SELinux and access(2), we want to know.

SELinux and access(2), we want to know.

[Eric Paris]

SELinux (and I assume all LSMs) have a bit of a problem with with the
access(2) call.  If a process calls access("/etc/shadow", R_OK) I claim
that we darn sure better return the same result that open("/etc/shadow",
O_RDONLY) would return.  I'm guessing noone is going to argue that
point.  Lets me also say this is only interesting if DAC allows a given
operation but MAC disallows it.  If DAC denies the request none of this
matters.

The only way to tell the right result for access() is for SELinux to
actually do the checks between (subject, file, read).  Again not a lot
of controversy here.

Lets say that the LSM does not allow read for the given subject
to /etc/shadow.  SELinux just denied an operation.  Today we log that a
process was just denied the ability to read /etc/shadow.  But the
process didn't actually try to read it.  If you surf with nautilus
to /etc it's going to call access() on everything to decide what kind of
little icons to put up there.  This could generate hundreds of SELinux
denials that nautilus tried to read everything in /etc.

What SELinux has to do today for programs like this is to not audit the
permission check (subject, file, read).  The problem here is that if the
program does act badly, and actually tries to read the file rather than
just call access() SELinux won't notify us, or report the denial in the
audit log.

I want/need a way for SELinux to know that a particular check can from
access() rather than from a truly misbehaving program.  That way I can
not send denial messages to the log if people just call access(2) but
will send a denial if the program does something illegal.  We had a long
discussion on the SELinux list about how we want to handle and log the
differences, but from the point of view of the VFS all that matters is
that we want to know when inode_permission is being called in access()
or from somewhere else.  The discussion was between not logging ANY
denials SELiunx causes from the access() call and being smarter about
only not logging those we really don't care about in a more fine grained
manor (I plan to go with fine grained version of not logging denials).
The philosophical question is really if there is (and I claim there is)
a difference between access() and open() and if we agree there is a
difference SELinux needs to know about it so logging those is different.

I propose 2 possible solutions.
1) a new VFS flag next to MAY_READ, MAY_WRITE and friends possibly
called "FROM_ACCESS" which we pass down to the LSM in faccessat during
the inode_permission call.

2) a new LSM hook.  security_inode_access_permission() which is called
from inode_permission() along with associated flags and such to
inode_permissions so the LSM knows where this call is coming from.

3) I've also heard it hinted that we could do this with audit by just
having audit drop the denials that include the access(2) syscall and the
scontext and tcontext for the slew of things the SELinux policy writers
know we are not interested in.  And while it seems good, now we have
SELinux 'policy' in places other than the policy, harder to distribute,
and it requires that everyone who turns on SELinux also turns on syscall
auditing with its associated overhead.

Obviously I think the right thing to decide if an LSM wants to send a
denial message or not is the LSM.  The only problem I have is that the
LSM doesn't know today when it is getting different types or requests
and so can't make that decision.

-Eric

Re: SELinux and access(2), we want to know.

[Serge E. Hallyn]

Quoting Eric Paris (eparis@redhat.com):
> 3) I've also heard it hinted that we could do this with audit by just
> having audit drop the denials that include the access(2) syscall and the
> scontext and tcontext for the slew of things the SELinux policy writers
> know we are not interested in.  And while it seems good, now we have

What is the difference whether an attacker does access(2) to check for
/etc/shadow rights, or does a failed open()?

Either you care that someone is poking around, or you don't.  Right?

> SELinux 'policy' in places other than the policy, harder to distribute,
> and it requires that everyone who turns on SELinux also turns on syscall
> auditing with its associated overhead.
> 
> Obviously I think the right thing to decide if an LSM wants to send a
> denial message or not is the LSM.  The only problem I have is that the
> LSM doesn't know today when it is getting different types or requests
> and so can't make that decision.

I think the problem is that you want to guess the intent, and you
can't do that.  Knowing that a process did access instead of open
really isn't sufficient.

-serge

Re: SELinux and access(2), we want to know.

