Re: Fw: [PATCH] proc: Update inode upon changing task security attribute

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serge@hallyn.com>
To: Munehisa Kamata <kamatam@amazon.com>
Cc: serge@hallyn.com, adobriyan@gmail.com, akpm@linux-foundation.org,
	casey@schaufler-ca.com, linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, paul@paul-moore.com
Subject: Re: Fw: [PATCH] proc: Update inode upon changing task security attribute
Date: Mon, 11 Dec 2023 13:49:37 -0600	[thread overview]
Message-ID: <20231211194937.GA323128@mail.hallyn.com> (raw)
In-Reply-To: <20231211192723.28230-1-kamatam@amazon.com>

On Mon, Dec 11, 2023 at 07:27:23PM +0000, Munehisa Kamata wrote:
> On Sun, 2023-12-10 06:45:30 -0800, "Serge E. Hallyn" wrote:
> >
> > On Sat, Dec 09, 2023 at 01:10:42AM +0000, Munehisa Kamata wrote:
> > > On Sat, 2023-12-09 00:24:42 +0000, Casey Schaufler wrote:
> > > >
> > > > On 12/8/2023 3:32 PM, Paul Moore wrote:
> > > > > On Fri, Dec 8, 2023 at 6:21 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> > > > >> On 12/8/2023 2:43 PM, Paul Moore wrote:
> > > > >>> On Thu, Dec 7, 2023 at 9:14 PM Munehisa Kamata <kamatam@amazon.com> wrote:
> > > > >>>> On Tue, 2023-12-05 14:21:51 -0800, Paul Moore wrote:
> > > > >>> ..
> > > > >>>
> > > > >>>>> I think my thoughts are neatly summarized by Andrew's "yuk!" comment
> > > > >>>>> at the top.  However, before we go too much further on this, can we
> > > > >>>>> get clarification that Casey was able to reproduce this on a stock
> > > > >>>>> upstream kernel?  Last I read in the other thread Casey wasn't seeing
> > > > >>>>> this problem on Linux v6.5.
> > > > >>>>>
> > > > >>>>> However, for the moment I'm going to assume this is a real problem, is
> > > > >>>>> there some reason why the existing pid_revalidate() code is not being
> > > > >>>>> called in the bind mount case?  From what I can see in the original
> > > > >>>>> problem report, the path walk seems to work okay when the file is
> > > > >>>>> accessed directly from /proc, but fails when done on the bind mount.
> > > > >>>>> Is there some problem with revalidating dentrys on bind mounts?
> > > > >>>> Hi Paul,
> > > > >>>>
> > > > >>>> https://lkml.kernel.org/linux-fsdevel/20090608201745.GO8633@ZenIV.linux.org.uk/
> > > > >>>>
> > > > >>>> After reading this thread, I have doubt about solving this in VFS.
> > > > >>>> Honestly, however, I'm not sure if it's entirely relevant today.
> > > > >>> Have you tried simply mounting proc a second time instead of using a bind mount?
> > > > >>>
> > > > >>>  % mount -t proc non /new/location/for/proc
> > > > >>>
> > > > >>> I ask because from your description it appears that proc does the
> > > > >>> right thing with respect to revalidation, it only becomes an issue
> > > > >>> when accessing proc through a bind mount.  Or did I misunderstand the
> > > > >>> problem?
> > > > >> It's not hard to make the problem go away by performing some simple
> > > > >> action. I was unable to reproduce the problem initially because I
> > > > >> checked the Smack label on the bind mounted proc entry before doing
> > > > >> the cat of it. The problem shows up if nothing happens to update the
> > > > >> inode.
> > > > > A good point.
> > > > >
> > > > > I'm kinda thinking we just leave things as-is, especially since the
> > > > > proposed fix isn't something anyone is really excited about.
> > > > 
> > > > "We have to compromise the performance of our sandboxing tool because of
> > > > a kernel bug that's known and for which a fix is available."
> > > > 
> > > > If this were just a curiosity that wasn't affecting real development I
> > > > might agree. But we've got a real world problem, and I don't see ignoring
> > > > it as a good approach. I can't see maintainers of other LSMs thinking so
> > > > if this were interfering with their users.
> > >  
> > > We do bind mount to make information exposed to the sandboxed task as little
> > > as possible. We also create a separate PID namespace for each sandbox, but
> > 
> > If not exposing information is the main motivation, then could you simply do:
> > 
> > mount -t proc proc dir
> > mount --bind dir/$$ dir
> > 
> > ?
> 
> Hi Serge,
> 
> It doesn't work.
> 
>  [root@ip-10-0-32-198 ec2-user]# mount -t proc proc dir
>  [root@ip-10-0-32-198 ec2-user]# echo AAA > dir/$$/attr/current
>  [root@ip-10-0-32-198 ec2-user]# chsmack dir/$$
>  dir/11222 access="AAA"
>  [root@ip-10-0-32-198 ec2-user]# mount --bind dir/$$ dir
>  [root@ip-10-0-32-198 ec2-user]# echo BBB > dir/attr/current
>  [root@ip-10-0-32-198 ec2-user]# echo CCC > dir/attr/current
>  bash: dir/attr/current: Permission denied
>  [root@ip-10-0-32-198 ec2-user]# ls dir
>  ls: cannot access dir: Permission denied
>  [root@ip-10-0-32-198 ec2-user]# 
>  
> It would not revalidate dir/$$ anyway, so this result wasn't surprising to
> me. Maybe I'm missing something?

I see.  Yeah, that's an ugly wart.

> > > still want to bind mount even with it to hide system-wide and pid 1
> > > information from the task. 
> > > 
> > > So, yeah, I see this as a real problem for our use case and want to seek an
> > > opinion about a possibly better fix.
> > > 
> > > 
> > > Thanks,
> > > Munehisa 
> >

next prev parent reply	other threads:[~2023-12-11 19:49 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20231129171122.0171313079ea3afa84762d90@linux-foundation.org>
2023-12-01  9:30 ` Fw: [PATCH] proc: Update inode upon changing task security attribute Alexey Dobriyan
2023-12-01 20:59   ` Munehisa Kamata
2023-12-01 21:42     ` Casey Schaufler
2023-12-05 22:21     ` Paul Moore
2023-12-05 22:31       ` Casey Schaufler
2023-12-08  2:14       ` Munehisa Kamata
2023-12-08 22:43         ` Paul Moore
2023-12-08 23:21           ` Casey Schaufler
2023-12-08 23:32             ` Paul Moore
2023-12-09  0:24               ` Casey Schaufler
2023-12-09  1:10                 ` Munehisa Kamata
2023-12-09 18:10                   ` Paul Moore
2023-12-09 21:17                     ` Munehisa Kamata
2023-12-10 21:52                       ` Paul Moore
2023-12-10 14:45                   ` Serge E. Hallyn
2023-12-11 19:27                     ` Munehisa Kamata
2023-12-11 19:49                       ` Serge E. Hallyn [this message]
2023-12-09 18:08                 ` Paul Moore
2023-12-09 18:35                   ` Casey Schaufler
2023-12-09 22:44                     ` Munehisa Kamata
2023-12-10 21:45                     ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231211194937.GA323128@mail.hallyn.com \
    --to=serge@hallyn.com \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=casey@schaufler-ca.com \
    --cc=kamatam@amazon.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).