| Message ID | 20220224102417.42268-1-richard_c_haines@btinternet.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | [V3] security/selinux: Always allow FIOCLEX and FIONCLEX | expand |
On Thu, Feb 24, 2022 at 5:24 AM Richard Haines <richard_c_haines@btinternet.com> wrote: > > These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux > always allows too. Furthermore, a failed FIOCLEX could result in a file > descriptor being leaked to a process that should not have access to it. > > As this patch removes access controls, a policy capability needs to be > enabled in policy to always allow these ioctls. > > Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> > --- > V2 Change: Control via a policy capability. > V3 Change: Update switch check. > > security/selinux/hooks.c | 6 ++++++ > security/selinux/include/policycap.h | 1 + > security/selinux/include/policycap_names.h | 3 ++- > security/selinux/include/security.h | 7 +++++++ > 4 files changed, 16 insertions(+), 1 deletion(-) This looks good to me, but before I merge this are the SELinux userspace folks okay with the policy capability's name and enum value? > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 5b6895e4f..d369c2d82 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3745,6 +3745,12 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, > CAP_OPT_NONE, true); > break; > > + case FIOCLEX: > + case FIONCLEX: > + if (!selinux_policycap_ioctl_skip_cloexec()) > + error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); > + break; > + > /* default case assumes that the command will go > * to the file's ioctl() function. > */ > diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h > index 2ec038efb..44d73dc32 100644 > --- a/security/selinux/include/policycap.h > +++ b/security/selinux/include/policycap.h > @@ -11,6 +11,7 @@ enum { > POLICYDB_CAPABILITY_CGROUPSECLABEL, > POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, > POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, > + POLICYDB_CAPABILITY_IOCTL_CLOEXEC, > __POLICYDB_CAPABILITY_MAX > }; > #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) > diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h > index b89289f09..ebd64afe1 100644 > --- a/security/selinux/include/policycap_names.h > +++ b/security/selinux/include/policycap_names.h > @@ -12,7 +12,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { > "always_check_network", > "cgroup_seclabel", > "nnp_nosuid_transition", > - "genfs_seclabel_symlinks" > + "genfs_seclabel_symlinks", > + "ioctl_skip_cloexec" > }; > > #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ > diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h > index ac0ece013..8a789c22b 100644 > --- a/security/selinux/include/security.h > +++ b/security/selinux/include/security.h > @@ -219,6 +219,13 @@ static inline bool selinux_policycap_genfs_seclabel_symlinks(void) > return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]); > } > > +static inline bool selinux_policycap_ioctl_skip_cloexec(void) > +{ > + struct selinux_state *state = &selinux_state; > + > + return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_IOCTL_CLOEXEC]); > +} > + > struct selinux_policy_convert_data; > > struct selinux_load_state { > -- > 2.35.1
On Fri, Feb 25, 2022 at 1:34 AM Paul Moore <paul@paul-moore.com> wrote: > On Thu, Feb 24, 2022 at 5:24 AM Richard Haines > <richard_c_haines@btinternet.com> wrote: > > > > These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux > > always allows too. Furthermore, a failed FIOCLEX could result in a file > > descriptor being leaked to a process that should not have access to it. > > > > As this patch removes access controls, a policy capability needs to be > > enabled in policy to always allow these ioctls. > > > > Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com> > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> > > --- > > V2 Change: Control via a policy capability. > > V3 Change: Update switch check. > > > > security/selinux/hooks.c | 6 ++++++ > > security/selinux/include/policycap.h | 1 + > > security/selinux/include/policycap_names.h | 3 ++- > > security/selinux/include/security.h | 7 +++++++ > > 4 files changed, 16 insertions(+), 1 deletion(-) > > This looks good to me, but before I merge this are the SELinux > userspace folks okay with the policy capability's name and enum value? Since you mention it... I would suggest naming the enum POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC to match the display name. Yes, it becomes awkwardly long, but e.g. POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS is already longer than that, so I'd prefer more descriptiveness over brevity. (IMHO the POLICYDB_CAPABILITY_ prefix is ridiculously long for no reason and we should simply shorten it (just POLCAP_ would be perfectly fine, IMHO) instead of trying to abbreviate the rest. Of course, this doesn't have to be done now - I'm taking a note to myself to splice in such rename next time I add a new capability, if not earlier.) -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
On Fri, Feb 25, 2022 at 5:02 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > (IMHO the POLICYDB_CAPABILITY_ prefix is ridiculously long for no > reason and we should simply shorten it (just POLCAP_ would be > perfectly fine, IMHO) instead of trying to abbreviate the rest. Of > course, this doesn't have to be done now - I'm taking a note to myself > to splice in such rename next time I add a new capability, if not > earlier.) Yeah, that prefix is probably longer than it needs to be. Since we're at -rc5 right now, with -rc6 just a few days away, I'll go ahead and toss out a patch to shorten the names next week. While I have very mixed feelings on style/formatting-only patches, things like this should go into selinux/next at the end of the -rcX cycle so as not to cause unnecessary conflicts for people making "real" changes :)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5b6895e4f..d369c2d82 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3745,6 +3745,12 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, CAP_OPT_NONE, true); break; + case FIOCLEX: + case FIONCLEX: + if (!selinux_policycap_ioctl_skip_cloexec()) + error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); + break; + /* default case assumes that the command will go * to the file's ioctl() function. */ diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h index 2ec038efb..44d73dc32 100644 --- a/security/selinux/include/policycap.h +++ b/security/selinux/include/policycap.h @@ -11,6 +11,7 @@ enum { POLICYDB_CAPABILITY_CGROUPSECLABEL, POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, + POLICYDB_CAPABILITY_IOCTL_CLOEXEC, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h index b89289f09..ebd64afe1 100644 --- a/security/selinux/include/policycap_names.h +++ b/security/selinux/include/policycap_names.h @@ -12,7 +12,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { "always_check_network", "cgroup_seclabel", "nnp_nosuid_transition", - "genfs_seclabel_symlinks" + "genfs_seclabel_symlinks", + "ioctl_skip_cloexec" }; #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ac0ece013..8a789c22b 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -219,6 +219,13 @@ static inline bool selinux_policycap_genfs_seclabel_symlinks(void) return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]); } +static inline bool selinux_policycap_ioctl_skip_cloexec(void) +{ + struct selinux_state *state = &selinux_state; + + return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_IOCTL_CLOEXEC]); +} + struct selinux_policy_convert_data; struct selinux_load_state {
These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux always allows too. Furthermore, a failed FIOCLEX could result in a file descriptor being leaked to a process that should not have access to it. As this patch removes access controls, a policy capability needs to be enabled in policy to always allow these ioctls. Based-on-patch-by: Demi Marie Obenour <demiobenour@gmail.com> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- V2 Change: Control via a policy capability. V3 Change: Update switch check. security/selinux/hooks.c | 6 ++++++ security/selinux/include/policycap.h | 1 + security/selinux/include/policycap_names.h | 3 ++- security/selinux/include/security.h | 7 +++++++ 4 files changed, 16 insertions(+), 1 deletion(-)