From: Simon McVittie <smcv@collabora.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
keescook@chromium.org, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs
Date: Thu, 19 Dec 2019 12:19:39 +0000 [thread overview]
Message-ID: <20191219121939.GA1291250@horizon> (raw)
In-Reply-To: <a522de22-ba62-a24d-24f7-b69418e7ec0b@tycho.nsa.gov>
On Wed, 18 Dec 2019 at 15:50:45 -0500, Stephen Smalley wrote:
> Ok, this seems to be a lack of support in AppArmor for saving the peer info
> for unix/local domain sockets, so not your bug. Doesn't implement the
> necessary hooks.
Ubuntu kernels have working getsockopt SO_PEERSEC for AppArmor (which
definitely works for D-Bus, or did when I tried it in the past), but it
seems to be a downstream patch.
Is there a combination of LSMs where this works correctly and shows
multiple LSMs' labels, either upstream or with downstream patches? D-Bus
ought to be an early consumer of this information, but that's going to
be difficult if there's nowhere I can test it. If there was a pair of
in-tree or out-of-tree test LSMs that automatically labelled process
12345 and all sockets that it created with something like (pseudocode)
{
"labeltest1": "labeltest1process12345",
"labeltest2": "labeltest2process12345"
}
then that would make testing straightforward.
From my user-space developer perspective, I'd really like the kernel
to have at least brief documentation of the assumptions that can be
made about the compound format, to avoid people like me having to
ask the linux-security-module mailing list and use the answers as our
documentation:
- Can I assume that the LSM names (conceptually, keys in the associative
array) are printable ASCII? If not, can I at least assume that they are
printable UTF-8, or that LSMs whose names are not printable UTF-8 are
too weird to be worth supporting in user-space APIs?
If this decision hasn't been made yet, I would like to request ASCII,
or UTF-8 if a wider character repertoire is desired - that would make
user-space APIs a lot easier to write.
- What can I assume about the format of the labels (values in the
associative array)?
From previous conversations on linux-security-module it seems the
answer is: they are intended to be printable strings; their encoding
is unspecified (could be ASCII or UTF-8, but equally could be Latin-1
or anything else); there are no reserved or disallowed characters
except '\0'; individual LSMs like SELinux and AppArmor might impose
tighter restrictions, but LSM-agnostic code can't assume those
restrictions are present.
Even if the format is conceptually an unspecified encoding with every
nonzero byte allowed, if LSM and security policy authors establish a
convention that the labels are ASCII or UTF-8 without control characters
such as newlines, that would make user-space a lot easier to deal with.
- Can I assume that the names and labels in /proc/$pid/attr/context
correspond exactly (same label <=> same bytes) to the ones in
SO_PEERCONTEXT?
In particular, a design issue in the previous interfaces with
/proc/$pid/attr/current and SO_PEERSEC was that AppArmor puts
"unconfined\n" in /proc/$pid/attr/current, but "unconfined\0" in
SO_PEERSEC, and implementations of protocols like D-Bus can't know
that these are meant to be the same without LSM-specific knowledge
(namely "AppArmor profile names can't contain newlines").
If this new API is an opportunity to declare that LSMs are expected
to put the same canonical form of a label in /proc/$pid/attr/context and
SO_PEERCONTEXT, possibly with a non-canonical version (adding '\n' or
'\0' or similar) exposed in the older /proc/$pid/attr/current and
SO_PEERSEC interfaces for backwards compatibility, then that would make
life a lot easier for user-space developers like me.
- Does the order of the names and values matter? Can I assume anything
about them?
It would make the D-Bus API more straightforward if I can assume that
the order doesn't matter, and represent it as an unordered map
(associative array), like a Perl hash or Python dict.
I'm asking all this from the D-Bus perspective, but anything that
wants to store or forward LSM contexts in an LSM-agnostic way will
have essentially the same requirements - I could imagine X11, Wayland,
varlink etc. hitting the same problems D-Bus did.
