davemloft.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
"Serge E. Hallyn" <serge@hallyn.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Casey Schaufler <casey@schaufler-ca.com>,
David Howells <dhowells@redhat.com>,
Fabian Frederick <fabf@skynet.be>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Jeff Layton <jlayton@primarydata.com>,
Jingoo Han <jg1.han@samsung.com>, Joe Perches <joe@perches.com>,
John Johansen <john.johansen@canonical.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
Miklos Szeredi <miklos@szeredi.hu>,
Oleg Nesterov <oleg@redhat.com>, Paul Moore <paul@pa>
Subject: Re: [PATCH v2 0/7] Smack namespace
Date: Tue, 26 May 2015 12:34:16 -0400 [thread overview]
Message-ID: <5564A088.4040507@tycho.nsa.gov> (raw)
In-Reply-To: <1432657655.1974.21.camel@samsung.com>
On 05/26/2015 12:27 PM, Lukasz Pawelczyk wrote:
> Hi,
>
> Thanks for taking the interest and commenting on this.
> Replies below.
>
>
> On wto, 2015-05-26 at 10:35 -0400, Stephen Smalley wrote:
>> On 05/25/2015 08:32 AM, Lukasz Pawelczyk wrote:
>>> --- Design ideas ---
>>>
>>> "Smack namespace" is rather "Smack labels namespace" as not the whole
>>> MAC is namespaced, only the labels. There is a great analogy between
>>> Smack labels namespace and the user namespace part that remaps UIDs.
>>>
>>> The idea is to create a map of labels for a namespace so the namespace
>>> is only allowed to use those labels. Smack rules are always the same
>>> as in the init namespace (limited only by what labels are mapped) and
>>> cannot be manipulated from the child namespace. The map is actually
>>> only for labels' names. The underlying structures for labels remain
>>> the same. The filesystem also stores the "unmapped" labels from the
>>> init namespace.
>>
>> How do you achieve that without introducing additional hooks or
>> reworking the current hooks in the setxattr code path? At present, the
>> security module is allowed to rewrite getxattr requests on the
>> security.* namespace but it isn't allowed to do that for setxattr, so if
>> the process invokes setxattr with a mapped label, then it will be the
>> mapped label that gets passed to the filesystem implementation, not the
>> unmapped label. The security module may internally store it in unmapped
>> form and may even return that upon getxattr() calls, but if you then
>> reboot the system and later fetch from the filesystem, it will get the
>> mapped label value.
>
> I call the inode operation by hand in the post_setxattr.
>
> The label will effectively be set twice, which is not ideal, but there
> is no other option right now without reworking the hooks as you said.
>
> This shouldn't really be a problem because the Smack operations will not
> use the filesystem label (even when it's set incorrectly for a moment)
> but an already initialized smack_known structure for this inode that has
> all the values filled in properly.
>
> The only attack vector I can think of is hard rebooting the machine in a
> way that mapped label is really saved in the filesystem before the
> unmapped will have a chance. Should I be worried about that? This sounds
> a little unreal.
If it were my security module, I would be worried about it. Even aside
from maliciously induced failure, you are leaving yourself open to
inconsistencies arising upon crashes. I would suggest modifying the
setxattr hook so that the security module can override the original
value/size pair with its own definition before it is passed to the inode
operation. There is already precedent in that security modules are
allowed to override the value/size returned by getxattr for security.*,
so this just makes them fully parallel.
