From mboxrd@z Thu Jan  1 00:00:00 1970

Return-Path: <SRS0=e2dy=XH=vger.kernel.org=selinux-owner@kernel.org>

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on

	aws-us-west-2-korg-lkml-1.web.codeaurora.org

X-Spam-Level: 

X-Spam-Status: No, score=-15.0 required=3.0

	tests=HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,

	MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT

	autolearn=ham autolearn_force=no version=3.4.0

Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])

	by smtp.lore.kernel.org (Postfix) with ESMTP id 0CE63C4CEC5

	for <selinux@archiver.kernel.org>; Thu, 12 Sep 2019 13:30:40 +0000 (UTC)

Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])

	by mail.kernel.org (Postfix) with ESMTP id DC0B020CC7

	for <selinux@archiver.kernel.org>; Thu, 12 Sep 2019 13:30:39 +0000 (UTC)

Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand

        id S1732192AbfILNaj (ORCPT <rfc822;selinux@archiver.kernel.org>);

        Thu, 12 Sep 2019 09:30:39 -0400

Received: from mx1.redhat.com ([209.132.183.28]:52278 "EHLO mx1.redhat.com"

        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP

        id S1731687AbfILNaj (ORCPT <rfc822;selinux@vger.kernel.org>);

        Thu, 12 Sep 2019 09:30:39 -0400

Received: from mail-qt1-f197.google.com (mail-qt1-f197.google.com [209.85.160.197])

        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))

        (No client certificate requested)

        by mx1.redhat.com (Postfix) with ESMTPS id 97CC359465

        for <selinux@vger.kernel.org>; Thu, 12 Sep 2019 13:30:38 +0000 (UTC)

Received: by mail-qt1-f197.google.com with SMTP id c8so13609684qtd.20

        for <selinux@vger.kernel.org>; Thu, 12 Sep 2019 06:30:38 -0700 (PDT)

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

        d=1e100.net; s=20161025;

        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version

         :content-transfer-encoding;

        bh=S/MIBrjCy5DTvfqPzJTJqDQQH1pDu780wgGyHs56w4k=;

        b=H7fZr4X/c4ge0SXeHHRXrq3U4J60PWfSRqdCphTWxKjyLvBs8nktbJczT562oH7Hxv

         hdvVjKgAzNxIXFdQetnmveDXojtHFrE21PNdo5ONQIyh35oZyrJB4ewZdUrNfbrvDc2y

         ElMr/HoKEX5pY+GMJE4nzeBotlfCWU9BoAxJPUhzKA9Oib+AqDzQ0hCGH6pQY9RXRXBV

         IMH21FE5dxQGtLHNCJXVxE14edDeRo8qQFWQw6ooogK7JvduuJrWBn3BmCbKz1YLTNZE

         9wRXvaHFVGNhr79JrRcItTp6Sx+tZ3XY46CV+Wi6Rq1fu8MePP9zFdIQXw9wqyd+UgLa

         AIlw==

X-Gm-Message-State: APjAAAXpWx500L+bZRH8M7OzuSb0aBlsvvjaBYCGvSkzojpa2nRWjtk0

        cjKEj45ivsUgPW2Bbi6CGEtspqM4wmwb72z+ajR4hy5OjMT3KRh6W71HFbVPrlLYQTvse11Ax2d

        wGOma7U/qIGDDYkjh/Q==

X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094193qtu.11.1568295037636;

        Thu, 12 Sep 2019 06:30:37 -0700 (PDT)

X-Google-Smtp-Source: APXvYqzybFpoaFyGZXafGEdtHCL3XllpHltaXggcIZEb7De49V/kJzm1pU6vpg1gN8HtgnB3cilLuA==

X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094176qtu.11.1568295037442;

        Thu, 12 Sep 2019 06:30:37 -0700 (PDT)

