Message ID | 20210612081403.16732-1-toiwoton@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Paul Moore |
Series | selinux-notebook: describe nosuid and NNP transitions |
On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:

> > Describe cases where nosuid_transition or nnp_transition are needed. > > Signed-off-by: Topi Miettinen <toiwoton@gmail.com> > --- > src/computing_security_contexts.md | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md > index bb946b5..7bd1d87 100644 > --- a/src/computing_security_contexts.md > +++ b/src/computing_security_contexts.md > @@ -84,7 +84,14 @@ Processes inherit their security context as follows: > *default_type* (policy version 28) or if a security-aware process, > by calling ***setexeccon**(3)* if permitted by policy prior to > invoking exec. > -3. At any time, a security-aware process may invoke ***setcon**(3)* to > +3. If the file system is mounted with *nosuid* flag, type transitions > + require permission *nosuid_transition*. If the thread has > + *no_new_privs* attribute set, the transition requires > + *nnp_transition*. For both transitions, policy capability > + *nnp_nosuid_transition* is also required. See also > + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) > + section.

Thanks for adding this text, however I might suggest the following changes:

"If the loaded SELinux policy has the nnp_nosuid_transition policy capability enabled there are potentially two additional permissions that are required to permit a domain transition: nosuid_transition for nosuid mounted filesystems, and nnp_transition for threads with the no_new_privs flag."

... does that make sense?

> +4. At any time, a security-aware process may invoke ***setcon**(3)* to > switch its security context (if permitted by policy) although this > practice is generally discouraged - exec-based transitions are > preferred. > -- > 2.30.2
On 18.6.2021 6.50, Paul Moore wrote:

> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote: >> >> Describe cases where nosuid_transition or nnp_transition are needed. >> >> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >> --- >> src/computing_security_contexts.md | 9 ++++++++- >> 1 file changed, 8 insertions(+), 1 deletion(-) >> >> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md >> index bb946b5..7bd1d87 100644 >> --- a/src/computing_security_contexts.md >> +++ b/src/computing_security_contexts.md
>> @@ -84,7 +84,14 @@ Processes inherit their security context as follows: >> *default_type* (policy version 28) or if a security-aware process, >> by calling ***setexeccon**(3)* if permitted by policy prior to >> invoking exec. >> -3. At any time, a security-aware process may invoke ***setcon**(3)* to >> +3. If the file system is mounted with *nosuid* flag, type transitions >> + require permission *nosuid_transition*. If the thread has >> + *no_new_privs* attribute set, the transition requires >> + *nnp_transition*. For both transitions, policy capability >> + *nnp_nosuid_transition* is also required. See also >> + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) >> + section. > > Thanks for adding this text, however I might suggest the following changes: > > "If the loaded SELinux policy has the nnp_nosuid_transition policy > capability enabled there are potentially two additional permissions > that are required to permit a domain transition: nosuid_transition for > nosuid mounted filesystems, and nnp_transition for threads with > the no_new_privs flag." > > ... does that make sense?

Yes. I'd then add:

"If nnp_nosuid_transition policy capability is disabled, such domain transitions are denied."

-Topi

>> +4. At any time, a security-aware process may invoke ***setcon**(3)* to >> switch its security context (if permitted by policy) although this >> practice is generally discouraged - exec-based transitions are >> preferred. >> -- >> 2.30.2 >
On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> wrote:

> On 18.6.2021 6.50, Paul Moore wrote: > > On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote: > >> > >> Describe cases where nosuid_transition or nnp_transition are needed. > >> > >> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> > >> --- > >> src/computing_security_contexts.md | 9 ++++++++- > >> 1 file changed, 8 insertions(+), 1 deletion(-) > >> > >> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md > >> index bb946b5..7bd1d87 100644 > >> --- a/src/computing_security_contexts.md > >> +++ b/src/computing_security_contexts.md
> >> @@ -84,7 +84,14 @@ Processes inherit their security context as follows: > >> *default_type* (policy version 28) or if a security-aware process, > >> by calling ***setexeccon**(3)* if permitted by policy prior to > >> invoking exec. > >> -3. At any time, a security-aware process may invoke ***setcon**(3)* to > >> +3. If the file system is mounted with *nosuid* flag, type transitions > >> + require permission *nosuid_transition*. If the thread has > >> + *no_new_privs* attribute set, the transition requires > >> + *nnp_transition*. For both transitions, policy capability > >> + *nnp_nosuid_transition* is also required. See also > >> + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) > >> + section. > > > > Thanks for adding this text, however I might suggest the following changes: > > > > "If the loaded SELinux policy has the nnp_nosuid_transition policy > > capability enabled there are potentially two additional permissions > > that are required to permit a domain transition: nosuid_transition for > > nosuid mounted filesystems, and nnp_transition for threads with > > the no_new_privs flag." > > > > ... does that make sense? > > Yes. I'd then add: > > "If nnp_nosuid_transition policy capability is disabled, such domain > transitions are denied."

