LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Lucian Adrian Grijincu <lucian.grijincu@gmail.com>
Cc: James Morris <jmorris@namei.org>,
	Eric Paris <eparis@parisplace.org>,
	Nick Piggin <npiggin@kernel.dk>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH] security/selinux: fix /proc/sys/ labeling
Date: Tue, 01 Feb 2011 10:02:18 -0500	[thread overview]
Message-ID: <1296572538.12605.4.camel@moss-pluto> (raw)
In-Reply-To: <1296519474-15714-1-git-send-email-lucian.grijincu@gmail.com>

On Tue, 2011-02-01 at 02:17 +0200, Lucian Adrian Grijincu wrote:
> From: Eric W. Biederman <ebiederm@xmission.com>

Is this patch really from Eric or just derived from an earlier patch by
him?

> 
> This fixes an old (2007) selinux regression: filesystem labeling for
> /proc/sys returned
>      -r--r--r-- unknown                          /proc/sys/fs/file-nr
> instead of
>      -r--r--r-- system_u:object_r:sysctl_fs_t:s0 /proc/sys/fs/file-nr
> 
> Events that lead to breaking of /proc/sys selinux labeling:
> 
> 1) sysctl was reimplemented to route all calls through /proc/sysctl
> 
>     commit 77b14db502cb85a031fe8fde6c85d52f3e0acb63
>     [PATCH] sysctl: reimplement the sysctl proc support
> 
> 2) proc_dir_entry was removed from ctl_table:
> 
>     commit 3fbfa98112fc3962c416452a0baf2214381030e6
>     [PATCH] sysctl: remove the proc_dir_entry member for the sysctl tables
> 
> 3) selinux still walked the proc_dir_entry tree to apply
>    labeling. Because ctl_tables don't have a proc_dir_entry, we did
>    not label /proc/sys/ inodes any more. To achieve this the /proc/sys
>    inodes were marked private and private inodes were ignored by
>    selinux.
> 
>     commit bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962
>     [PATCH] selinux: enhance selinux to always ignore private inodes
> 
>     commit 86a71dbd3e81e8870d0f0e56b87875f57e58222b
>     [PATCH] sysctl: hide the sysctl proc inodes from selinux
> 
> Access control checks have been done by means of a special sysctl hook
> that was called for read/write accesses to any /proc/sys/ entry.
> 
> We don't have to do this because, instead of walking the
> proc_dir_entry tree we can walk the dentry tree (as done in this
> patch). With this patch:
> * we don't mark /proc/sys inodes as private
> * we don't need the sysclt security hook
> * we walk the dentry tree to find the path to the inode.
> 
> We have to strip the PID in /proc/PID/ entries that have a
> proc_dir_entry because selinux does not know how to label paths like
> '/1/net/rpc/nfsd.fh' (and defaults to 'proc_t' labeling). Selinux does
> know of '/net/rpc/nfsd.fh' (and applies the 'sysctl_rpc_t' label).
> 
> PID stripping from the path was done implicitly in the previous code
> because the proc_dir_entry tree had the root in '/net' in the example
> from above. The dentry tree has the root in '/1'.
> 
> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

And did Eric truly sign off on this patch or just on an earlier one?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e276eb4..7c5dfb1 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1317,9 +1311,9 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
>  
>  		if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
>  			struct proc_inode *proci = PROC_I(inode);
> -			if (proci->pde) {
> +			if (opt_dentry && (proci->pde || proci->sysctl)) {
>  				isec->sclass = inode_mode_to_security_class(inode->i_mode);
> -				rc = selinux_proc_get_sid(proci->pde,
> +				rc = selinux_proc_get_sid(opt_dentry,
>  							  isec->sclass,
>  							  &sid);
>  				if (rc)

It would be nice if we could eliminate the last remaining piece of proc
internal knowledge from this code - why do we need the proci->pde ||
proci->sysctl test here?  What changes without it?

-- 
Stephen Smalley
National Security Agency


  parent reply	other threads:[~2011-02-01 15:02 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-02-01  0:17 Lucian Adrian Grijincu
2011-02-01  1:32 ` [PATCH] security: remove unused security_sysctl hook Lucian Adrian Grijincu
2011-02-01 15:02 ` Stephen Smalley [this message]
2011-02-01 15:53   ` [PATCH] security/selinux: fix /proc/sys/ labeling Lucian Adrian Grijincu
2011-02-01 15:59     ` Stephen Smalley
2011-02-01 16:32       ` Lucian Adrian Grijincu
2011-02-01 16:37         ` Stephen Smalley
2011-02-01 16:42           ` [PATCH 1/2] " Lucian Adrian Grijincu
2011-02-01 16:44             ` [PATCH 2/2] security: remove unused security_sysctl hook Lucian Adrian Grijincu
2011-02-01 19:05               ` Stephen Smalley
2011-02-01 20:06                 ` Eric Paris
2011-02-14 19:33                   ` Lucian Adrian Grijincu
2011-02-14 19:53                     ` Eric Paris
2011-02-14 20:06                       ` Lucian Adrian Grijincu
2011-02-14 22:06                         ` James Morris
2011-02-01 19:04             ` [PATCH 1/2] security/selinux: fix /proc/sys/ labeling Stephen Smalley
2011-02-01 19:33             ` Eric W. Biederman
2011-02-01 19:33             ` Eric W. Biederman
2011-02-01 19:46               ` Lucian Adrian Grijincu
2011-02-01 20:14                 ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1296572538.12605.4.camel@moss-pluto \
    --to=sds@tycho.nsa.gov \
    --cc=ebiederm@xmission.com \
    --cc=eparis@parisplace.org \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lucian.grijincu@gmail.com \
    --cc=npiggin@kernel.dk \
    --subject='Re: [PATCH] security/selinux: fix /proc/sys/ labeling' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).