fanghuilin / rpms / kernel

Forked from rpms/kernel 3 years ago
Clone
Pablo Greco d6c4c4
From mboxrd@z Thu Jan  1 00:00:00 1970
Pablo Greco d6c4c4
Return-Path: <SRS0=e2dy=XH=vger.kernel.org=selinux-owner@kernel.org>
Pablo Greco d6c4c4
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
Pablo Greco d6c4c4
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Pablo Greco d6c4c4
X-Spam-Level: 
Pablo Greco d6c4c4
X-Spam-Status: No, score=-15.0 required=3.0
Pablo Greco d6c4c4
	tests=HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
Pablo Greco d6c4c4
	MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT
Pablo Greco d6c4c4
	autolearn=ham autolearn_force=no version=3.4.0
Pablo Greco d6c4c4
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
Pablo Greco d6c4c4
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0CE63C4CEC5
Pablo Greco d6c4c4
	for <selinux@archiver.kernel.org>; Thu, 12 Sep 2019 13:30:40 +0000 (UTC)
Pablo Greco d6c4c4
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
Pablo Greco d6c4c4
	by mail.kernel.org (Postfix) with ESMTP id DC0B020CC7
Pablo Greco d6c4c4
	for <selinux@archiver.kernel.org>; Thu, 12 Sep 2019 13:30:39 +0000 (UTC)
Pablo Greco d6c4c4
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
Pablo Greco d6c4c4
        id S1732192AbfILNaj (ORCPT <rfc822;selinux@archiver.kernel.org>);
Pablo Greco d6c4c4
        Thu, 12 Sep 2019 09:30:39 -0400
Pablo Greco d6c4c4
Received: from mx1.redhat.com ([209.132.183.28]:52278 "EHLO mx1.redhat.com"
Pablo Greco d6c4c4
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
Pablo Greco d6c4c4
        id S1731687AbfILNaj (ORCPT <rfc822;selinux@vger.kernel.org>);
Pablo Greco d6c4c4
        Thu, 12 Sep 2019 09:30:39 -0400
Pablo Greco d6c4c4
Received: from mail-qt1-f197.google.com (mail-qt1-f197.google.com [209.85.160.197])
Pablo Greco d6c4c4
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
Pablo Greco d6c4c4
        (No client certificate requested)
Pablo Greco d6c4c4
        by mx1.redhat.com (Postfix) with ESMTPS id 97CC359465
Pablo Greco d6c4c4
        for <selinux@vger.kernel.org>; Thu, 12 Sep 2019 13:30:38 +0000 (UTC)
Pablo Greco d6c4c4
Received: by mail-qt1-f197.google.com with SMTP id c8so13609684qtd.20
Pablo Greco d6c4c4
        for <selinux@vger.kernel.org>; Thu, 12 Sep 2019 06:30:38 -0700 (PDT)
Pablo Greco d6c4c4
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
Pablo Greco d6c4c4
        d=1e100.net; s=20161025;
Pablo Greco d6c4c4
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
Pablo Greco d6c4c4
         :content-transfer-encoding;
Pablo Greco d6c4c4
        bh=S/MIBrjCy5DTvfqPzJTJqDQQH1pDu780wgGyHs56w4k=;
Pablo Greco d6c4c4
        b=H7fZr4X/c4ge0SXeHHRXrq3U4J60PWfSRqdCphTWxKjyLvBs8nktbJczT562oH7Hxv
Pablo Greco d6c4c4
         hdvVjKgAzNxIXFdQetnmveDXojtHFrE21PNdo5ONQIyh35oZyrJB4ewZdUrNfbrvDc2y
Pablo Greco d6c4c4
         ElMr/HoKEX5pY+GMJE4nzeBotlfCWU9BoAxJPUhzKA9Oib+AqDzQ0hCGH6pQY9RXRXBV
Pablo Greco d6c4c4
         IMH21FE5dxQGtLHNCJXVxE14edDeRo8qQFWQw6ooogK7JvduuJrWBn3BmCbKz1YLTNZE
Pablo Greco d6c4c4
         9wRXvaHFVGNhr79JrRcItTp6Sx+tZ3XY46CV+Wi6Rq1fu8MePP9zFdIQXw9wqyd+UgLa
Pablo Greco d6c4c4
         AIlw==
Pablo Greco d6c4c4