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Cc: "David S. Miller" <davem@davemloft.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
"Serge E. Hallyn" <serge@hallyn.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Casey Schaufler <casey@schaufler-ca.com>,
David Howells <dhowells@redhat.com>,
Fabian Frederick <fabf@skynet.be>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Jeff Layton <jlayton@primarydata.com>,
Jingoo Han <jg1.han@samsung.com>, Joe Perches <joe@perches.com>,
John Johansen <john.johansen@canonical.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
Miklos Szeredi <miklos@szeredi.hu>,
Oleg Nesterov <oleg@redhat.com>, Paul Moore <paul@paul-moore.com>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Zefan Li <lizefan@huawei.com>, Rafal Krypa <r.krypa@samsung.com>,
linux-doc@vger.kernel.org, linux-api@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
containers@lists.linux-foundation.org,
Lukasz Pawelczyk <havner@gmail.com>
Subject: Re: [PATCH v2 0/7] Smack namespace
Date: Tue, 26 May 2015 12:34:16 -0400 [thread overview]
Message-ID: <5564A088.4040507@tycho.nsa.gov> (raw)
In-Reply-To: <1432657655.1974.21.camel@samsung.com>
On 05/26/2015 12:27 PM, Lukasz Pawelczyk wrote:
> Hi,
>
> Thanks for taking the interest and commenting on this.
> Replies below.
>
>
> On wto, 2015-05-26 at 10:35 -0400, Stephen Smalley wrote:
>> On 05/25/2015 08:32 AM, Lukasz Pawelczyk wrote:
>>> --- Design ideas ---
>>>
>>> "Smack namespace" is rather "Smack labels namespace" as not the whole
>>> MAC is namespaced, only the labels. There is a great analogy between
>>> Smack labels namespace and the user namespace part that remaps UIDs.
>>>
>>> The idea is to create a map of labels for a namespace so the namespace
>>> is only allowed to use those labels. Smack rules are always the same
>>> as in the init namespace (limited only by what labels are mapped) and
>>> cannot be manipulated from the child namespace. The map is actually
>>> only for labels' names. The underlying structures for labels remain
>>> the same. The filesystem also stores the "unmapped" labels from the
>>> init namespace.
>>
>> How do you achieve that without introducing additional hooks or
>> reworking the current hooks in the setxattr code path? At present, the
>> security module is allowed to rewrite getxattr requests on the
>> security.* namespace but it isn't allowed to do that for setxattr, so if
>> the process invokes setxattr with a mapped label, then it will be the
>> mapped label that gets passed to the filesystem implementation, not the
>> unmapped label. The security module may internally store it in unmapped
>> form and may even return that upon getxattr() calls, but if you then
>> reboot the system and later fetch from the filesystem, it will get the
>> mapped label value.
>
> I call the inode operation by hand in the post_setxattr.
>
> The label will effectively be set twice, which is not ideal, but there
> is no other option right now without reworking the hooks as you said.
>
> This shouldn't really be a problem because the Smack operations will not
> use the filesystem label (even when it's set incorrectly for a moment)
> but an already initialized smack_known structure for this inode that has
> all the values filled in properly.
>
> The only attack vector I can think of is hard rebooting the machine in a
> way that mapped label is really saved in the filesystem before the
> unmapped will have a chance. Should I be worried about that? This sounds
> a little unreal.
If it were my security module, I would be worried about it. Even aside
from maliciously induced failure, you are leaving yourself open to
inconsistencies arising upon crashes. I would suggest modifying the
setxattr hook so that the security module can override the original
value/size pair with its own definition before it is passed to the inode
operation. There is already precedent in that security modules are
allowed to override the value/size returned by getxattr for security.*,
so this just makes them fully parallel.