[Eric Paris]

On Thu, 2009-05-07 at 14:57 -0500, Serge E. Hallyn wrote:
> Quoting Eric Paris (eparis@redhat.com):
> > 3) I've also heard it hinted that we could do this with audit by just
> > having audit drop the denials that include the access(2) syscall and the
> > scontext and tcontext for the slew of things the SELinux policy writers
> > know we are not interested in.  And while it seems good, now we have
> 
> What is the difference whether an attacker does access(2) to check for
> /etc/shadow rights, or does a failed open()?
> 
> Either you care that someone is poking around, or you don't.  Right?

No, sadly not true.  Sometimes people have a reason to poke....

> > SELinux 'policy' in places other than the policy, harder to distribute,
> > and it requires that everyone who turns on SELinux also turns on syscall
> > auditing with its associated overhead.
> > 
> > Obviously I think the right thing to decide if an LSM wants to send a
> > denial message or not is the LSM.  The only problem I have is that the
> > LSM doesn't know today when it is getting different types or requests
> > and so can't make that decision.
> 
> I think the problem is that you want to guess the intent, and you
> can't do that.  Knowing that a process did access instead of open
> really isn't sufficient.

That's absolutely true.  But, there are cases where we know that
applications are going to go things which selinux is going to deny and
we don't want to tell or warn the user, like for a long time pam would
try to directly open passwd/shadow if it could and would fall back to a
helper if it couldn't.  We wanted to force it to use the helper but we
didn't want tons of denials telling us it did something stupid.  It also
means that we wouldn't get the notification if it tried to do something
wrong, so it's a tradeoff.  Everyone in the SELinux community realizes
this.

In the case I'm describing our only choice is to stop auditing of ALL
attempts by the application to look at the file.  We know that the
application is going to be calling access() but we have to stop auditing
of both access and open, clearly you're not going to say this is a
better situation.

Your suggestion is the equivalent of knowing that your friend John might
look in your window to see if you are home but shouldn't ever try to
kick down the door.  In the current situation you can't tell the
difference between the window and the door so you won't call the police
even if John tries to kick down the door.  When in reality it would be a
lot better to not call the police if John looks in the window even
though you don't know his intent.  He might be looking in the window to
see if you are home and if not he'll try to kick down the door.  But
that situation of not knowing his intent and still not always calling
the policy is a heck of a lot better than NEVER calling the police.  And
I'm glad you see my side of the SELinux argument that this dontaudit
needs to be per domain, not global for all access calls, since knowing
John might look in the window has nothing to do with Jake and we
probably want to call the policy if he does either!

Often the right thing to do here is to fix the application to not
request things it doesn't need, but at least in the case of Nautilus it
needs to learn everything just so it can draw it's icons, not much we
can do about that example.

-Eric

Re: SELinux and access(2), we want to know.

[Serge E. Hallyn]

Quoting Eric Paris (eparis@redhat.com):

...

> Your suggestion is the equivalent of knowing that your friend John might
> look in your window to see if you are home but shouldn't ever try to
> kick down the door.  In the current situation you can't tell the
> difference between the window and the door so you won't call the police
> even if John tries to kick down the door.

I don't buy this analogy, unless there a side effect to a failed open()
which I'm not thinking of?

> When in reality it would be a
> lot better to not call the police if John looks in the window even
> though you don't know his intent.  He might be looking in the window to
> see if you are home and if not he'll try to kick down the door.  But
> that situation of not knowing his intent and still not always calling
> the policy is a heck of a lot better than NEVER calling the police.  And
> I'm glad you see my side of the SELinux argument that this dontaudit
> needs to be per domain, not global for all access calls, since knowing

Yes.  It should be distinguishable per domain (and it is, using
dontaudit, right?).  But I don't yet see any reason why it's worth
distinguishing between access() and open().

> John might look in the window has nothing to do with Jake and we
> probably want to call the policy if he does either!
> 
> Often the right thing to do here is to fix the application to not
> request things it doesn't need, but at least in the case of Nautilus it
> needs to learn everything just so it can draw it's icons, not much we
> can do about that example.

If policy lets Nautilus poke around all under /usr without auditing,
then it (and anyone who attacks it) gets to do that...  catching opens
and not accesses doesn't imo buy you anything.

-serge

Re: SELinux and access(2), we want to know.

