selinux prevents msgrcv on restore message queues?

selinux prevents msgrcv on restore message queues?

[Nathan Lynch]

Hi,

With ckpt-v19-rc3 the test-mq.sh testcase in cr_tests fails when SELinux
is enabled on my test system (64-bit powerpc kernel).  The testcase
sleeps in do_msgrcv after restart and never wakes up.  When SELinux is
disabled, the messages are received and the testcase passes.

I've established that the messages are being restored during restart --
msgctl(IPC_STAT) shows one message in each queue before calling msgrcv.
Adding the IPC_NOWAIT flag to the msgrcv calls gets ENOMSG, however.

I managed to narrow this down to security_msg_queue_msgrcv ->
selinux_msg_queue_msgrcv.  avc_has_perm(SECCLASS_MSG, MSG__RECEIVE) gets
-EACCESS, so I guess something is going awry in selinux restore hooks?

Any ideas?


Thanks,
Nathan

Re: selinux prevents msgrcv on restore message queues?

[Serge E. Hallyn]

Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> Hi,
> 
> With ckpt-v19-rc3 the test-mq.sh testcase in cr_tests fails when SELinux
> is enabled on my test system (64-bit powerpc kernel).  The testcase
> sleeps in do_msgrcv after restart and never wakes up.  When SELinux is
> disabled, the messages are received and the testcase passes.
> 
> I've established that the messages are being restored during restart --
> msgctl(IPC_STAT) shows one message in each queue before calling msgrcv.
> Adding the IPC_NOWAIT flag to the msgrcv calls gets ENOMSG, however.
> 
> I managed to narrow this down to security_msg_queue_msgrcv ->
> selinux_msg_queue_msgrcv.  avc_has_perm(SECCLASS_MSG, MSG__RECEIVE) gets
> -EACCESS, so I guess something is going awry in selinux restore hooks?
> 
> Any ideas?

Hmm, wait.  security_msg_msg_alloc() is being called after
security_msg_msg_restore.  That may not be what is causing
your troubles, but it's certainly not right.

-serge

Re: selinux prevents msgrcv on restore message queues?

[Serge E. Hallyn]

Quoting Serge E. Hallyn (serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > Hi,
> > 
> > With ckpt-v19-rc3 the test-mq.sh testcase in cr_tests fails when SELinux
> > is enabled on my test system (64-bit powerpc kernel).  The testcase
> > sleeps in do_msgrcv after restart and never wakes up.  When SELinux is
> > disabled, the messages are received and the testcase passes.
> > 
> > I've established that the messages are being restored during restart --
> > msgctl(IPC_STAT) shows one message in each queue before calling msgrcv.
> > Adding the IPC_NOWAIT flag to the msgrcv calls gets ENOMSG, however.
> > 
> > I managed to narrow this down to security_msg_queue_msgrcv ->
> > selinux_msg_queue_msgrcv.  avc_has_perm(SECCLASS_MSG, MSG__RECEIVE) gets
> > -EACCESS, so I guess something is going awry in selinux restore hooks?
> > 
> > Any ideas?
> 
> Hmm, wait.  security_msg_msg_alloc() is being called after
> security_msg_msg_restore.  That may not be what is causing
> your troubles, but it's certainly not right.

Can you try the following patch?

Also, to actually restore the LSM labels you need to add -k to your
restart flags, but without the -k you should get a sane default
security label.

From 6609b9d71312c6641bdceaaa97bbbf2f809b6ade Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Date: Tue, 2 Mar 2010 13:13:36 -0600
Subject: [PATCH 1/1] always security_msg_alloc before security_msg_restore

Signed-off-by: Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
---
 ipc/checkpoint_msg.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/ipc/checkpoint_msg.c b/ipc/checkpoint_msg.c
index 0155c20..594580f 100644
--- a/ipc/checkpoint_msg.c
+++ b/ipc/checkpoint_msg.c
@@ -231,6 +231,12 @@ static struct msg_msg *restore_msg_contents_one(struct ckpt_ctx *ctx, int *clen)
 	msg->next = NULL;
 	pseg = &msg->next;
 
+	/* set default MAC attributes */
+	ret = security_msg_msg_alloc(msg);
+	if (ret < 0)
+		goto out;
+
+	/* if requested and allowed, reset checkpointed MAC attributes */
 	ret = security_restore_obj(ctx, (void *) msg, CKPT_SECURITY_MSG_MSG,
 				   h->sec_ref);
 	if (ret < 0)
@@ -261,7 +267,6 @@ static struct msg_msg *restore_msg_contents_one(struct ckpt_ctx *ctx, int *clen)
 	msg->m_type = h->m_type;
 	msg->m_ts = h->m_ts;
 	*clen = h->m_ts;
-	ret = security_msg_msg_alloc(msg);
  out:
 	if (ret < 0 && msg) {
 		free_msg(msg);
-- 
1.6.0.6

Re: selinux prevents msgrcv on restore message queues?

