154 lines
6.9 KiB
Diff
154 lines
6.9 KiB
Diff
From mboxrd@z Thu Jan 1 00:00:00 1970
|
|
Return-Path: <SRS0=e2dy=XH=vger.kernel.org=selinux-owner@kernel.org>
|
|
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
|
|
aws-us-west-2-korg-lkml-1.web.codeaurora.org
|
|
X-Spam-Level:
|
|
X-Spam-Status: No, score=-15.0 required=3.0
|
|
tests=HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
|
|
MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT
|
|
autolearn=ham autolearn_force=no version=3.4.0
|
|
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
|
|
by smtp.lore.kernel.org (Postfix) with ESMTP id 0CE63C4CEC5
|
|
for <selinux@archiver.kernel.org>; Thu, 12 Sep 2019 13:30:40 +0000 (UTC)
|
|
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
|
|
by mail.kernel.org (Postfix) with ESMTP id DC0B020CC7
|
|
for <selinux@archiver.kernel.org>; Thu, 12 Sep 2019 13:30:39 +0000 (UTC)
|
|
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
|
id S1732192AbfILNaj (ORCPT <rfc822;selinux@archiver.kernel.org>);
|
|
Thu, 12 Sep 2019 09:30:39 -0400
|
|
Received: from mx1.redhat.com ([209.132.183.28]:52278 "EHLO mx1.redhat.com"
|
|
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
|
|
id S1731687AbfILNaj (ORCPT <rfc822;selinux@vger.kernel.org>);
|
|
Thu, 12 Sep 2019 09:30:39 -0400
|
|
Received: from mail-qt1-f197.google.com (mail-qt1-f197.google.com [209.85.160.197])
|
|
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
|
|
(No client certificate requested)
|
|
by mx1.redhat.com (Postfix) with ESMTPS id 97CC359465
|
|
for <selinux@vger.kernel.org>; Thu, 12 Sep 2019 13:30:38 +0000 (UTC)
|
|
Received: by mail-qt1-f197.google.com with SMTP id c8so13609684qtd.20
|
|
for <selinux@vger.kernel.org>; Thu, 12 Sep 2019 06:30:38 -0700 (PDT)
|
|
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
|
d=1e100.net; s=20161025;
|
|
h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
|
|
:content-transfer-encoding;
|
|
bh=S/MIBrjCy5DTvfqPzJTJqDQQH1pDu780wgGyHs56w4k=;
|
|
b=H7fZr4X/c4ge0SXeHHRXrq3U4J60PWfSRqdCphTWxKjyLvBs8nktbJczT562oH7Hxv
|
|
hdvVjKgAzNxIXFdQetnmveDXojtHFrE21PNdo5ONQIyh35oZyrJB4ewZdUrNfbrvDc2y
|
|
ElMr/HoKEX5pY+GMJE4nzeBotlfCWU9BoAxJPUhzKA9Oib+AqDzQ0hCGH6pQY9RXRXBV
|
|
IMH21FE5dxQGtLHNCJXVxE14edDeRo8qQFWQw6ooogK7JvduuJrWBn3BmCbKz1YLTNZE
|
|
9wRXvaHFVGNhr79JrRcItTp6Sx+tZ3XY46CV+Wi6Rq1fu8MePP9zFdIQXw9wqyd+UgLa
|
|
AIlw==
|
|
X-Gm-Message-State: APjAAAXpWx500L+bZRH8M7OzuSb0aBlsvvjaBYCGvSkzojpa2nRWjtk0
|
|
cjKEj45ivsUgPW2Bbi6CGEtspqM4wmwb72z+ajR4hy5OjMT3KRh6W71HFbVPrlLYQTvse11Ax2d
|
|
wGOma7U/qIGDDYkjh/Q==
|
|
X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094193qtu.11.1568295037636;
|
|
Thu, 12 Sep 2019 06:30:37 -0700 (PDT)
|
|
X-Google-Smtp-Source: APXvYqzybFpoaFyGZXafGEdtHCL3XllpHltaXggcIZEb7De49V/kJzm1pU6vpg1gN8HtgnB3cilLuA==
|
|
X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094176qtu.11.1568295037442;
|
|
Thu, 12 Sep 2019 06:30:37 -0700 (PDT)
|
|
Received: from localhost.localdomain ([12.133.141.2])
|
|
by smtp.gmail.com with ESMTPSA id h68sm11848865qkd.35.2019.09.12.06.30.35
|
|
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
|
|
Thu, 12 Sep 2019 06:30:36 -0700 (PDT)
|
|
From: Jonathan Lebon <jlebon@redhat.com>
|
|
To: selinux@vger.kernel.org
|
|
Cc: Jonathan Lebon <jlebon@redhat.com>,
|
|
Victor Kamensky <kamensky@cisco.com>
|
|
Subject: [PATCH v2] selinux: allow labeling before policy is loaded
|
|
Date: Thu, 12 Sep 2019 09:30:07 -0400
|
|
Message-Id: <20190912133007.27545-1-jlebon@redhat.com>
|
|
X-Mailer: git-send-email 2.21.0
|
|
MIME-Version: 1.0
|
|
Content-Transfer-Encoding: 8bit
|
|
Sender: selinux-owner@vger.kernel.org
|
|
Precedence: bulk
|
|
List-ID: <selinux.vger.kernel.org>
|
|
X-Mailing-List: selinux@vger.kernel.org
|
|
Archived-At: <https://lore.kernel.org/selinux/20190912133007.27545-1-jlebon@redhat.com/>
|
|
List-Archive: <https://lore.kernel.org/selinux/>
|
|
List-Post: <mailto:selinux@vger.kernel.org>
|
|
|
|
Currently, the SELinux LSM prevents one from setting the
|
|
`security.selinux` xattr on an inode without a policy first being
|
|
loaded. However, this restriction is problematic: it makes it impossible
|
|
to have newly created files with the correct label before actually
|
|
loading the policy.
|
|
|
|
This is relevant in distributions like Fedora, where the policy is
|
|
loaded by systemd shortly after pivoting out of the initrd. In such
|
|
instances, all files created prior to pivoting will be unlabeled. One
|
|
then has to relabel them after pivoting, an operation which inherently
|
|
races with other processes trying to access those same files.
|
|
|
|
Going further, there are use cases for creating the entire root
|
|
filesystem on first boot from the initrd (e.g. Container Linux supports
|
|
this today[1], and we'd like to support it in Fedora CoreOS as well[2]).
|
|
One can imagine doing this in two ways: at the block device level (e.g.
|
|
laying down a disk image), or at the filesystem level. In the former,
|
|
labeling can simply be part of the image. But even in the latter
|
|
scenario, one still really wants to be able to set the right labels when
|
|
populating the new filesystem.
|
|
|
|
This patch enables this by changing behaviour in the following two ways:
|
|
1. allow `setxattr` if we're not initialized
|
|
2. don't try to set the in-core inode SID if we're not initialized;
|
|
instead leave it as `LABEL_INVALID` so that revalidation may be
|
|
attempted at a later time
|
|
|
|
Note the first hunk of this patch is mostly the same as a previously
|
|
discussed one[3], though it was part of a larger series which wasn't
|
|
accepted.
|
|
|
|
Co-developed-by: Victor Kamensky <kamensky@cisco.com>
|
|
Signed-off-by: Victor Kamensky <kamensky@cisco.com>
|
|
Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
|
|
|
|
[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html
|
|
[2] https://github.com/coreos/fedora-coreos-tracker/issues/94
|
|
[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html
|
|
|
|
---
|
|
|
|
v2:
|
|
- return early in selinux_inode_setxattr if policy hasn't been loaded
|
|
|
|
---
|
|
|
|
security/selinux/hooks.c | 12 ++++++++++++
|
|
1 file changed, 12 insertions(+)
|
|
|
|
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
|
index 94de51628..dbe96c707 100644
|
|
--- a/security/selinux/hooks.c
|
|
+++ b/security/selinux/hooks.c
|
|
@@ -3142,6 +3142,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
|
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
|
|
}
|
|
|
|
+ if (!selinux_state.initialized)
|
|
+ return (inode_owner_or_capable(inode) ? 0 : -EPERM);
|
|
+
|
|
sbsec = inode->i_sb->s_security;
|
|
if (!(sbsec->flags & SBLABEL_MNT))
|
|
return -EOPNOTSUPP;
|
|
@@ -3225,6 +3228,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
|
|
return;
|
|
}
|
|
|
|
+ if (!selinux_state.initialized) {
|
|
+ /* If we haven't even been initialized, then we can't validate
|
|
+ * against a policy, so leave the label as invalid. It may
|
|
+ * resolve to a valid label on the next revalidation try if
|
|
+ * we've since initialized.
|
|
+ */
|
|
+ return;
|
|
+ }
|
|
+
|
|
rc = security_context_to_sid_force(&selinux_state, value, size,
|
|
&newsid);
|
|
if (rc) {
|
|
--
|
|
2.21.0
|
|
|
|
|