Re: [PATCH 5/7] SELinux: Handle opening of a unioned file
From: Stephen Smalley
Date: Wed Nov 05 2014 - 11:53:58 EST
On 11/05/2014 10:43 AM, David Howells wrote:
> Handle the opening of a unioned file by trying to derive the label that would
> be attached to the union-layer inode if it doesn't exist.
>
> If the union-layer inode does exist (as it necessarily does in overlayfs, but
> not in unionmount), we assume that it has the right label and use that.
> Otherwise we try to get it from the superblock.
>
> If the superblock has a globally-applied label, we use that, otherwise we try
> to transition to an appropriate label. This union label is then stored in the
> file_security_struct.
>
> We then perform an additional check to make sure that the calling task is
> granted permission by the union-layer inode label to open the file in addition
> to a check to make sure that the task is granted permission to open the lower
> file with the lower inode label.
>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> ---
>
> security/selinux/hooks.c | 56 +++++++++++++++++++++++++++++++++++++
> security/selinux/include/objsec.h | 1 +
> 2 files changed, 57 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6fd8090cc7a5..f43f07fdc028 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3431,6 +3431,58 @@ static int selinux_file_receive(struct file *file)
> return file_has_perm(cred, file, file_to_av(file));
> }
>
> +/*
> + * We have a file opened on a unioned file system that falls through to a file
> + * on a lower layer. If there is a union inode, we try to get the label from
> + * that, otherwise we need to get it from the superblock.
> + */
> +static int selinux_file_open_union(struct file *file,
> + const struct path *union_path,
> + struct file_security_struct *fsec,
> + const struct cred *cred)
> +{
> + const struct superblock_security_struct *sbsec;
> + const struct inode_security_struct *isec, *dsec;
> + const struct task_security_struct *tsec = current_security();
> + struct common_audit_data ad;
> + const struct inode *inode = union_path->dentry->d_inode;
> + struct dentry *dir;
> + int rc;
> +
> + sbsec = union_path->dentry->d_sb->s_security;
> +
> + if (inode) {
> + isec = inode->i_security;
> + fsec->union_isid = isec->sid;
> + } else if ((sbsec->flags & SE_SBINITIALIZED) &&
> + (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
> + fsec->union_isid = sbsec->mntpoint_sid;
> + } else {
> + dir = dget_parent(union_path->dentry);
> + dsec = dir->d_inode->i_security;
> +
> + rc = security_transition_sid(
> + tsec->sid, dsec->sid,
> + inode_mode_to_security_class(file_inode(file)->i_mode),
> + &union_path->dentry->d_name,
> + &fsec->union_isid);
> + dput(dir);
> + if (rc) {
> + printk(KERN_WARNING "%s: "
> + "security_transition_sid failed, rc=%d (name=%pD)\n",
> + __func__, -rc, file);
> + return rc;
> + }
> + }
How do we know that this union_isid will bear any relation to the actual
SID assigned to the union inode when it is created? If the union inode
does not already exist, when/where does it get created?
Also, would be good to create a common helper for use here, by
selinux_dentry_init_security(), selinux_inode_init_security(), and
may_create(). Already some seeming potential for inconsistencies there.
> +
> + /* We need to check that the union file is allowed to be opened as well
> + * as checking that the lower file is allowed to be opened.
> + */
> + ad.type = LSM_AUDIT_DATA_PATH;
> + ad.u.path = *union_path;
> + return inode_has_perm(cred, file_inode(file), fsec->union_isid, &ad);
Something is seriously wrong here; you are passing fsec->union_isid
where we expect a permissions bitmap / access vector.
> +}
> +
> static int selinux_file_open(struct file *file, const struct path *union_path,
> const struct cred *cred)
> {
> @@ -3456,6 +3508,10 @@ static int selinux_file_open(struct file *file, const struct path *union_path,
> * new inode label or new policy.
> * This check is not redundant - do not remove.
> */
> +
> + if (union_path->dentry != file->f_path.dentry)
> + selinux_file_open_union(file, union_path, fsec, cred);
Ignored return value.
> +
> return file_path_has_perm(cred, file, open_file_to_av(file));
> }
>
> diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
> index 81fa718d5cb3..f088c080aa9e 100644
> --- a/security/selinux/include/objsec.h
> +++ b/security/selinux/include/objsec.h
> @@ -54,6 +54,7 @@ struct file_security_struct {
> u32 sid; /* SID of open file description */
> u32 fown_sid; /* SID of file owner (for SIGIO) */
> u32 isid; /* SID of inode at the time of file open */
> + u32 union_isid; /* SID of would-be inodes in union top (or 0) */
> u32 pseqno; /* Policy seqno at the time of file open */
> };
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxxx
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxxx
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/