[Nathan Lynch]

On Tue, 2010-03-02 at 19:19 -0600, Serge E. Hallyn wrote:
> Quoting Serge E. Hallyn (serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > > Hi,
> > > 
> > > With ckpt-v19-rc3 the test-mq.sh testcase in cr_tests fails when SELinux
> > > is enabled on my test system (64-bit powerpc kernel).  The testcase
> > > sleeps in do_msgrcv after restart and never wakes up.  When SELinux is
> > > disabled, the messages are received and the testcase passes.
> > > 
> > > I've established that the messages are being restored during restart --
> > > msgctl(IPC_STAT) shows one message in each queue before calling msgrcv.
> > > Adding the IPC_NOWAIT flag to the msgrcv calls gets ENOMSG, however.
> > > 
> > > I managed to narrow this down to security_msg_queue_msgrcv ->
> > > selinux_msg_queue_msgrcv.  avc_has_perm(SECCLASS_MSG, MSG__RECEIVE) gets
> > > -EACCESS, so I guess something is going awry in selinux restore hooks?
> > > 
> > > Any ideas?
> > 
> > Hmm, wait.  security_msg_msg_alloc() is being called after
> > security_msg_msg_restore.  That may not be what is causing
> > your troubles, but it's certainly not right.
> 
> Can you try the following patch?
> 
> Also, to actually restore the LSM labels you need to add -k to your
> restart flags, but without the -k you should get a sane default
> security label.

Thanks, the ipc/mq tests pass with this patch and restart -k.  Without
-k the tests still fail in the same manner (msgrcv fails).  Is that the
behavior you'd expect?

Re: selinux prevents msgrcv on restore message queues?

[Serge E. Hallyn]

Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> On Tue, 2010-03-02 at 19:19 -0600, Serge E. Hallyn wrote:
> > Quoting Serge E. Hallyn (serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> > > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > > > Hi,
> > > > 
> > > > With ckpt-v19-rc3 the test-mq.sh testcase in cr_tests fails when SELinux
> > > > is enabled on my test system (64-bit powerpc kernel).  The testcase
> > > > sleeps in do_msgrcv after restart and never wakes up.  When SELinux is
> > > > disabled, the messages are received and the testcase passes.
> > > > 
> > > > I've established that the messages are being restored during restart --
> > > > msgctl(IPC_STAT) shows one message in each queue before calling msgrcv.
> > > > Adding the IPC_NOWAIT flag to the msgrcv calls gets ENOMSG, however.
> > > > 
> > > > I managed to narrow this down to security_msg_queue_msgrcv ->
> > > > selinux_msg_queue_msgrcv.  avc_has_perm(SECCLASS_MSG, MSG__RECEIVE) gets
> > > > -EACCESS, so I guess something is going awry in selinux restore hooks?
> > > > 
> > > > Any ideas?
> > > 
> > > Hmm, wait.  security_msg_msg_alloc() is being called after
> > > security_msg_msg_restore.  That may not be what is causing
> > > your troubles, but it's certainly not right.
> > 
> > Can you try the following patch?
> > 
> > Also, to actually restore the LSM labels you need to add -k to your
> > restart flags, but without the -k you should get a sane default
> > security label.
> 
> Thanks, the ipc/mq tests pass with this patch and restart -k.  Without
> -k the tests still fail in the same manner (msgrcv fails).  Is that the
> behavior you'd expect?

Not really - the test runs as unconfined_u right?  I'd expect the
msg to get created with the same type both when you just run the
original program and when you restart it.  If you just run the
checkpointed program and let it complete, doe sit also get a
denial at msgrcv?

-serge

Re: selinux prevents msgrcv on restore message queues?

