Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2]

From: Stephen Smalley
Date: Wed Jun 05 2019 - 14:29:56 EST

On 6/5/19 1:47 PM, Andy Lutomirski wrote:

On Jun 5, 2019, at 10:01 AM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:

On 6/5/2019 9:04 AM, Andy Lutomirski wrote:
On Wed, Jun 5, 2019 at 7:51 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
On 6/5/2019 1:41 AM, David Howells wrote:
Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:

I will try to explain the problem once again. If process A
sends a signal (writes information) to process B the kernel
checks that either process A has the same UID as process B
or that process A has privilege to override that policy.
Process B is passive in this access control decision, while
process A is active. In the event delivery case, process A
does something (e.g. modifies a keyring) that generates an
event, which is then sent to process B's event buffer.
I think this might be the core sticking point here. It looks like two
different situations:

(1) A explicitly sends event to B (eg. signalling, sendmsg, etc.)

(2) A implicitly and unknowingly sends event to B as a side effect of some
other action (eg. B has a watch for the event A did).

The LSM treats them as the same: that is B must have MAC authorisation to send
a message to A.

Threat is about what you can do, not what you intend to do.

And it would be really great if you put some thought into what
a rational model would be for UID based controls, too.

But there are problems with not sending the event:

(1) B's internal state is then corrupt (or, at least, unknowingly invalid).
Then B is a badly written program.
Either I'm misunderstanding you or I strongly disagree.

A program needs to be aware of the conditions under
which it gets event, *including the possibility that
it may not get an event that it's not allowed*. Do you
regularly write programs that go into corrupt states
if an open() fails? Or where read() returns less than
the amount of data you ask for?

I do not regularly write programs that handle read() omitting data in the middle of a TCP stream. I also donât write programs that wait for processes to die and need to handle the case where a child is dead, waitid() can see it, but SIGCHLD wasnât sent because âsecurityâ.

If B has
authority to detect a certain action, and A has authority to perform
that action, then refusing to notify B because B is somehow missing
some special authorization to be notified by A is nuts.

You are hand-waving the notion of authority. You are assuming
that if A can read X and B can read X that A can write B.

No, read it again please. Iâm assuming that if A can *write* X and B can read X then A can send information to B.

I guess the questions here are:

1) How do we handle recursive notification support, since we can't check that B can read everything below a given directory easily? Perhaps we can argue that if I have watch permission to / then that implies visibility to everything below it but that is rather broad.

2) Is there always a corresponding labeled object in view for each of these notifications to which we can check access when the watch is set?

3) Are notifications only generated for write events or can they be generated by processes that only have read access to the object?