In most cases, yes that is correct, but bounded domain transitions are still allowed in the case where the nnp_nosuid_transition policy capability is not enabled.

Did you want to respin the patch with the above changes?
On 18.6.2021 22.32, Paul Moore wrote:

> On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> wrote: >> On 18.6.2021 6.50, Paul Moore wrote: >>> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote: >>>> >>>> Describe cases where nosuid_transition or nnp_transition are needed. >>>> >>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >>>> --- >>>> src/computing_security_contexts.md | 9 ++++++++- >>>> 1 file changed, 8 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md >>>> index bb946b5..7bd1d87 100644 >>>> --- a/src/computing_security_contexts.md >>>> +++ b/src/computing_security_contexts.md
>>>> @@ -84,7 +84,14 @@ Processes inherit their security context as follows: >>>> *default_type* (policy version 28) or if a security-aware process, >>>> by calling ***setexeccon**(3)* if permitted by policy prior to >>>> invoking exec. >>>> -3. At any time, a security-aware process may invoke ***setcon**(3)* to >>>> +3. If the file system is mounted with *nosuid* flag, type transitions >>>> + require permission *nosuid_transition*. If the thread has >>>> + *no_new_privs* attribute set, the transition requires >>>> + *nnp_transition*. For both transitions, policy capability >>>> + *nnp_nosuid_transition* is also required. See also >>>> + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) >>>> + section. >>> >>> Thanks for adding this text, however I might suggest the following changes: >>> >>> "If the loaded SELinux policy has the nnp_nosuid_transition policy >>> capability enabled there are potentially two additional permissions >>> that are required to permit a domain transition: nosuid_transition for >>> nosuid mounted filesystems, and nnp_transition for threads with >>> the no_new_privs flag." >>> >>> ... does that make sense? >> >> Yes. I'd then add: >> >> "If nnp_nosuid_transition policy capability is disabled, such domain >> transitions are denied." > > In most cases, yes that is correct, but bounded domain transitions are > still allowed in the case where the nnp_nosuid_transition policy > capability is not enabled.

I see. May I propose then:

"If nnp_nosuid_transition policy capability is disabled, such domain transitions are denied but bounded domain transitions are still allowed. In bounded transitions, the target domain is only allowed a subset of the permissions of the source domain."

-Topi
On 18.6.2021 23.37, Topi Miettinen wrote:

> On 18.6.2021 22.32, Paul Moore wrote: >> On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> >> wrote: >>> On 18.6.2021 6.50, Paul Moore wrote: >>>> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> >>>> wrote: >>>>> >>>>> Describe cases where nosuid_transition or nnp_transition are needed. >>>>> >>>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >>>>> --- >>>>> src/computing_security_contexts.md | 9 ++++++++- >>>>> 1 file changed, 8 insertions(+), 1 deletion(-) >>>>> >>>>> diff --git a/src/computing_security_contexts.md >>>>> b/src/computing_security_contexts.md >>>>> index bb946b5..7bd1d87 100644 >>>>> --- a/src/computing_security_contexts.md >>>>> +++ b/src/computing_security_contexts.md
>>>>> @@ -84,7 +84,14 @@ Processes inherit their security context as >>>>> follows: >>>>> *default_type* (policy version 28) or if a security-aware >>>>> process, >>>>> by calling ***setexeccon**(3)* if permitted by policy prior to >>>>> invoking exec. >>>>> -3. At any time, a security-aware process may invoke >>>>> ***setcon**(3)* to >>>>> +3. If the file system is mounted with *nosuid* flag, type transitions >>>>> + require permission *nosuid_transition*. If the thread has >>>>> + *no_new_privs* attribute set, the transition requires >>>>> + *nnp_transition*. For both transitions, policy capability >>>>> + *nnp_nosuid_transition* is also required. See also >>>>> + [**Linux Security Module and >>>>> SELinux**](lsm_selinux.md#linux-security-module-and-selinux) >>>>> + section. >>>> >>>> Thanks for adding this text, however I might suggest the following >>>> changes: >>>> >>>> "If the loaded SELinux policy has the nnp_nosuid_transition policy >>>> capability enabled there are potentially two additional permissions >>>> that are required to permit a domain transition: nosuid_transition for >>>> nosuid mounted filesystems, and nnp_transition for threads with >>>> the no_new_privs flag." >>>> >>>> ... does that make sense? >>> >>> Yes. I'd then add: >>> >>> "If nnp_nosuid_transition policy capability is disabled, such domain >>> transitions are denied." >> >> In most cases, yes that is correct, but bounded domain transitions are >> still allowed in the case where the nnp_nosuid_transition policy >> capability is not enabled. > > I see. May I propose then: > > "If nnp_nosuid_transition policy capability is disabled, such domain > transitions are denied but bounded domain transitions are still allowed. > In bounded transitions, the target domain is only allowed a subset of the > permissions of the source domain."