[Nathan Lynch]

On Wed, 2010-03-03 at 13:49 -0600, Serge E. Hallyn wrote:
> Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > On Tue, 2010-03-02 at 19:19 -0600, Serge E. Hallyn wrote:
> > > Can you try the following patch?
> > > 
> > > Also, to actually restore the LSM labels you need to add -k to your
> > > restart flags, but without the -k you should get a sane default
> > > security label.
> > 
> > Thanks, the ipc/mq tests pass with this patch and restart -k.  Without
> > -k the tests still fail in the same manner (msgrcv fails).  Is that the
> > behavior you'd expect?
> 
> Not really - the test runs as unconfined_u right?

I added a ps -Z to test-mq.sh before thawing:

# PATH=/root/cr/user-cr.git:$PATH bash test-mq.sh 
Using output dir ./cr_mq_6T8KIG6
XXX Test 1: simple restart with SYSVIPC msq
check-mq: no process killed
../common.sh: line 45:  5173 Killed                  ( sleep $1; kill -s USR1 $$ )
LABEL                             PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4358 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5151 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5172 pts/1 00:00:00 nsexec
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5175 pts/1 00:00:00 sleep
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5178 pts/1 00:00:00 check-
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5183 pts/1 00:00:00 ps
PASS


>   I'd expect the
> msg to get created with the same type both when you just run the
> original program and when you restart it.  If you just run the
> checkpointed program and let it complete, doe sit also get a
> denial at msgrcv?

No, the msgrcv calls succeed if I alter the testcase to resume the
original process instead of killing and restarting it.

Re: selinux prevents msgrcv on restore message queues?

[Serge E. Hallyn]

Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> On Wed, 2010-03-03 at 13:49 -0600, Serge E. Hallyn wrote:
> > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > > On Tue, 2010-03-02 at 19:19 -0600, Serge E. Hallyn wrote:
> > > > Can you try the following patch?
> > > > 
> > > > Also, to actually restore the LSM labels you need to add -k to your
> > > > restart flags, but without the -k you should get a sane default
> > > > security label.
> > > 
> > > Thanks, the ipc/mq tests pass with this patch and restart -k.  Without
> > > -k the tests still fail in the same manner (msgrcv fails).  Is that the
> > > behavior you'd expect?
> > 
> > Not really - the test runs as unconfined_u right?
> 
> I added a ps -Z to test-mq.sh before thawing:
> 
> # PATH=/root/cr/user-cr.git:$PATH bash test-mq.sh 
> Using output dir ./cr_mq_6T8KIG6
> XXX Test 1: simple restart with SYSVIPC msq
> check-mq: no process killed
> ../common.sh: line 45:  5173 Killed                  ( sleep $1; kill -s USR1 $$ )
> LABEL                             PID TTY          TIME CMD
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4358 pts/1 00:00:00 bash
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5151 pts/1 00:00:00 bash
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5172 pts/1 00:00:00 nsexec
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5175 pts/1 00:00:00 sleep
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5178 pts/1 00:00:00 check-
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5183 pts/1 00:00:00 ps
> PASS

Can you try the following patch?

(this is on top of the last one - I'd sent)

The problem is that selinux does not assign a label to a msg_msg
until you do msgsnd.  So it may be best to special-case the
msg_msg object type and always have it restore the msgtype.  One
reason *NOT* to do that woudl be that the restarter might not have
msg_msg:restore permission...  But pls let me know if this patch
fixes your problem.

thanks,
-serge

From d20ab718b6ebe21a034801c461772e588b92432a Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Date: Wed, 3 Mar 2010 11:31:33 -0600
Subject: [PATCH 1/1] always restore msg_msg label

Signed-off-by: Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
---
 security/security.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/security/security.c b/security/security.c
index 28db976..2b147cf 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1524,7 +1524,9 @@ int security_restore_obj(struct ckpt_ctx *ctx, void *v, int sectype,
 
 	/* return if caller didn't want to restore checkpointed labels */
 	if (!(ctx->uflags & RESTART_KEEP_LSM))
-		return 0;
+		/* though msg_msg label must always be restored */
+		if (sectype != CKPT_SECURITY_MSG_MSG)
+			return 0;
 
 	l = ckpt_obj_fetch(ctx, secref, CKPT_OBJ_SECURITY);
 	if (IS_ERR(l))
-- 
1.6.0.6

Re: selinux prevents msgrcv on restore message queues?