X-Gm-Message-State: APjAAAXpWx500L+bZRH8M7OzuSb0aBlsvvjaBYCGvSkzojpa2nRWjtk0
Pablo Greco d6c4c4
        cjKEj45ivsUgPW2Bbi6CGEtspqM4wmwb72z+ajR4hy5OjMT3KRh6W71HFbVPrlLYQTvse11Ax2d
Pablo Greco d6c4c4
        wGOma7U/qIGDDYkjh/Q==
Pablo Greco d6c4c4
X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094193qtu.11.1568295037636;
Pablo Greco d6c4c4
        Thu, 12 Sep 2019 06:30:37 -0700 (PDT)
Pablo Greco d6c4c4
X-Google-Smtp-Source: APXvYqzybFpoaFyGZXafGEdtHCL3XllpHltaXggcIZEb7De49V/kJzm1pU6vpg1gN8HtgnB3cilLuA==
Pablo Greco d6c4c4
X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094176qtu.11.1568295037442;
Pablo Greco d6c4c4
        Thu, 12 Sep 2019 06:30:37 -0700 (PDT)
Pablo Greco d6c4c4
Received: from localhost.localdomain ([12.133.141.2])
Pablo Greco d6c4c4
        by smtp.gmail.com with ESMTPSA id h68sm11848865qkd.35.2019.09.12.06.30.35
Pablo Greco d6c4c4
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Pablo Greco d6c4c4
        Thu, 12 Sep 2019 06:30:36 -0700 (PDT)
Pablo Greco d6c4c4
From:   Jonathan Lebon <jlebon@redhat.com>
Pablo Greco d6c4c4
To:     selinux@vger.kernel.org
Pablo Greco d6c4c4
Cc:     Jonathan Lebon <jlebon@redhat.com>,
Pablo Greco d6c4c4
        Victor Kamensky <kamensky@cisco.com>
Pablo Greco d6c4c4
Subject: [PATCH v2] selinux: allow labeling before policy is loaded
Pablo Greco d6c4c4
Date:   Thu, 12 Sep 2019 09:30:07 -0400
Pablo Greco d6c4c4
Message-Id: <20190912133007.27545-1-jlebon@redhat.com>
Pablo Greco d6c4c4
X-Mailer: git-send-email 2.21.0
Pablo Greco d6c4c4
MIME-Version: 1.0
Pablo Greco d6c4c4
Content-Transfer-Encoding: 8bit
Pablo Greco d6c4c4
Sender: selinux-owner@vger.kernel.org
Pablo Greco d6c4c4
Precedence: bulk
Pablo Greco d6c4c4
List-ID: <selinux.vger.kernel.org>
Pablo Greco d6c4c4
X-Mailing-List: selinux@vger.kernel.org
Pablo Greco d6c4c4
Archived-At: <https://lore.kernel.org/selinux/20190912133007.27545-1-jlebon@redhat.com/>
Pablo Greco d6c4c4
List-Archive: <https://lore.kernel.org/selinux/>
Pablo Greco d6c4c4
List-Post: <mailto:selinux@vger.kernel.org>
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Currently, the SELinux LSM prevents one from setting the
Pablo Greco d6c4c4
`security.selinux` xattr on an inode without a policy first being
Pablo Greco d6c4c4
loaded. However, this restriction is problematic: it makes it impossible
Pablo Greco d6c4c4
to have newly created files with the correct label before actually
Pablo Greco d6c4c4
loading the policy.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
This is relevant in distributions like Fedora, where the policy is
Pablo Greco d6c4c4
loaded by systemd shortly after pivoting out of the initrd. In such
Pablo Greco d6c4c4
instances, all files created prior to pivoting will be unlabeled. One
Pablo Greco d6c4c4
then has to relabel them after pivoting, an operation which inherently
Pablo Greco d6c4c4
races with other processes trying to access those same files.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Going further, there are use cases for creating the entire root
Pablo Greco d6c4c4
filesystem on first boot from the initrd (e.g. Container Linux supports
Pablo Greco d6c4c4
this today[1], and we'd like to support it in Fedora CoreOS as well[2]).