By the way, the background for this patch (and others for mount(2), mount(8) and selinux(8)) was that I recently proposed new heuristics for systemd where, in case no_new_privileges would be implied (for example, due to use of seccomp), all file systems would be mounted `nosuid` since setuid/setgid wouldn't be allowed anyway. The heuristics patch was applied but later reverted because of problems it may cause for SELinux. I didn't know then how SELinux uses the flag to also control domain transitions. Also the case seems to be underdocumented, which I'm trying to improve with the patches.

Regarding the heuristics, perhaps instead of tying MAC behavior (also FS capabilities) to a DAC concept of setuid/setgid with MS_NOSUID, there should be new mount flags which would allow more precise handling of all combinations of SUID, SELinux domain transitions and FS capabilities. For example "nosuid,security=selinux=domain_transitions_allowed:capability=fs_caps_allowed". Then systemd could safely mount all file systems "nosuid" (when NNP is already going to be enforced) while keeping the behavior of SELinux domain transitions and FS capabilities unchanged.

-Topi
On Fri, Jun 18, 2021 at 4:37 PM Topi Miettinen <toiwoton@gmail.com> wrote:

> On 18.6.2021 22.32, Paul Moore wrote: > > On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@gmail.com> wrote: > >> On 18.6.2021 6.50, Paul Moore wrote: > >>> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote: > >>>> > >>>> Describe cases where nosuid_transition or nnp_transition are needed. > >>>> > >>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> > >>>> --- > >>>> src/computing_security_contexts.md | 9 ++++++++- > >>>> 1 file changed, 8 insertions(+), 1 deletion(-) > >>>> > >>>> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md > >>>> index bb946b5..7bd1d87 100644 > >>>> --- a/src/computing_security_contexts.md > >>>> +++ b/src/computing_security_contexts.md
> >>>> @@ -84,7 +84,14 @@ Processes inherit their security context as follows: > >>>> *default_type* (policy version 28) or if a security-aware process, > >>>> by calling ***setexeccon**(3)* if permitted by policy prior to > >>>> invoking exec. > >>>> -3. At any time, a security-aware process may invoke ***setcon**(3)* to > >>>> +3. If the file system is mounted with *nosuid* flag, type transitions > >>>> + require permission *nosuid_transition*. If the thread has > >>>> + *no_new_privs* attribute set, the transition requires > >>>> + *nnp_transition*. For both transitions, policy capability > >>>> + *nnp_nosuid_transition* is also required. See also > >>>> + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) > >>>> + section. > >>> > >>> Thanks for adding this text, however I might suggest the following changes: > >>> > >>> "If the loaded SELinux policy has the nnp_nosuid_transition policy > >>> capability enabled there are potentially two additional permissions > >>> that are required to permit a domain transition: nosuid_transition for > >>> nosuid mounted filesystems, and nnp_transition for threads with > >>> the no_new_privs flag." > >>> > >>> ... does that make sense? > >> > >> Yes. I'd then add: > >> > >> "If nnp_nosuid_transition policy capability is disabled, such domain > >> transitions are denied." > > > > In most cases, yes that is correct, but bounded domain transitions are > > still allowed in the case where the nnp_nosuid_transition policy > > capability is not enabled. > > I see. May I propose then: > > "If nnp_nosuid_transition policy capability is disabled, such domain > transitions are denied but bounded domain transitions are still allowed. > In bounded transitions, the target domain is only allowed a subset of the > permissions of the source domain."

That sounds good to me.
diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md index bb946b5..7bd1d87 100644 --- a/src/computing_security_contexts.md +++ b/src/computing_security_contexts.md @@ -84,7 +84,14 @@ Processes inherit their security context as follows: *default_type* (policy version 28) or if a security-aware process, by calling ***setexeccon**(3)* if permitted by policy prior to invoking exec. -3. At any time, a security-aware process may invoke ***setcon**(3)* to +3. If the file system is mounted with *nosuid* flag, type transitions + require permission *nosuid_transition*. If the thread has + *no_new_privs* attribute set, the transition requires + *nnp_transition*. For both transitions, policy capability + *nnp_nosuid_transition* is also required. See also + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) + section. +4. At any time, a security-aware process may invoke ***setcon**(3)* to switch its security context (if permitted by policy) although this practice is generally discouraged - exec-based transitions are preferred.
Describe cases where nosuid_transition or nnp_transition are needed.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 src/computing_security_contexts.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)