[Nathan Lynch]

On Wed, 2010-03-03 at 17:44 -0600, Serge E. Hallyn wrote:
> Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > On Wed, 2010-03-03 at 13:49 -0600, Serge E. Hallyn wrote:
> > > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > > > On Tue, 2010-03-02 at 19:19 -0600, Serge E. Hallyn wrote:
> > > > > Can you try the following patch?
> > > > > 
> > > > > Also, to actually restore the LSM labels you need to add -k to your
> > > > > restart flags, but without the -k you should get a sane default
> > > > > security label.
> > > > 
> > > > Thanks, the ipc/mq tests pass with this patch and restart -k.  Without
> > > > -k the tests still fail in the same manner (msgrcv fails).  Is that the
> > > > behavior you'd expect?
> > > 
> > > Not really - the test runs as unconfined_u right?
> > 
> > I added a ps -Z to test-mq.sh before thawing:
> > 
> > # PATH=/root/cr/user-cr.git:$PATH bash test-mq.sh 
> > Using output dir ./cr_mq_6T8KIG6
> > XXX Test 1: simple restart with SYSVIPC msq
> > check-mq: no process killed
> > ../common.sh: line 45:  5173 Killed                  ( sleep $1; kill -s USR1 $$ )
> > LABEL                             PID TTY          TIME CMD
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4358 pts/1 00:00:00 bash
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5151 pts/1 00:00:00 bash
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5172 pts/1 00:00:00 nsexec
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5175 pts/1 00:00:00 sleep
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5178 pts/1 00:00:00 check-
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5183 pts/1 00:00:00 ps
> > PASS
> 
> Can you try the following patch?
> 
> (this is on top of the last one - I'd sent)
> 
> The problem is that selinux does not assign a label to a msg_msg
> until you do msgsnd.  So it may be best to special-case the
> msg_msg object type and always have it restore the msgtype.  One
> reason *NOT* to do that woudl be that the restarter might not have
> msg_msg:restore permission...  But pls let me know if this patch
> fixes your problem.

Yes, with both patches applied to ckpt-v19-dev
(261322990a4ed23c8475c232423845f998dd4f89) the tests pass with and
without the -k flag.

Re: selinux prevents msgrcv on restore message queues?

[Serge E. Hallyn]

Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> On Wed, 2010-03-03 at 17:44 -0600, Serge E. Hallyn wrote:
> > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > > On Wed, 2010-03-03 at 13:49 -0600, Serge E. Hallyn wrote:
> > > > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> > > > > On Tue, 2010-03-02 at 19:19 -0600, Serge E. Hallyn wrote:
> > > > > > Can you try the following patch?
> > > > > > 
> > > > > > Also, to actually restore the LSM labels you need to add -k to your
> > > > > > restart flags, but without the -k you should get a sane default
> > > > > > security label.
> > > > > 
> > > > > Thanks, the ipc/mq tests pass with this patch and restart -k.  Without
> > > > > -k the tests still fail in the same manner (msgrcv fails).  Is that the
> > > > > behavior you'd expect?
> > > > 
> > > > Not really - the test runs as unconfined_u right?
> > > 
> > > I added a ps -Z to test-mq.sh before thawing:
> > > 
> > > # PATH=/root/cr/user-cr.git:$PATH bash test-mq.sh 
> > > Using output dir ./cr_mq_6T8KIG6
> > > XXX Test 1: simple restart with SYSVIPC msq
> > > check-mq: no process killed
> > > ../common.sh: line 45:  5173 Killed                  ( sleep $1; kill -s USR1 $$ )
> > > LABEL                             PID TTY          TIME CMD
> > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4358 pts/1 00:00:00 bash
> > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5151 pts/1 00:00:00 bash
> > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5172 pts/1 00:00:00 nsexec
> > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5175 pts/1 00:00:00 sleep
> > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5178 pts/1 00:00:00 check-
> > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5183 pts/1 00:00:00 ps
> > > PASS
> > 
> > Can you try the following patch?
> > 
> > (this is on top of the last one - I'd sent)
> > 
> > The problem is that selinux does not assign a label to a msg_msg
> > until you do msgsnd.  So it may be best to special-case the
> > msg_msg object type and always have it restore the msgtype.  One
> > reason *NOT* to do that woudl be that the restarter might not have
> > msg_msg:restore permission...  But pls let me know if this patch
> > fixes your problem.
> 
> Yes, with both patches applied to ckpt-v19-dev
> (261322990a4ed23c8475c232423845f998dd4f89) the tests pass with and
> without the -k flag.

