LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Victor Kamensky <kamensky@cisco.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Taras Kondratiuk <takondra@cisco.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Al Viro <viro@zeniv.linux.org.uk>, Arnd Bergmann <arnd@arndb.de>,
Rob Landley <rob@landley.net>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Jonathan Corbet <corbet@lwn.net>,
James McMechan <james.w.mcmechan@gmail.com>,
initramfs@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
xe-linux-external@cisco.com, Paul Moore <paul@paul-moore.com>,
Eric Paris <eparis@parisplace.org>
Subject: Re: [PATCH v3 14/15] selinux: allow setxattr on rootfs so initramfs code can set them
Date: Sat, 10 Mar 2018 19:07:18 -0800 (PST) [thread overview]
Message-ID: <alpine.LRH.2.00.1803101848580.24419@sjc-ads-6991.cisco.com> (raw)
In-Reply-To: <1519153284.14218.18.camel@tycho.nsa.gov>
On Tue, 20 Feb 2018, Stephen Smalley wrote:
> On Fri, 2018-02-16 at 20:33 +0000, Taras Kondratiuk wrote:
>> From: Victor Kamensky <kamensky@cisco.com>
>>
>> initramfs code supporting extended cpio format have ability to
>> fill extended attributes from cpio archive, but if SELinux enabled
>> and security server is not initialized yet, selinux callback would
>> refuse setxattr made by initramfs code.
>>
>> Solution enable SBLABEL_MNT on rootfs even if secrurity server is
>> not initialized yet.
>
> What if we were to instead skip the SBLABEL_MNT check in
> selinux_inode_setxattr() if !ss_initialized? Not dependent on
> filesystem type.
Stephen, thank you for looking into this. Sorry, for dealyed reponse -
I needed to find time to require context about these changes.
As you suggested I've tried this and it works:
>From 6bf35bd055fdb12e94f3d5188eccfdbaa30dbcf4 Mon Sep 17 00:00:00 2001
From: Victor Kamensky <kamensky@cisco.com>
Date: Fri, 9 Mar 2018 23:01:20 -0800
Subject: [PATCH 1/2] selinux: allow setxattr on file systems if policy is not
loaded
initramfs code supporting extended cpio format have ability to
fill extended attributes from cpio archive, but if SELinux enabled
and security server is not initialized yet, selinux callback would
refuse setxattr made by initramfs code because file system is not
yet marked as one that support labeling (SBLABEL_MNT flag).
Solution do not refuse setxattr even if SBLABEL_MNT is not set
for file systems when policy is not loaded yet.
Signed-off-by: Victor Kamensky <kamensky@cisco.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 819fd68..31303ed 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3120,7 +3120,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
return selinux_inode_setotherxattr(dentry, name);
sbsec = inode->i_sb->s_security;
- if (!(sbsec->flags & SBLABEL_MNT))
+ if (!(sbsec->flags & SBLABEL_MNT) && ss_initialized)
return -EOPNOTSUPP;
if (!inode_owner_or_capable(inode))
--
2.7.4
But with this change it would mean for that filesystem types, that
never are supposed to get SBLABEL_MNT flag, code may go through
if !ss_initialized. I have hard time evaluating impication of this,
but it is not existing case or not a big deal.
Generally I agree with your concern that the issue is not "rootfs"
specific. Other thought that it could be solved with use of
selinux_is_sblabel_mnt instead of "rootfs" specific check inside
of selinux_set_mnt_opts, in addition to similar code
in sb_finish_set_opts function. I.e something like this:
>From a94548b5ecde43ccc9c2b02b29becc086b4343a3 Mon Sep 17 00:00:00 2001
From: Victor Kamensky <kamensky@cisco.com>
Date: Fri, 9 Mar 2018 23:01:20 -0800
Subject: [PATCH 1/2] selinux: allow setxattr on rootfs so initramfs code can
set them
initramfs code supporting extended cpio format have ability to
fill extended attributes from cpio archive, but if SELinux enabled
and security server is not initialized yet, selinux callback would
refuse setxattr made by initramfs code.
Solution enable set SBLABEL_MNT on file systems for which we can
figure out that they support securit labels even if secrurity
server is not initialized yet.
Signed-off-by: Victor Kamensky <kamensky@cisco.com>
---
security/selinux/hooks.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 819fd68..326aca9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -701,6 +701,18 @@ static int selinux_set_mnt_opts(struct super_block *sb,
if (!ss_initialized) {
if (!num_opts) {
+ /*
+ * For some of file systems we can mark them as
+ * supporting security labels even before policy
+ * loaded. It may be used by code that may want
+ * to do setxatts before polict load.
