* [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized
@ 2023-10-18 10:08 David Disseldorp
2023-10-20 12:21 ` Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: David Disseldorp @ 2023-10-18 10:08 UTC (permalink / raw)
To: selinux; +Cc: linux-unionfs, David Disseldorp
Extended attribute copy-up functionality added via 19472b69d639d
("selinux: Implementation for inode_copy_up_xattr() hook") sees
"security.selinux" contexts dropped, instead relying on contexts
applied via the inode_copy_up() hook.
When copy-up takes place during early boot, prior to selinux
initialization / policy load, the context stripping can be unwanted
and unexpected. Make filtering dependent on selinux_initialized().
RFC: This changes user behaviour so is likely unacceptable. Still,
I'd be interested in hearing other suggestions for how this could be
addressed.
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2aa0e219d7217..fb3e53bb7e90c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3527,7 +3527,7 @@ static int selinux_inode_copy_up_xattr(const char *name)
* don't then want to overwrite it by blindly copying all the lower
* xattrs up. Instead, we have to filter out SELinux-related xattrs.
*/
- if (strcmp(name, XATTR_NAME_SELINUX) == 0)
+ if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0)
return 1; /* Discard */
/*
* Any other attribute apart from SELINUX is not claimed, supported
--
2.35.3
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized 2023-10-18 10:08 [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized David Disseldorp @ 2023-10-20 12:21 ` Stephen Smalley 2023-10-20 15:55 ` Paul Moore 0 siblings, 1 reply; 5+ messages in thread From: Stephen Smalley @ 2023-10-20 12:21 UTC (permalink / raw) To: David Disseldorp, Paul Moore; +Cc: selinux, linux-unionfs On Wed, Oct 18, 2023 at 6:08 AM David Disseldorp <ddiss@suse.de> wrote: > > Extended attribute copy-up functionality added via 19472b69d639d > ("selinux: Implementation for inode_copy_up_xattr() hook") sees > "security.selinux" contexts dropped, instead relying on contexts > applied via the inode_copy_up() hook. > > When copy-up takes place during early boot, prior to selinux > initialization / policy load, the context stripping can be unwanted > and unexpected. Make filtering dependent on selinux_initialized(). > > RFC: This changes user behaviour so is likely unacceptable. Still, > I'd be interested in hearing other suggestions for how this could be > addressed. IMHO, this is fixing a bug, only affects early userspace (pre policy load), and is likely acceptable. But Paul will make the final call. We can't introduce and use a new policy capability here because this is before policy has been loaded. > --- > security/selinux/hooks.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 2aa0e219d7217..fb3e53bb7e90c 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3527,7 +3527,7 @@ static int selinux_inode_copy_up_xattr(const char *name) > * don't then want to overwrite it by blindly copying all the lower > * xattrs up. Instead, we have to filter out SELinux-related xattrs. > */ > - if (strcmp(name, XATTR_NAME_SELINUX) == 0) > + if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0) > return 1; /* Discard */ > /* > * Any other attribute apart from SELINUX is not claimed, supported > -- > 2.35.3 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized 2023-10-20 12:21 ` Stephen Smalley @ 2023-10-20 15:55 ` Paul Moore 2023-10-20 20:33 ` David Disseldorp 0 siblings, 1 reply; 5+ messages in thread From: Paul Moore @ 2023-10-20 15:55 UTC (permalink / raw) To: Stephen Smalley; +Cc: David Disseldorp, selinux, linux-unionfs On Fri, Oct 20, 2023 at 8:21 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > On Wed, Oct 18, 2023 at 6:08 AM David Disseldorp <ddiss@suse.de> wrote: > > > > Extended attribute copy-up functionality added via 19472b69d639d > > ("selinux: Implementation for inode_copy_up_xattr() hook") sees > > "security.selinux" contexts dropped, instead relying on contexts > > applied via the inode_copy_up() hook. > > > > When copy-up takes place during early boot, prior to selinux > > initialization / policy load, the context stripping can be unwanted > > and unexpected. Make filtering dependent on selinux_initialized(). > > > > RFC: This changes user behaviour so is likely unacceptable. Still, > > I'd be interested in hearing other suggestions for how this could be > > addressed. > > IMHO, this is fixing a bug, only affects early userspace (pre policy > load), and is likely acceptable. > But Paul will make the final call. We can't introduce and use a new > policy capability here because this is before policy has been loaded. I agree with Stephen, this is a bug fix so I wouldn't worry too much about user visible behavior. For better or worse, the SELinux-enabled-but-no-policy-loaded case has always been a bit awkward and has required multiple patches over the years to correct unwanted behaviors. I'm open to comments on this, but I don't believe this is something we want to see backported to the stable kernels, and considering we are currently at v6.6-rc6, this isn't really a candidate for the upcoming merge window. This means we have a few more weeks to comment, test, etc. and one of the things I would like to see is a better description of before-and-after labeling in the commit description. This helps people who trip over this change, identify what changed, and helps them resolve the problem on their systems. Does that sound good? -- paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized 2023-10-20 15:55 ` Paul Moore @ 2023-10-20 20:33 ` David Disseldorp 2023-11-20 23:03 ` Paul Moore 0 siblings, 1 reply; 5+ messages in thread From: David Disseldorp @ 2023-10-20 20:33 UTC (permalink / raw) To: Paul Moore; +Cc: Stephen Smalley, selinux, linux-unionfs Hi Paul and Stephen, On Fri, 20 Oct 2023 11:55:31 -0400, Paul Moore wrote: > On Fri, Oct 20, 2023 at 8:21 AM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > On Wed, Oct 18, 2023 at 6:08 AM David Disseldorp <ddiss@suse.de> wrote: > > > > > > Extended attribute copy-up functionality added via 19472b69d639d > > > ("selinux: Implementation for inode_copy_up_xattr() hook") sees > > > "security.selinux" contexts dropped, instead relying on contexts > > > applied via the inode_copy_up() hook. > > > > > > When copy-up takes place during early boot, prior to selinux > > > initialization / policy load, the context stripping can be unwanted > > > and unexpected. Make filtering dependent on selinux_initialized(). > > > > > > RFC: This changes user behaviour so is likely unacceptable. Still, > > > I'd be interested in hearing other suggestions for how this could be > > > addressed. > > > > IMHO, this is fixing a bug, only affects early userspace (pre policy > > load), and is likely acceptable. > > But Paul will make the final call. We can't introduce and use a new > > policy capability here because this is before policy has been loaded. > > I agree with Stephen, this is a bug fix so I wouldn't worry too much > about user visible behavior. For better or worse, the > SELinux-enabled-but-no-policy-loaded case has always been a bit > awkward and has required multiple patches over the years to correct > unwanted behaviors. Understood. > I'm open to comments on this, but I don't believe this is something we > want to see backported to the stable kernels, and considering we are > currently at v6.6-rc6, this isn't really a candidate for the upcoming > merge window. This means we have a few more weeks to comment, test, > etc. and one of the things I would like to see is a better description > of before-and-after labeling in the commit description. This helps > people who trip over this change, identify what changed, and helps > them resolve the problem on their systems. > > Does that sound good? That sounds good to me. I'll rework the commit description (and comment above this change), do some further testing and then submit a v2. Thanks for your feedback, David ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized 2023-10-20 20:33 ` David Disseldorp @ 2023-11-20 23:03 ` Paul Moore 0 siblings, 0 replies; 5+ messages in thread From: Paul Moore @ 2023-11-20 23:03 UTC (permalink / raw) To: David Disseldorp; +Cc: Stephen Smalley, selinux, linux-unionfs On Fri, Oct 20, 2023 at 4:33 PM David Disseldorp <ddiss@suse.de> wrote: > > Hi Paul and Stephen, > > On Fri, 20 Oct 2023 11:55:31 -0400, Paul Moore wrote: > > > On Fri, Oct 20, 2023 at 8:21 AM Stephen Smalley > > <stephen.smalley.work@gmail.com> wrote: > > > On Wed, Oct 18, 2023 at 6:08 AM David Disseldorp <ddiss@suse.de> wrote: > > > > > > > > Extended attribute copy-up functionality added via 19472b69d639d > > > > ("selinux: Implementation for inode_copy_up_xattr() hook") sees > > > > "security.selinux" contexts dropped, instead relying on contexts > > > > applied via the inode_copy_up() hook. > > > > > > > > When copy-up takes place during early boot, prior to selinux > > > > initialization / policy load, the context stripping can be unwanted > > > > and unexpected. Make filtering dependent on selinux_initialized(). > > > > > > > > RFC: This changes user behaviour so is likely unacceptable. Still, > > > > I'd be interested in hearing other suggestions for how this could be > > > > addressed. > > > > > > IMHO, this is fixing a bug, only affects early userspace (pre policy > > > load), and is likely acceptable. > > > But Paul will make the final call. We can't introduce and use a new > > > policy capability here because this is before policy has been loaded. > > > > I agree with Stephen, this is a bug fix so I wouldn't worry too much > > about user visible behavior. For better or worse, the > > SELinux-enabled-but-no-policy-loaded case has always been a bit > > awkward and has required multiple patches over the years to correct > > unwanted behaviors. > > Understood. > > > I'm open to comments on this, but I don't believe this is something we > > want to see backported to the stable kernels, and considering we are > > currently at v6.6-rc6, this isn't really a candidate for the upcoming > > merge window. This means we have a few more weeks to comment, test, > > etc. and one of the things I would like to see is a better description > > of before-and-after labeling in the commit description. This helps > > people who trip over this change, identify what changed, and helps > > them resolve the problem on their systems. > > > > Does that sound good? > > That sounds good to me. I'll rework the commit description (and comment > above this change), do some further testing and then submit a v2. Hi David, No rush, I just wanted to check in on this and see how things were going? -- paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-11-20 23:03 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-10-18 10:08 [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized David Disseldorp 2023-10-20 12:21 ` Stephen Smalley 2023-10-20 15:55 ` Paul Moore 2023-10-20 20:33 ` David Disseldorp 2023-11-20 23:03 ` Paul Moore
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox