From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Chris PeBenito <pebenito@ieee.org>
Cc: Paul Moore <paul@paul-moore.com>,
Chris PeBenito <chpebeni@linux.microsoft.com>,
SElinux mailing list <selinux@vger.kernel.org>,
brauner@kernel.org, bluca@debian.org
Subject: Re: Proposed feature: fine-grained file descriptors in SELinux
Date: Tue, 14 Nov 2023 09:31:07 -0500 [thread overview]
Message-ID: <CAEjxPJ7jvYPENavhxdrT8y1cDrNSc4Cw5Q3Pny8e+P=4Lt=YBw@mail.gmail.com> (raw)
In-Reply-To: <aee59e7d-2a94-235a-a9dc-e1059660fcc7@ieee.org>
On Tue, Nov 14, 2023 at 9:14 AM Chris PeBenito <pebenito@ieee.org> wrote:
>
> On 11/13/2023 10:35 AM, Stephen Smalley wrote:
> > On Sun, Nov 12, 2023 at 11:52 PM Paul Moore <paul@paul-moore.com> wrote:
> >> On Thu, Nov 9, 2023 at 1:26 PM Chris PeBenito
> >> <chpebeni@linux.microsoft.com> wrote:
> >>> systemd is increasing usage of memfds, pidfds, etc. This is resulting
> >>> in a need for wide inheritance of fds across the system. For example in
> >>> a lot of systemd interfaces that have a pid field now have a comparable
> >>> pidfd interface. dbus-broker and polkit are similarly updated.
> >>>
> >>> Some references from an All Systems Go! talk:
> >>> https://cfp.all-systems-go.io/media/all-systems-go-2023/submissions/T3LJAM/resources/ASG_2023_PID_FD-ize_all_the_things_E98Zw9Q.pdf
> >>> This is from a few months ago; the switch to PIDFDs is nearly
> >>> complete, and we're already seeing denials for this usage.
> >>>
> >>>
> >>> Since file descriptors are increasing use as references for various
> >>> operations, I think it would be useful to have a finer-grained fd class,
> >>> so we can limit file descriptor inheritance, particularly as it looks
> >>> like systemd/pid1 will need to inherit pidfd file descriptors from
> >>> possibly all domains. Specifically, I propose adding new permissions to
> >>> the fd class, such as use_pidfd and use_memfd. Then systemd can use
> >>> pidfds from any domain, but only use regular fds from trusted domains.
> >>>
> >>> Thoughts?
> >>
> >> I think adding some granularity to the fd:use permission makes sense,
> >> although I'm wondering if we are better served by creating new object
> >> classes for these new types of reference fds, e.g. pidfd:use,
> >> memfd:user, etc.? When I read "use_pidfd" my first thought is that we
> >> are encoding an object class in the permission.
> >>
> >> Have you looked at the associated kernel code yet? I suspect we might
> >> need to augment the existing memfd/pidfd/etc. code paths with an
> >> additional LSM hook to be able to mark the fd's LSM/SELinux state with
> >> class info, but I'm not sure off the top of my head.
> >
> > We don't actually store SECCLASS_FD in any security blobs currently
> > (i.e. there is no sclass field in the file_security_struct); we just
> > always check against SECCLASS_FD in file_has_perm(),
> > selinux_binder_transfer_file(), ioctl_has_perm(),
> > selinux_kernel_module_from_file(). As you note, we don't have a way of
> > knowing what kind of fd it is at those points so we would need to
> > somehow pass that information to selinux_file_alloc_security() and
> > save the class at that time, or otherwise introduce new hooks.
> >
> > There are three approaches that could be taken here:
> > 1. Introduce new permissions on the existing class, as proposed by Chris,
> > 2. Introduce new classes, as you proposed,
> > 3. Label different kinds of fds via type_transitions or similar so
> > that we can distinguish them by type in policy rather than needing
> > separate permissions or classes.
> >
> > We've used all three approaches in the past for different kinds of
> > checks so it is more a question of what is optimal for this use case.
> > The last one is the heaviest approach since it imposes extra overhead
> > upon allocation/labeling that doesn't currently exist for fds.
>
> Either new perms or new class works for me. I like the new classes idea
> more than my original proposal; however, I'm unclear how a
> type_transition would work in this scenario. What would the target type be?
>
> type_transition foo_t ?:fd foo_pidfd_t;
> type_transition foo_t ?:fd foo_memfd_t;
Sorry, perhaps I was unclear. The new classes proposal is just to use
a different security class i.e. fd, pidfd, memfd classes, such that
allow rules would be written accordingly, e.g. allow foo_t self:fd
use; allow foo_t domain:pidfd use; That was Paul's proposal. Using a
derived type via type_transition is the 3rd option, and that one would
require introducing logic into selinux_file_alloc_security() to call
security_transition_sid() and impose that overhead on all fd creation,
which is likely a non-starter.
prev parent reply other threads:[~2023-11-14 14:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-09 18:26 Proposed feature: fine-grained file descriptors in SELinux Chris PeBenito
2023-11-13 4:52 ` Paul Moore
2023-11-13 15:35 ` Stephen Smalley
2023-11-14 6:22 ` Paul Moore
2023-11-14 14:14 ` Chris PeBenito
2023-11-14 14:31 ` Stephen Smalley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEjxPJ7jvYPENavhxdrT8y1cDrNSc4Cw5Q3Pny8e+P=4Lt=YBw@mail.gmail.com' \
--to=stephen.smalley.work@gmail.com \
--cc=bluca@debian.org \
--cc=brauner@kernel.org \
--cc=chpebeni@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=pebenito@ieee.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).