[Casey Schaufler]

Serge E. Hallyn wrote:
> Quoting Eric Paris (eparis@redhat.com):
>   
>> 3) I've also heard it hinted that we could do this with audit by just
>> having audit drop the denials that include the access(2) syscall and the
>> scontext and tcontext for the slew of things the SELinux policy writers
>> know we are not interested in.  And while it seems good, now we have
>>     
>
> What is the difference whether an attacker does access(2) to check for
> /etc/shadow rights, or does a failed open()?
>   

I have been studiously ignoring the discussions on the SELinux list because
in the end it really doesn't matter, as Serge (appears to) point out here.
The access() system call was a major thorn in the side of the POSIX security
working group because its behavior is not really very rational. By design
it does not take into account read-only file systems, ACLs, MAC labels,
TOMOYO policy, or anything other than the mode bits. A successful return
from access() gives you no assurance whatever that if you actually try the
operation it will succeed. My recollection is that every version of
"trusted unix" written treats the system call the same way it would a
call to lstat(), because that's really all it is doing.

Re: SELinux and access(2), we want to know.

[Eamon Walsh]

Casey Schaufler wrote:
> Serge E. Hallyn wrote:
>   
>> Quoting Eric Paris (eparis@redhat.com):
>>   
>>     
>>> 3) I've also heard it hinted that we could do this with audit by just
>>> having audit drop the denials that include the access(2) syscall and the
>>> scontext and tcontext for the slew of things the SELinux policy writers
>>> know we are not interested in.  And while it seems good, now we have
>>>     
>>>       
>> What is the difference whether an attacker does access(2) to check for
>> /etc/shadow rights, or does a failed open()?
>>   
>>     
>
> I have been studiously ignoring the discussions on the SELinux list because
> in the end it really doesn't matter, as Serge (appears to) point out here.
> The access() system call was a major thorn in the side of the POSIX security
> working group because its behavior is not really very rational. By design
> it does not take into account read-only file systems, ACLs, MAC labels,
> TOMOYO policy, or anything other than the mode bits. A successful return
> from access() gives you no assurance whatever that if you actually try the
> operation it will succeed. My recollection is that every version of
> "trusted unix" written treats the system call the same way it would a
> call to lstat(), because that's really all it is doing.
>   

Serge, and the status quo, says access() == open(), not access() == lstat().

Eric's proposed change would be necessary to support access() ==
lstat(), even as an option.



-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

Re: SELinux and access(2), we want to know.

[Stephen Smalley]

On Thu, 2009-05-07 at 20:51 -0700, Casey Schaufler wrote:
> Serge E. Hallyn wrote:
> > Quoting Eric Paris (eparis@redhat.com):
> >   
> >> 3) I've also heard it hinted that we could do this with audit by just
> >> having audit drop the denials that include the access(2) syscall and the
> >> scontext and tcontext for the slew of things the SELinux policy writers
> >> know we are not interested in.  And while it seems good, now we have
> >>     
> >
> > What is the difference whether an attacker does access(2) to check for
> > /etc/shadow rights, or does a failed open()?
> >   
> 
> I have been studiously ignoring the discussions on the SELinux list because
> in the end it really doesn't matter, as Serge (appears to) point out here.
> The access() system call was a major thorn in the side of the POSIX security
> working group because its behavior is not really very rational. By design
> it does not take into account read-only file systems, ACLs, MAC labels,
> TOMOYO policy, or anything other than the mode bits. A successful return
> from access() gives you no assurance whatever that if you actually try the
> operation it will succeed. My recollection is that every version of
> "trusted unix" written treats the system call the same way it would a
> call to lstat(), because that's really all it is doing.

Casey, please go read the access(2) / faccessat(2) code in Linux and
then come back to the discussion.  It does in fact take into account all
of those things presently (and notes in a comment that SuS v2 requires
that it report a read-only fs).

-- 
Stephen Smalley
National Security Agency

Re: SELinux and access(2), we want to know.

