| Message ID | 20200812140907.1102299-1-dburgener@linux.microsoft.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Update SELinuxfs out of tree and then swapover | expand |
On Wed, Aug 12, 2020 at 10:09 AM Daniel Burgener <dburgener@linux.microsoft.com> wrote: > > In the current implementation, on policy load /sys/fs/selinux is updated > by deleting the previous contents of > /sys/fs/selinux/{class,booleans,policy_capabilities} and then recreating > them. This means that there is a period of time when the contents of > these directories do not exist which can cause race conditions as > userspace relies on them for information about the policy. In addition, > it means that error recovery in the event of failure is challenging. I haven't looked closely yet, but note that my patches stopped removing the policy_capabilities directory entries altogether and only create them during initialization of the mount, because the set of directory entries is not policy-dependent (only the values read from them are policy-dependent, not the names themselves). It was a mistake to ever re-create those entries in the first place. So you only need to deal with the class and booleans directories in your patches. Also, I would recommend cc'ing viro and linux-fsdevel on your patch set in addition to selinux so that they can look at it from a vfs point of view.
On 8/12/20 2:51 PM, Stephen Smalley wrote: > On Wed, Aug 12, 2020 at 10:09 AM Daniel Burgener > <dburgener@linux.microsoft.com> wrote: >> In the current implementation, on policy load /sys/fs/selinux is updated >> by deleting the previous contents of >> /sys/fs/selinux/{class,booleans,policy_capabilities} and then recreating >> them. This means that there is a period of time when the contents of >> these directories do not exist which can cause race conditions as >> userspace relies on them for information about the policy. In addition, >> it means that error recovery in the event of failure is challenging. > I haven't looked closely yet, but note that my patches stopped > removing the policy_capabilities directory entries altogether and only > create them during initialization of the mount, because the set of > directory entries is not policy-dependent (only the values read from > them are policy-dependent, not the names themselves). It was a > mistake to ever re-create those entries in the first place. So you > only need to deal with the class and booleans directories in your > patches. Also, I would recommend cc'ing viro and linux-fsdevel on > your patch set in addition to selinux so that they can look at it from > a vfs point of view. Oops, that was a mistake in the fixing up of the cover letter. When I rebased on your patches I fixed that issue in code and in the commit message for the second patch in the series, but it looks like I missed it here and in the other commit messages. I'll clean that up and resend with the additional ccs. Thanks! -Daniel
In the current implementation, on policy load /sys/fs/selinux is updated by deleting the previous contents of /sys/fs/selinux/{class,booleans,policy_capabilities} and then recreating them. This means that there is a period of time when the contents of these directories do not exist which can cause race conditions as userspace relies on them for information about the policy. In addition, it means that error recovery in the event of failure is challenging. This patch series follows the design outlined by Al Viro in a previous e-mail to the list[1]. This approach is to first create the new directory structures out of tree, then to perform the swapover, and finally to delete the old directories. Not handled in this series is error recovery in the event of failure. Error recovery in the selinuxfs recreation is unhandled in the current code, so this series will not cause any regression in this regard. Handling directory recreation in this manner is a prerequisite to make proper error handling possible. In order to demonstrate the race condition that this series fixes, you can use the following commands: while true; do cat /sys/fs/selinux/class/service/perms/status >/dev/null; done & while true; do load_policy; done; In the existing code, this will display errors fairly often as the class lookup fails. (In normal operation from systemd, this would result in a permission check which would be allowed or denied based on policy settings around unknown object classes.) After applying this patch series you should expect to no longer see such error messages. This series is relative to https://patchwork.kernel.org/patch/11705743/, Stephen Smalley's series to split policy loading into a prep and commit. [1] https://lore.kernel.org/selinux/20181002155810.GP32577@ZenIV.linux.org.uk/ Daniel Burgener (4): selinux: Create function for selinuxfs directory cleanup selinux: Refactor selinuxfs directory populating functions selinux: Standardize string literal usage for selinuxfs directory names selinux: Create new booleans, class and policycap dirs out of tree security/selinux/selinuxfs.c | 200 +++++++++++++++++++++++++++-------- 1 file changed, 158 insertions(+), 42 deletions(-)