Received: from localhost.localdomain ([12.133.141.2])

        by smtp.gmail.com with ESMTPSA id h68sm11848865qkd.35.2019.09.12.06.30.35

        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);

        Thu, 12 Sep 2019 06:30:36 -0700 (PDT)

From:   Jonathan Lebon <jlebon@redhat.com>

To:     selinux@vger.kernel.org

Cc:     Jonathan Lebon <jlebon@redhat.com>,

        Victor Kamensky <kamensky@cisco.com>

Subject: [PATCH v2] selinux: allow labeling before policy is loaded

Date:   Thu, 12 Sep 2019 09:30:07 -0400

Message-Id: <20190912133007.27545-1-jlebon@redhat.com>

X-Mailer: git-send-email 2.21.0

MIME-Version: 1.0

Content-Transfer-Encoding: 8bit

Sender: selinux-owner@vger.kernel.org

Precedence: bulk

List-ID: <selinux.vger.kernel.org>

X-Mailing-List: selinux@vger.kernel.org

Archived-At: <https://lore.kernel.org/selinux/20190912133007.27545-1-jlebon@redhat.com/>

List-Archive: <https://lore.kernel.org/selinux/>

List-Post: <mailto:selinux@vger.kernel.org>

Currently, the SELinux LSM prevents one from setting the

`security.selinux` xattr on an inode without a policy first being

loaded. However, this restriction is problematic: it makes it impossible

to have newly created files with the correct label before actually

loading the policy.

This is relevant in distributions like Fedora, where the policy is

loaded by systemd shortly after pivoting out of the initrd. In such

instances, all files created prior to pivoting will be unlabeled. One

then has to relabel them after pivoting, an operation which inherently

races with other processes trying to access those same files.

Going further, there are use cases for creating the entire root

filesystem on first boot from the initrd (e.g. Container Linux supports

this today[1], and we'd like to support it in Fedora CoreOS as well[2]).

One can imagine doing this in two ways: at the block device level (e.g.

laying down a disk image), or at the filesystem level. In the former,

labeling can simply be part of the image. But even in the latter

scenario, one still really wants to be able to set the right labels when

populating the new filesystem.

This patch enables this by changing behaviour in the following two ways:

1. allow `setxattr` if we're not initialized

2. don't try to set the in-core inode SID if we're not initialized;

   instead leave it as `LABEL_INVALID` so that revalidation may be

   attempted at a later time

Note the first hunk of this patch is mostly the same as a previously

discussed one[3], though it was part of a larger series which wasn't

accepted.

Co-developed-by: Victor Kamensky <kamensky@cisco.com>

Signed-off-by: Victor Kamensky <kamensky@cisco.com>

Signed-off-by: Jonathan Lebon <jlebon@redhat.com>

[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html

[2] https://github.com/coreos/fedora-coreos-tracker/issues/94

[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html

---

v2:

  - return early in selinux_inode_setxattr if policy hasn't been loaded

---

 security/selinux/hooks.c | 12 ++++++++++++

 1 file changed, 12 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c

index 94de51628..dbe96c707 100644

--- a/security/selinux/hooks.c

+++ b/security/selinux/hooks.c

@@ -3142,6 +3142,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,

 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);

 	}

+	if (!selinux_state.initialized)

+		return (inode_owner_or_capable(inode) ? 0 : -EPERM);

+

 	sbsec = inode->i_sb->s_security;

 	if (!(sbsec->flags & SBLABEL_MNT))

 		return -EOPNOTSUPP;

@@ -3225,6 +3228,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,

 		return;

 	}

+	if (!selinux_state.initialized) {

+		/* If we haven't even been initialized, then we can't validate

+		 * against a policy, so leave the label as invalid. It may

+		 * resolve to a valid label on the next revalidation try if

+		 * we've since initialized.

+		 */

+		return;

+	}

+

 	rc = security_context_to_sid_force(&selinux_state, value, size,

 					   &newsid);

 	if (rc) {

-- 

2.21.0