next prev parent reply other threads:[~2015-05-26 16:34 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-21 11:53 [PATCH 0/8] Smack namespace Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 1/8] kernel/exit.c: make sure current's nsproxy != NULL while checking caps Lukasz Pawelczyk
[not found] ` <1432209222-8479-2-git-send-email-l.pawelczyk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-05-23 17:49 ` Eric W. Biederman
2015-05-23 17:49 ` Eric W. Biederman
2015-05-23 17:49 ` Eric W. Biederman
[not found] ` <878ucf2nh4.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-25 11:33 ` Lukasz Pawelczyk
2015-05-25 11:33 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 5/8] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 6/8] smack: namespace groundwork Lukasz Pawelczyk
[not found] ` <1432209222-8479-1-git-send-email-l.pawelczyk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-05-21 11:53 ` [PATCH 1/8] kernel/exit.c: make sure current's nsproxy != NULL while checking caps Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 2/8] user_ns: 3 new hooks for LSM namespace operations Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 3/8] smack: extend capability functions and fix 2 checks Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 4/8] smack: abstraction layer for 2 common Smack operations Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 5/8] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 6/8] smack: namespace groundwork Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 7/8] smack: namespace implementation Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 8/8] smack: documentation for the Smack namespace Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-21 11:53 ` Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 0/7] " Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-21 11:53 ` [PATCH 7/8] smack: namespace implementation Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 0/7] Smack namespace Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 3/7] smack: abstraction layer for 2 common Smack operations Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 4/7] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
[not found] ` <1432557162-19123-1-git-send-email-l.pawelczyk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-05-25 12:32 ` [PATCH v2 1/7] user_ns: 3 new hooks for user namespace operations Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 2/7] smack: extend capability functions and fix 2 checks Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 3/7] smack: abstraction layer for 2 common Smack operations Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 4/7] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 5/7] smack: namespace groundwork Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 6/7] smack: namespace implementation Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` [PATCH v2 7/7] smack: documentation for the Smack namespace Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-25 12:32 ` Lukasz Pawelczyk
2015-05-26 14:35 ` [PATCH v2 0/7] " Stephen Smalley
2015-05-26 14:35 ` Stephen Smalley
2015-05-27 1:04 ` Casey Schaufler
2015-05-27 1:04 ` Casey Schaufler
2015-05-27 3:13 ` Eric W. Biederman
2015-05-27 3:13 ` Eric W. Biederman
2015-05-27 10:13 ` Lukasz Pawelczyk
2015-05-27 10:13 ` Lukasz Pawelczyk
[not found] ` <1432721610.1784.27.camel-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-05-27 15:12 ` Eric W. Biederman
2015-05-27 15:12 ` Eric W. Biederman
2015-05-27 15:12 ` Eric W. Biederman
2015-05-27 17:15 ` Lukasz Pawelczyk
2015-05-27 17:15 ` Lukasz Pawelczyk
[not found] ` <87vbfeqcke.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-27 17:15 ` Lukasz Pawelczyk
[not found] ` <87h9qyww4h.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-27 10:13 ` Lukasz Pawelczyk
2015-05-26 14:35 ` Stephen Smalley
2015-05-27 9:36 ` Lukasz Pawelczyk
2015-05-27 9:36 ` Lukasz Pawelczyk
2015-05-27 13:33 ` Stephen Smalley
2015-05-27 13:33 ` Stephen Smalley
[not found] ` <1432719372.1784.4.camel-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-05-27 13:33 ` Stephen Smalley
[not found] ` <556484BD.2060004-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2015-05-26 16:27 ` Lukasz Pawelczyk
2015-05-26 16:27 ` Lukasz Pawelczyk
2015-05-26 16:34 ` Stephen Smalley [this message]
2015-05-26 16:34 ` Stephen Smalley
[not found] ` <5564A088.4040507-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2015-05-26 16:42 ` Lukasz Pawelczyk
2015-05-26 16:42 ` Lukasz Pawelczyk
[not found] ` <1432657655.1974.21.camel-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-05-26 16:34 ` Stephen Smalley
2015-05-27 9:36 ` Lukasz Pawelczyk
2015-05-27 1:04 ` Casey Schaufler
2015-05-27 9:29 ` Lukasz Pawelczyk
2015-05-27 9:29 ` Lukasz Pawelczyk
[not found] ` <1432718944.1784.1.camel-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-05-27 13:05 ` Casey Schaufler
2015-05-27 13:05 ` Casey Schaufler
2015-05-27 13:05 ` Casey Schaufler
[not found] ` <55651823.10304-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2015-05-27 9:29 ` Lukasz Pawelczyk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5564A088.4040507@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=fabf@skynet.be \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=jg1.han@samsung.com \
--cc=jlayton@primarydata.com \
--cc=joe@perches.com \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=kirill@shutemov.name \
--cc=l.pawelczyk@samsung.com \
--cc=luto@amacapital.net \
--cc=mchehab@osg.samsung.com \
--cc=miklos@szeredi.hu \
--cc=oleg@redhat.com \
--cc=paul@pa \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.