[Daniel J Walsh]

On 05/08/2009 08:27 AM, Stephen Smalley wrote:
> On Thu, 2009-05-07 at 20:51 -0700, Casey Schaufler wrote:
>> Serge E. Hallyn wrote:
>>> Quoting Eric Paris (eparis@redhat.com):
>>>
>>>> 3) I've also heard it hinted that we could do this with audit by just
>>>> having audit drop the denials that include the access(2) syscall and the
>>>> scontext and tcontext for the slew of things the SELinux policy writers
>>>> know we are not interested in.  And while it seems good, now we have
>>>>
>>> What is the difference whether an attacker does access(2) to check for
>>> /etc/shadow rights, or does a failed open()?
>>>
>> I have been studiously ignoring the discussions on the SELinux list because
>> in the end it really doesn't matter, as Serge (appears to) point out here.
>> The access() system call was a major thorn in the side of the POSIX security
>> working group because its behavior is not really very rational. By design
>> it does not take into account read-only file systems, ACLs, MAC labels,
>> TOMOYO policy, or anything other than the mode bits. A successful return
>> from access() gives you no assurance whatever that if you actually try the
>> operation it will succeed. My recollection is that every version of
>> "trusted unix" written treats the system call the same way it would a
>> call to lstat(), because that's really all it is doing.
>
> Casey, please go read the access(2) / faccessat(2) code in Linux and
> then come back to the discussion.  It does in fact take into account all
> of those things presently (and notes in a comment that SuS v2 requires
> that it report a read-only fs).
>
Reality check.

The biggest reason for this is Nautilus and other GUI tools that open a 
directory and look at all of the files in the directory checking their 
access.  So running as staff_t and using nautilus on the /etc directory 
or /bin/directory generates hundreds of AVC indicating that staff_t 
tried to read/write/execute every program it is not allowed to execute.

Totally useless and gives the SELinux SUCKS crowd more ammunition. If 
the MLS people want to treat ACCESS==OPEN then we are going to have a 
big boolean/tunable flag for their paranoia.  For everyone else.  Lets 
try to figure out when an application is actually doing something evil.

Currently pam libraries and kerberos libraries run access checks that 
cause us to DONTAUDIT reads of /etc/shadow and WRITES of /etc/krb5.conf
To pretty critical Security files.  So any app that uses kerberos 
(getpw) call and every app that uses PAM Authentication can try to read 
/etc/shadow and write /etc/krb5.conf without us knowing.

Re: SELinux and access(2), we want to know.

[Stephen Smalley]

On Fri, 2009-05-08 at 08:27 -0400, Stephen Smalley wrote:
> On Thu, 2009-05-07 at 20:51 -0700, Casey Schaufler wrote:
> > Serge E. Hallyn wrote:
> > > Quoting Eric Paris (eparis@redhat.com):
> > >   
> > >> 3) I've also heard it hinted that we could do this with audit by just
> > >> having audit drop the denials that include the access(2) syscall and the
> > >> scontext and tcontext for the slew of things the SELinux policy writers
> > >> know we are not interested in.  And while it seems good, now we have
> > >>     
> > >
> > > What is the difference whether an attacker does access(2) to check for
> > > /etc/shadow rights, or does a failed open()?
> > >   
> > 
> > I have been studiously ignoring the discussions on the SELinux list because
> > in the end it really doesn't matter, as Serge (appears to) point out here.
> > The access() system call was a major thorn in the side of the POSIX security
> > working group because its behavior is not really very rational. By design
> > it does not take into account read-only file systems, ACLs, MAC labels,
> > TOMOYO policy, or anything other than the mode bits. A successful return
> > from access() gives you no assurance whatever that if you actually try the
> > operation it will succeed. My recollection is that every version of
> > "trusted unix" written treats the system call the same way it would a
> > call to lstat(), because that's really all it is doing.
> 
> Casey, please go read the access(2) / faccessat(2) code in Linux and
> then come back to the discussion.  It does in fact take into account all
> of those things presently (and notes in a comment that SuS v2 requires
> that it report a read-only fs).

...and it is precisely for this reason that programs like nautilus use
access(2) rather than lstat(2) in order to determine accessibility of
the files.  As do other things like the kerberos libraries.  So we can't
just change the behavior to fit your model of access(2) only checking
mode bits.

-- 
Stephen Smalley
National Security Agency

Re: SELinux and access(2), we want to know.

[Jamie Lokier]

Eric Paris wrote:
> If a process calls access("/etc/shadow", R_OK) I claim
> that we darn sure better return the same result that open("/etc/shadow",
> O_RDONLY) would return.  I'm guessing noone is going to argue that
> point.

This is actually wrong in general - and I see that several posters
have repeated it as if it's a fact.

Since the days prior to the new-fangled security models, access() is
supposed to calculate access for the _real_ user and group of the
process doing the access, whereas open() uses the _effective_ user and
group.

It is one of the things access() is useful for, in setuid/setgid programs.

It should be quite obvious that there are corresponding concepts in
modern security models, such as delegated authority, capabilities
etc. which possibly ought to apply to access(), and which possibly
affect how it's audited.

-- Jamie

Re: SELinux and access(2), we want to know.

[Stephen Smalley]

On Thu, 2009-05-07 at 15:18 -0400, Eric Paris wrote:
> SELinux (and I assume all LSMs) have a bit of a problem with with the
> access(2) call.  If a process calls access("/etc/shadow", R_OK) I claim
> that we darn sure better return the same result that open("/etc/shadow",
> O_RDONLY) would return.  I'm guessing noone is going to argue that
> point.  Lets me also say this is only interesting if DAC allows a given
> operation but MAC disallows it.  If DAC denies the request none of this
> matters.
> 
> The only way to tell the right result for access() is for SELinux to
> actually do the checks between (subject, file, read).  Again not a lot
> of controversy here.
> 
> Lets say that the LSM does not allow read for the given subject
> to /etc/shadow.  SELinux just denied an operation.  Today we log that a
> process was just denied the ability to read /etc/shadow.  But the
> process didn't actually try to read it.  If you surf with nautilus
> to /etc it's going to call access() on everything to decide what kind of
> little icons to put up there.  This could generate hundreds of SELinux
> denials that nautilus tried to read everything in /etc.
> 
> What SELinux has to do today for programs like this is to not audit the
> permission check (subject, file, read).  The problem here is that if the
> program does act badly, and actually tries to read the file rather than
> just call access() SELinux won't notify us, or report the denial in the
> audit log.
> 
> I want/need a way for SELinux to know that a particular check can from
> access() rather than from a truly misbehaving program.  That way I can
> not send denial messages to the log if people just call access(2) but
> will send a denial if the program does something illegal.  We had a long
> discussion on the SELinux list about how we want to handle and log the
> differences, but from the point of view of the VFS all that matters is
> that we want to know when inode_permission is being called in access()
> or from somewhere else.  The discussion was between not logging ANY
> denials SELiunx causes from the access() call and being smarter about
> only not logging those we really don't care about in a more fine grained
> manor (I plan to go with fine grained version of not logging denials).
> The philosophical question is really if there is (and I claim there is)
> a difference between access() and open() and if we agree there is a
> difference SELinux needs to know about it so logging those is different.
> 
> I propose 2 possible solutions.
> 1) a new VFS flag next to MAY_READ, MAY_WRITE and friends possibly
> called "FROM_ACCESS" which we pass down to the LSM in faccessat during
> the inode_permission call.

This seems to be the simplest approach, and I don't see any downside to
it.  Just requires adding the flag, passing it down through
inode_permission and to security_inode_permission, and then updating the
Smack and SELinux hook functions to handle it properly.  Then Casey can
even ignore requests from access(2) if he wants in Smack and have it
only return the DAC result if that is his preference...

> 2) a new LSM hook.  security_inode_access_permission() which is called
> from inode_permission() along with associated flags and such to
> inode_permissions so the LSM knows where this call is coming from.
> 
> 3) I've also heard it hinted that we could do this with audit by just
> having audit drop the denials that include the access(2) syscall and the
> scontext and tcontext for the slew of things the SELinux policy writers
> know we are not interested in.  And while it seems good, now we have
> SELinux 'policy' in places other than the policy, harder to distribute,
> and it requires that everyone who turns on SELinux also turns on syscall
> auditing with its associated overhead.
> 
> Obviously I think the right thing to decide if an LSM wants to send a
> denial message or not is the LSM.  The only problem I have is that the
> LSM doesn't know today when it is getting different types or requests
> and so can't make that decision.
> 
> -Eric
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-- 
Stephen Smalley
National Security Agency

Re: SELinux and access(2), we want to know.

