From: Daniel Burgener <dburgener@linux.microsoft.com>
To: Paul Moore <paul@paul-moore.com>, Miklos Szeredi <mszeredi@redhat.com>
Cc: linux-fsdevel@vger.kernel.org,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Amir Goldstein <amir73il@gmail.com>, Karel Zak <kzak@redhat.com>,
Lennart Poettering <lennart@poettering.net>,
Ian Kent <raven@themaw.net>, Al Viro <viro@zeniv.linux.org.uk>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v4 2/4] fanotify: notify on mount attach and detach
Date: Tue, 28 Jan 2025 13:11:11 -0500 [thread overview]
Message-ID: <e530f146-6412-4287-85ad-9e459f462797@linux.microsoft.com> (raw)
In-Reply-To: <CAHC9VhRzRqhXxcrv3ROChToFf4xX2Tdo--q-eMAc=KcUb=xb_w@mail.gmail.com>
> If I understand the commit description correctly,
> security_path_notify(path, mask, FSNOTIFY_OBJ_TYPE_MNTNS) indicates a
> change in the mount namespace indicated by the @path parameter, with
> the initial mntns changes being limited to attach/detach and possibly
> some other attributes (see patch 4/4), although the latter looks like
> it will probably happen at a later date.
>
> My initial thinking is that if we limit ourselves to existing SELinux
> policy permissions, this is much more of FILE__WATCH_MOUNT operation
> rather than a FILE__WATCH operation as while the /proc/PID/ns/mnt file
> specified in @path is simply a file, it represents much more than
> that. However, it we want to consider adding a new SELinux policy
> permission (which is easy to do), we may want to consider adding a new
> mount namespace specific permission, e.g. FILE__WATCH_MOUNTNS, this
> would make it easier for policy developers to distinguish between
> watching a traditional mount point and a mount namespace (although
> given the common approaches to labeling this may not be very
> significant). I'd personally like to hear from the SELinux policy
> folks on this (the SELinux reference policy has also been CC'd).
>
> If we reuse the file/watch_mount permission the policy rule would look
> something like below where <subject> is the SELinux domain of the
> process making the change, and <mntns_label> is the label of the
> /proc/PID/ns/mnt file:
>
> allow <subject> <mntns_label>:file { watch_mount };
>
> If we add a new file/watch_mountns permission the policy rule would
> look like this:
>
> allow <subject> <mntns_label>:file { watch_mountns };
>
I've gone back and forth on this a few times. If I understand it
correctly, I think we might really want to have a new permission here,
which is sad, because in my humble opinion, the watch_* permissions are
already more complicated than I like.
"watch" does seem to be the wrong thing because this grants more than
just changes to the specific file. However, "watch_mount" is a very
highly privileged operation. Allowing watch on all reads and writes in
the whole file hierarchy from a mount point is a substantial amount of
access, and seems quite a bit more substantial than just watching new
mounts being attached and detached (and similar) within a given mount
namespace.
FWIW I do think the assumption that different labeling between /proc/pid
files and mountpoints generally does make this not a problem in
practice. But in my opinion overloading watch_mount for this case seems
different from the existing watch_mount permission to warrant not doing
it. Particularly with watch_mount being such a privileged operation.
-Daniel
next prev parent reply other threads:[~2025-01-28 18:11 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-23 19:41 [PATCH v4 0/4] mount notification Miklos Szeredi
2025-01-23 19:41 ` [PATCH v4 1/4] fsnotify: add mount notification infrastructure Miklos Szeredi
2025-01-23 19:41 ` [PATCH v4 2/4] fanotify: notify on mount attach and detach Miklos Szeredi
2025-01-24 19:38 ` Paul Moore
2025-01-25 1:09 ` Russell Coker
2025-01-28 12:42 ` Miklos Szeredi
2025-01-28 13:37 ` Miklos Szeredi
2025-01-28 18:11 ` Daniel Burgener [this message]
2025-01-23 19:41 ` [PATCH v4 3/4] vfs: add notifications for " Miklos Szeredi
2025-01-23 19:41 ` [PATCH v4 4/4] vfs: add notifications for mount attribute change Miklos Szeredi
2025-01-24 9:09 ` Amir Goldstein
2025-01-24 15:38 ` Christian Brauner
2025-01-24 15:49 ` Miklos Szeredi
2025-01-25 9:22 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e530f146-6412-4287-85ad-9e459f462797@linux.microsoft.com \
--to=dburgener@linux.microsoft.com \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=kzak@redhat.com \
--cc=lennart@poettering.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=paul@paul-moore.com \
--cc=raven@themaw.net \
--cc=selinux-refpolicy@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).