+ *
+ * Note after policy loaded this check and marking
+ * happens again.
+ */
+ if (selinux_is_sblabel_mnt(sb))
+ sbsec->flags |= SBLABEL_MNT;
+
/* Defer initialization until selinux_complete_init,
after the initial policy is loaded and the security
server is ready to handle calls. */
--
2.7.4
Thanks,
Victor
>>
>> Signed-off-by: Victor Kamensky <kamensky@cisco.com>
>> ---
>> security/selinux/hooks.c | 12 ++++++++++++
>> 1 file changed, 12 insertions(+)
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 8644d864e3c1..f3fe65589f02 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -706,6 +706,18 @@ static int selinux_set_mnt_opts(struct
>> super_block *sb,
>>
>> if (!ss_initialized) {
>> if (!num_opts) {
>> + /*
>> + * Special handling for rootfs. Is genfs but
>> supports
>> + * setting SELinux context on in-core
>> inodes.
>> + *
>> + * Chicken and egg problem: policy may
>> reside in rootfs
>> + * but for initramfs code to fill in
>> attributes, it
>> + * needs selinux to allow that.
>> + */
>> + if (!strncmp(sb->s_type->name, "rootfs",
>> + sizeof("rootfs")))
>> + sbsec->flags |= SBLABEL_MNT;
>> +
>> /* Defer initialization until
>> selinux_complete_init,
>> after the initial policy is loaded and
>> the security
>> server is ready to handle calls. */
>
next prev parent reply other threads:[~2018-03-11 3:07 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-16 20:33 [PATCH v3 00/15] extend initramfs archive format to support xattrs Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 01/15] Documentation: add newcx initramfs format description Taras Kondratiuk
2018-02-16 20:59 ` H. Peter Anvin
2018-02-16 21:25 ` Rob Landley
2018-02-16 21:47 ` Victor Kamensky
2018-02-17 0:00 ` hpa
2018-02-17 10:04 ` Taras Kondratiuk
2018-02-17 17:32 ` Rob Landley
2018-02-18 0:15 ` Mimi Zohar
2018-02-18 0:24 ` hpa
2018-02-18 0:26 ` hpa
2018-02-18 0:47 ` Mimi Zohar
2018-02-16 20:33 ` [PATCH v3 02/15] initramfs: replace states with function pointers Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 03/15] initramfs: store file name in name_buf Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 04/15] initramfs: remove unnecessary symlinks processing shortcut Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 05/15] initramfs: move files creation into separate state Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 06/15] initramfs: separate reading cpio method from header Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 07/15] initramfs: split header layout information from parsing function Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 08/15] initramfs: add newcx format Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 09/15] initramfs: set extended attributes Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 10/15] gen_init_cpio: move header formatting into function Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 11/15] gen_init_cpio: add newcx format Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 12/15] gen_init_cpio: set extended attributes for " Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 12/14] gen_initramfs_list.sh: add -x option to enable " Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 13/15] " Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 13/14] selinux: allow setxattr on rootfs so initramfs code can set them Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 14/15] " Taras Kondratiuk
2018-02-20 19:01 ` Stephen Smalley
2018-03-11 3:07 ` Victor Kamensky [this message]
2018-03-20 16:33 ` [Non-DoD Source] " Stephen Smalley
2018-02-16 20:33 ` [PATCH v3 14/14] selinux: delay sid population for rootfs till init is complete Taras Kondratiuk
2018-02-16 20:33 ` [PATCH v3 15/15] " Taras Kondratiuk
2018-02-20 18:56 ` Stephen Smalley
2018-03-07 16:51 ` Rob Landley
2018-03-07 17:26 ` Victor Kamensky
2018-03-11 3:08 ` Victor Kamensky
2018-03-20 16:30 ` [Non-DoD Source] " Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.00.1803101848580.24419@sjc-ads-6991.cisco.com \
--to=kamensky@cisco.com \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=eparis@parisplace.org \
--cc=hpa@zytor.com \
--cc=initramfs@vger.kernel.org \
--cc=james.w.mcmechan@gmail.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rob@landley.net \
--cc=sds@tycho.nsa.gov \
--cc=takondra@cisco.com \
--cc=viro@zeniv.linux.org.uk \
--cc=xe-linux-external@cisco.com \
--cc=zohar@linux.vnet.ibm.com \
--subject='Re: [PATCH v3 14/15] selinux: allow setxattr on rootfs so initramfs code can set them' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).