Thanks,
smcv
next prev parent reply other threads:[~2019-12-19 12:20 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20191216223621.5127-1-casey.ref@schaufler-ca.com>
2019-12-16 22:35 ` [PATCH v12 00/25] LSM: Module stacking for AppArmor Casey Schaufler
2019-12-16 22:35 ` [PATCH v12 01/25] LSM: Infrastructure management of the sock security Casey Schaufler
2019-12-17 17:23 ` Stephen Smalley
2019-12-16 22:35 ` [PATCH v12 02/25] LSM: Create and manage the lsmblob data structure Casey Schaufler
2019-12-17 17:30 ` Stephen Smalley
2019-12-19 21:11 ` Mimi Zohar
2019-12-19 21:44 ` Casey Schaufler
2019-12-16 22:35 ` [PATCH v12 03/25] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2019-12-17 17:34 ` Stephen Smalley
2019-12-17 22:01 ` Casey Schaufler
2019-12-17 23:47 ` Kees Cook
2019-12-18 0:28 ` Casey Schaufler
2019-12-18 13:16 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 04/25] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2019-12-17 17:37 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 05/25] net: Prepare UDS for security module stacking Casey Schaufler
2019-12-17 17:41 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 06/25] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2019-12-17 17:51 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 07/25] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2019-12-17 18:01 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 08/25] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2019-12-17 18:02 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid Casey Schaufler
2019-12-17 18:11 ` Stephen Smalley
2019-12-17 18:26 ` Casey Schaufler
2019-12-16 22:36 ` [PATCH v12 10/25] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2019-12-17 18:13 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 11/25] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2019-12-17 18:23 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 12/25] IMA: Change internal interfaces to use lsmblobs Casey Schaufler
2019-12-17 18:26 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 13/25] LSM: Specify which LSM to display Casey Schaufler
2019-12-18 15:17 ` Stephen Smalley
2019-12-18 16:32 ` Casey Schaufler
2019-12-16 22:36 ` [PATCH v12 14/25] LSM: Ensure the correct LSM context releaser Casey Schaufler
2019-12-18 15:53 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 15/25] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2019-12-18 16:06 ` Stephen Smalley
2019-12-18 19:33 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 16/25] LSM: Use lsmcontext in security_dentry_init_security Casey Schaufler
2019-12-18 16:16 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 17/25] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2019-12-18 17:02 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 18/25] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2019-12-18 17:10 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 19/25] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2019-12-18 17:41 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 20/25] LSM: Verify LSM display sanity in binder Casey Schaufler
2019-12-18 17:43 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 21/25] Audit: Add subj_LSM fields when necessary Casey Schaufler
2019-12-18 17:55 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 22/25] Audit: Include object data for all security modules Casey Schaufler
2019-12-18 18:02 ` Stephen Smalley
2019-12-16 22:36 ` [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs Casey Schaufler
2019-12-18 18:28 ` Stephen Smalley
2019-12-18 19:12 ` Stephen Smalley
2019-12-18 20:50 ` Stephen Smalley
2019-12-19 12:19 ` Simon McVittie [this message]
2019-12-19 13:47 ` Stephen Smalley
2019-12-19 15:00 ` Stephen Smalley
2019-12-19 16:48 ` Simon McVittie
2019-12-19 17:02 ` Stephen Smalley
2019-12-19 19:27 ` John Johansen
2019-12-19 20:51 ` Casey Schaufler
2019-12-19 21:41 ` John Johansen
2019-12-19 19:21 ` John Johansen
2019-12-16 22:36 ` [PATCH v12 24/25] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2019-12-16 22:36 ` [PATCH v12 25/25] AppArmor: Remove the exclusive flag Casey Schaufler
2019-12-24 23:18 [PATCH v12 00/25] LSM: Module stacking for AppArmor Casey Schaufler
2019-12-24 23:19 ` [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191219121939.GA1291250@horizon \
--to=smcv@collabora.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox