Re: [RFC PATCH 2/2] tun: fix LSM/SELinux labeling of tun/tap devices

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Paul Moore <pmoore@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
	selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH 2/2] tun: fix LSM/SELinux labeling of tun/tap devices
Date: Mon, 03 Dec 2012 11:22:29 -0500	[thread overview]
Message-ID: <2549856.XZ72FtkyJK@sifl> (raw)
In-Reply-To: <50BC7BCE.7000502@redhat.com>

On Monday, December 03, 2012 06:15:42 PM Jason Wang wrote:
> On 11/30/2012 06:06 AM, Paul Moore wrote:
> > This patch corrects some problems with LSM/SELinux that were introduced
> > with the multiqueue patchset.  The problem stems from the fact that the
> > multiqueue work changed the relationship between the tun device and its
> > associated socket; before the socket persisted for the life of the
> > device, however after the multiqueue changes the socket only persisted
> > for the life of the userspace connection (fd open).  For non-persistent
> > devices this is not an issue, but for persistent devices this can cause
> > the tun device to lose its SELinux label.
> > 
> > We correct this problem by adding an opaque LSM security blob to the
> > tun device struct which allows us to have the LSM security state, e.g.
> > SELinux labeling information, persist for the lifetime of the tun
> > device.

...

> > -static int selinux_tun_dev_attach(struct sock *sk)
> > +static int selinux_tun_dev_attach(struct sock *sk, void *security)
> > 
> >  {
> > 
> > +	struct tun_security_struct *tunsec = security;
> > 
> >  	struct sk_security_struct *sksec = sk->sk_security;
> >  	u32 sid = current_sid();
> >  	int err;
> > 
> > +	/* we don't currently perform any NetLabel based labeling here ...
> >
> >  	err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
> >  	
> >  			   TUN_SOCKET__RELABELFROM, NULL);
> >  	
> >  	if (err)
> >  	
> >  		return err;
> > 
> > -	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
> > +	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
> > 
> >  			   TUN_SOCKET__RELABELTO, NULL);
> >  	
> >  	if (err)
> >  	
> >  		return err;
> > 
> > -	sksec->sid = sid;
> > +	sksec->sid = tunsec->sid;
> > +	sksec->sclass = SECCLASS_TUN_SOCKET;
> 
> I'm not sure whether this is correct, looks like we need to differ between
> TUNSETQUEUE and TUNSETIFF. When userspace call TUNSETIFF for persistent
> device, looks like we need change the sid of tunsec like in the past.

It may be that I'm misunderstanding TUNSETQUEUE and/or TUNSETIFF.  Can you 
elaborate as to why they should be different?

One thing that I think we probably should change is the relabelto/from 
permissions in the function above (selinux_tun_dev_attach()); in the case 
where the socket does not yet have a label, e.g. 'sksec->sid == 0', we should 
probably skip the relabel permissions since we want to assign the TUN device 
label regardless in this case.

-- 
paul moore
security and virtualization @ redhat

next prev parent reply	other threads:[~2012-12-03 16:22 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-11-29 22:06 [RFC PATCH 0/2] Fix some multiqueue TUN problems Paul Moore
2012-11-29 22:06 ` [RFC PATCH 1/2] tun: correctly report an error in tun_flow_init() Paul Moore
2012-12-05 16:02   ` Paul Moore
2012-12-06  3:35     ` Jason Wang
2012-11-29 22:06 ` [RFC PATCH 2/2] tun: fix LSM/SELinux labeling of tun/tap devices Paul Moore
2012-12-03 10:15   ` Jason Wang
2012-12-03 16:22     ` Paul Moore [this message]
2012-12-04 13:24       ` Jason Wang
2012-12-04 15:24         ` Michael S. Tsirkin
2012-12-05  6:17           ` Jason Wang
2012-12-05 11:43             ` Michael S. Tsirkin
2012-12-05 13:45               ` Jason Wang
2012-12-04 16:18         ` Paul Moore
2012-12-04 17:36           ` Michael S. Tsirkin
2012-12-04 18:17             ` Paul Moore
2012-12-05  6:19               ` Jason Wang
2012-12-05 11:44                 ` Michael S. Tsirkin
2012-12-05 14:01                   ` Jason Wang
2012-12-05 16:00                     ` Paul Moore
2012-12-05  5:44           ` Jason Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2549856.XZ72FtkyJK@sifl \
    --to=pmoore@redhat.com \
    --cc=jasowang@redhat.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox