From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754257AbbFOM7C (ORCPT ); Mon, 15 Jun 2015 08:59:02 -0400 Received: from emvm-gh1-uea09.nsa.gov ([63.239.67.10]:65333 "EHLO emvm-gh1-uea09.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750917AbbFOM6y (ORCPT ); Mon, 15 Jun 2015 08:58:54 -0400 X-TM-IMSS-Message-ID: <99468bef00011f6d@nsa.gov> Message-ID: <557ECBC5.7000705@tycho.nsa.gov> Date: Mon, 15 Jun 2015 08:57:41 -0400 From: Stephen Smalley Organization: National Security Agency User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: David Howells CC: linux-unionfs@vger.kernel.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, drquigl , Eric Paris Subject: Re: [PATCH 5/7] SELinux: Handle opening of a unioned file References: <16216.1417109138@warthog.procyon.org.uk> <545A51CB.6070107@tycho.nsa.gov> <20141105154217.2555.578.stgit@warthog.procyon.org.uk> <20141105154307.2555.9847.stgit@warthog.procyon.org.uk> <8813.1434123054@warthog.procyon.org.uk> In-Reply-To: <8813.1434123054@warthog.procyon.org.uk> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/12/2015 11:30 AM, David Howells wrote: > Hi Stephen, > > David Howells wrote: > >> Stephen Smalley wrote: >> >>> Also, would be good to create a common helper for use here, by >>> selinux_dentry_init_security(), selinux_inode_init_security(), and >>> may_create(). Already some seeming potential for inconsistencies there. >> >> selinux_dentry_init_security() and selinux_inode_init_security() do >> something different depending on SECURITY_FS_USE_MNTPOINT. Is the dentry >> variant wrong? Shouldn't it be using the mountpoint label if that flag _is_ >> set? > > Any answer to that? It looks like commit 415103f9932d45f7927f4b17e3a9a13834cdb9a1 changed selinux_inode_init_security()'s handling of SECURITY_FS_USE_MNTPOINT, and this change was never propagated to selinux_dentry_init_security(). However, that commit also did not update security/selinux/hooks.c:may_create()'s logic for computing the new file label when checking CREATE permission, and therefore introduced a potential inconsistency between the label used for the permission check and the label assigned to the inode. That's why I suggested that we need a common helper for all three to ensure consistency there. From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <557ECBC5.7000705@tycho.nsa.gov> Date: Mon, 15 Jun 2015 08:57:41 -0400 From: Stephen Smalley MIME-Version: 1.0 To: David Howells Subject: Re: [PATCH 5/7] SELinux: Handle opening of a unioned file References: <16216.1417109138@warthog.procyon.org.uk> <545A51CB.6070107@tycho.nsa.gov> <20141105154217.2555.578.stgit@warthog.procyon.org.uk> <20141105154307.2555.9847.stgit@warthog.procyon.org.uk> <8813.1434123054@warthog.procyon.org.uk> In-Reply-To: <8813.1434123054@warthog.procyon.org.uk> Content-Type: text/plain; charset=windows-1252 Cc: linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, drquigl , linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: On 06/12/2015 11:30 AM, David Howells wrote: > Hi Stephen, > > David Howells wrote: > >> Stephen Smalley wrote: >> >>> Also, would be good to create a common helper for use here, by >>> selinux_dentry_init_security(), selinux_inode_init_security(), and >>> may_create(). Already some seeming potential for inconsistencies there. >> >> selinux_dentry_init_security() and selinux_inode_init_security() do >> something different depending on SECURITY_FS_USE_MNTPOINT. Is the dentry >> variant wrong? Shouldn't it be using the mountpoint label if that flag _is_ >> set? > > Any answer to that? It looks like commit 415103f9932d45f7927f4b17e3a9a13834cdb9a1 changed selinux_inode_init_security()'s handling of SECURITY_FS_USE_MNTPOINT, and this change was never propagated to selinux_dentry_init_security(). However, that commit also did not update security/selinux/hooks.c:may_create()'s logic for computing the new file label when checking CREATE permission, and therefore introduced a potential inconsistency between the label used for the permission check and the label assigned to the inode. That's why I suggested that we need a common helper for all three to ensure consistency there.