[Serge E. Hallyn]

Quoting Daniel J Walsh (dwalsh@redhat.com):
> Totally useless and gives the SELinux SUCKS crowd more ammunition. If  
> the MLS people want to treat ACCESS==OPEN then we are going to have a  
> big boolean/tunable flag for their paranoia.  For everyone else.  Lets  
> try to figure out when an application is actually doing something evil.

I'm really not here to be difficult, but if you believe that a failed
open is a problem bc an attacker can poke around the fs, and you believe
that nautilus can be hacked, then ignoring access just doesn't make
sense.  The fact that users are being inconvenienced doesn't change
that.

Jamie's point (obscured in code because it is implemented through
the use of fsuid) that for DAC purposes access and open use different
creds, is useful.  I can buy that audit should spit out a slightly
different message to show that MAC failed on real cred attempt
instead of subj...  (Even though the values of uid, euid, and fsuid
in the audit msg should make that clear).

So in that case, given how the code is structured currently in
fs/{open,namei}.c and through inode_permission, an extra flag
which selinux simply uses to judge which audit msg (if any) to
spit out seems the simplest way to do it.

-serge

Re: SELinux and access(2), we want to know.

[Casey Schaufler]

Daniel J Walsh wrote:
> On 05/08/2009 08:27 AM, Stephen Smalley wrote:
>> On Thu, 2009-05-07 at 20:51 -0700, Casey Schaufler wrote:
>>> Serge E. Hallyn wrote:
>>>> Quoting Eric Paris (eparis@redhat.com):
>>>>
>>>>> 3) I've also heard it hinted that we could do this with audit by just
>>>>> having audit drop the denials that include the access(2) syscall
>>>>> and the
>>>>> scontext and tcontext for the slew of things the SELinux policy
>>>>> writers
>>>>> know we are not interested in.  And while it seems good, now we have
>>>>>
>>>> What is the difference whether an attacker does access(2) to check for
>>>> /etc/shadow rights, or does a failed open()?
>>>>
>>> I have been studiously ignoring the discussions on the SELinux list
>>> because
>>> in the end it really doesn't matter, as Serge (appears to) point out
>>> here.
>>> The access() system call was a major thorn in the side of the POSIX
>>> security
>>> working group because its behavior is not really very rational. By
>>> design
>>> it does not take into account read-only file systems, ACLs, MAC labels,
>>> TOMOYO policy, or anything other than the mode bits. A successful
>>> return
>>> from access() gives you no assurance whatever that if you actually
>>> try the
>>> operation it will succeed. My recollection is that every version of
>>> "trusted unix" written treats the system call the same way it would a
>>> call to lstat(), because that's really all it is doing.
>>
>> Casey, please go read the access(2) / faccessat(2) code in Linux and
>> then come back to the discussion.  It does in fact take into account all
>> of those things presently (and notes in a comment that SuS v2 requires
>> that it report a read-only fs).

I stand humbly corrected. My years of experience have gotten
in the way of reality yet again.

>>
> Reality check.
>
> The biggest reason for this is Nautilus and other GUI tools that open
> a directory and look at all of the files in the directory checking
> their access.  So running as staff_t and using nautilus on the /etc
> directory or /bin/directory generates hundreds of AVC indicating that
> staff_t tried to read/write/execute every program it is not allowed to
> execute.
>
> Totally useless and gives the SELinux SUCKS crowd more ammunition.

Not to mention that a call to access() does not open the file. It
reports on the state of attributes of the file relative to the
attributes of a process. No access to the data is made available
via access() as is the case with open().

> If the MLS people want to treat ACCESS==OPEN then we are going to have
> a big boolean/tunable flag for their paranoia.  For everyone else. 
> Lets try to figure out when an application is actually doing something
> evil.

Treating access() the same as open() is wrong. Maybe that's what you
want in the SELinux policy, but it sure isn't consistent with the way
the file system works. Attribute accesses are different from data
accesses.

>
> Currently pam libraries and kerberos libraries run access checks that
> cause us to DONTAUDIT reads of /etc/shadow and WRITES of /etc/krb5.conf
> To pretty critical Security files.  So any app that uses kerberos
> (getpw) call and every app that uses PAM Authentication can try to
> read /etc/shadow and write /etc/krb5.conf without us knowing.
>
>
>