Pablo Greco d6c4c4
One can imagine doing this in two ways: at the block device level (e.g.
Pablo Greco d6c4c4
laying down a disk image), or at the filesystem level. In the former,
Pablo Greco d6c4c4
labeling can simply be part of the image. But even in the latter
Pablo Greco d6c4c4
scenario, one still really wants to be able to set the right labels when
Pablo Greco d6c4c4
populating the new filesystem.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
This patch enables this by changing behaviour in the following two ways:
Pablo Greco d6c4c4
1. allow `setxattr` if we're not initialized
Pablo Greco d6c4c4
2. don't try to set the in-core inode SID if we're not initialized;
Pablo Greco d6c4c4
   instead leave it as `LABEL_INVALID` so that revalidation may be
Pablo Greco d6c4c4
   attempted at a later time
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Note the first hunk of this patch is mostly the same as a previously
Pablo Greco d6c4c4
discussed one[3], though it was part of a larger series which wasn't
Pablo Greco d6c4c4
accepted.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Co-developed-by: Victor Kamensky <kamensky@cisco.com>
Pablo Greco d6c4c4
Signed-off-by: Victor Kamensky <kamensky@cisco.com>
Pablo Greco d6c4c4
Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
Pablo Greco d6c4c4
Pablo Greco d6c4c4
[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html
Pablo Greco d6c4c4
[2] https://github.com/coreos/fedora-coreos-tracker/issues/94
Pablo Greco d6c4c4
[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html
Pablo Greco d6c4c4
Pablo Greco d6c4c4
---
Pablo Greco d6c4c4
Pablo Greco d6c4c4
v2:
Pablo Greco d6c4c4
  - return early in selinux_inode_setxattr if policy hasn't been loaded
Pablo Greco d6c4c4
Pablo Greco d6c4c4
---
Pablo Greco d6c4c4
Pablo Greco d6c4c4
 security/selinux/hooks.c | 12 ++++++++++++
Pablo Greco d6c4c4
 1 file changed, 12 insertions(+)
Pablo Greco d6c4c4
Pablo Greco d6c4c4
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
Pablo Greco d6c4c4
index 94de51628..dbe96c707 100644
Pablo Greco d6c4c4
--- a/security/selinux/hooks.c
Pablo Greco d6c4c4
+++ b/security/selinux/hooks.c
Pablo Greco d6c4c4
@@ -3142,6 +3142,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
Pablo Greco d6c4c4
 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
Pablo Greco d6c4c4
 	}
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
+	if (!selinux_state.initialized)
Pablo Greco d6c4c4
+		return (inode_owner_or_capable(inode) ? 0 : -EPERM);
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
 	sbsec = inode->i_sb->s_security;
Pablo Greco d6c4c4
 	if (!(sbsec->flags & SBLABEL_MNT))
Pablo Greco d6c4c4
 		return -EOPNOTSUPP;
Pablo Greco d6c4c4
@@ -3225,6 +3228,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
Pablo Greco d6c4c4
 		return;
Pablo Greco d6c4c4
 	}
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
+	if (!selinux_state.initialized) {
Pablo Greco d6c4c4
+		/* If we haven't even been initialized, then we can't validate
Pablo Greco d6c4c4
+		 * against a policy, so leave the label as invalid. It may
Pablo Greco d6c4c4
+		 * resolve to a valid label on the next revalidation try if
Pablo Greco d6c4c4
+		 * we've since initialized.
Pablo Greco d6c4c4
+		 */
Pablo Greco d6c4c4
+		return;
Pablo Greco d6c4c4
+	}
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
 	rc = security_context_to_sid_force(&selinux_state, value, size,
Pablo Greco d6c4c4
 					   &newsid);
Pablo Greco d6c4c4
 	if (rc) {
Pablo Greco d6c4c4
-- 
Pablo Greco d6c4c4
2.21.0
Pablo Greco d6c4c4
Pablo Greco d6c4c4