Cool.  The main alternative would be to rip the core of
ipc/msg.c:do_msgsnd() out and re-use that in place of the bulk of
restore_msg_contents_one().

Since a user can't specify a security context on an msg_msg (but
can on msgq) I think the end-result would be fine.  It's a lot more
work and may cause some other problems, but OTOH we'd be using one
code path for msgsnd and its restore which would be a win.

thanks,
-serge

Re: selinux prevents msgrcv on restore message queues?

[Serge E. Hallyn]

[
cc:ing SELinux and LSM lists bc this somewhat changes the
ipc msg_msg restore behavior - which was previously broken,
and now is hopefully merely dubious.  The original email
in this thread can be seen at
https://lists.linux-foundation.org/pipermail/containers/2010-March/023266.html
]

Quoting Serge E. Hallyn (serue@us.ibm.com):
> Quoting Nathan Lynch (ntl@pobox.com):
> > On Wed, 2010-03-03 at 17:44 -0600, Serge E. Hallyn wrote:
> > > Quoting Nathan Lynch (ntl@pobox.com):
> > > > On Wed, 2010-03-03 at 13:49 -0600, Serge E. Hallyn wrote:
> > > > > Quoting Nathan Lynch (ntl@pobox.com):
> > > > > > On Tue, 2010-03-02 at 19:19 -0600, Serge E. Hallyn wrote:
> > > > > > > Can you try the following patch?
> > > > > > > 
> > > > > > > Also, to actually restore the LSM labels you need to add -k to your
> > > > > > > restart flags, but without the -k you should get a sane default
> > > > > > > security label.
> > > > > > 
> > > > > > Thanks, the ipc/mq tests pass with this patch and restart -k.  Without
> > > > > > -k the tests still fail in the same manner (msgrcv fails).  Is that the
> > > > > > behavior you'd expect?
> > > > > 
> > > > > Not really - the test runs as unconfined_u right?
> > > > 
> > > > I added a ps -Z to test-mq.sh before thawing:
> > > > 
> > > > # PATH=/root/cr/user-cr.git:$PATH bash test-mq.sh 
> > > > Using output dir ./cr_mq_6T8KIG6
> > > > XXX Test 1: simple restart with SYSVIPC msq
> > > > check-mq: no process killed
> > > > ../common.sh: line 45:  5173 Killed                  ( sleep $1; kill -s USR1 $$ )
> > > > LABEL                             PID TTY          TIME CMD
> > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4358 pts/1 00:00:00 bash
> > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5151 pts/1 00:00:00 bash
> > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5172 pts/1 00:00:00 nsexec
> > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5175 pts/1 00:00:00 sleep
> > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5178 pts/1 00:00:00 check-
> > > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5183 pts/1 00:00:00 ps
> > > > PASS
> > > 
> > > Can you try the following patch?
> > > 
> > > (this is on top of the last one - I'd sent)
> > > 
> > > The problem is that selinux does not assign a label to a msg_msg
> > > until you do msgsnd.  So it may be best to special-case the
> > > msg_msg object type and always have it restore the msgtype.  One
> > > reason *NOT* to do that woudl be that the restarter might not have
> > > msg_msg:restore permission...  But pls let me know if this patch
> > > fixes your problem.
> > 
> > Yes, with both patches applied to ckpt-v19-dev
> > (261322990a4ed23c8475c232423845f998dd4f89) the tests pass with and
> > without the -k flag.
> 
> Cool.  The main alternative would be to rip the core of
> ipc/msg.c:do_msgsnd() out and re-use that in place of the bulk of
> restore_msg_contents_one().
> 
> Since a user can't specify a security context on an msg_msg (but
> can on msgq) I think the end-result would be fine.  It's a lot more

Except it wouldn't be fine, because SELinux chooses a label for the
new msg_msg based on both the task's and the queue's contexts.  And
we have no idea whether the task's context has changed since the
msg was sent.

Now, it seems like letting restart choose the labels may promote
bypassing of assured pipelines, but then you can't guarantee original
security guarantees anyway unless you have an assured pipeline
from checkpoint->restart, whether enforced through SELinux
policy or through TPM.  And if you have that, then the msg_msg
context can't be surruptitiously changed before restart.

So there is no ideal solution for SELinux, but always doing label
restore for msg_msg, with the requirement that the restarter be
allowed msg_msg:restore permission to the restored msg_msg type,
seems the best answer.

thanks,
-serge