mbox series

[0/1] selinux,smack: don't bypass permissions check in inode_setsecctx hook

Message ID 20240828195129.223395-1-smayhew@redhat.com (mailing list archive)
Headers show
Series selinux,smack: don't bypass permissions check in inode_setsecctx hook | expand

Message

Scott Mayhew Aug. 28, 2024, 7:51 p.m. UTC
Marek Gresko reports that the root user on an NFS client is able to
change the security labels on files on an NFS filesystem that is
exported with root squashing enabled.

I wasn't able to do a bisect on this issue... partially because when I
go back far enough I have trouble building a kernel that actually boots
in a KVM guest, but also because not all of the related code landed in
mainline at the same time (more on that in a bit).

Although I wasn't able to do a bisect, I do believe this behavior goes
all the way back to the introduction of labeled NFS.  I was able to
reproduce this behavior on all versions of RHEL, going all the way back
to RHEL 7.0, which was based on a 3.10 kernel with post-3.10 code
(including the labeled NFS code) backported on top.

The v1 posting of the labeled NFS patchset actually mentions a similar
issue related to root squashing:
https://lore.kernel.org/lkml/7e0fb38c0802280622o75a474deg38157ff6aace16b@mail.gmail.com/t/

There is no mention of root squashing issues (fixed or otherwise) in
subsequent postings.

The inode_setsecctx hooks first appear in v2:
https://lore.kernel.org/all/1221511278-28051-1-git-send-email-dpquigl@tycho.nsa.gov/
The posting mentions other mailing list discussions related to the
hooks, but I'm not really able to find anything specific on why the
caller of the setsecctx hook would be expected to perform the
permissions checking rather than doing it in the hook itself.

The inode_setsecctx hook was merged in September 2009 (merge commit
f6f79190866d).  It looks like this was for labeling support on sysfs,
which used the inode_getsecctx and inode_notifysecctx hooks, but not the
inode_setsecctx hook.  It doesn't look like there was any user of the
inode_setsecctx hook until the labeled NFS code was merged in July 2013
(merge commit 0ff08ba5d066).

The end of the kerneldoc comment for __vfs_setxattr_noperm() states:

 *  This function requires the caller to lock the inode's i_mutex before it
 *  is executed. It also assumes that the caller will make the appropriate
 *  permission checks.

nfsd_setattr() does do permissions checking via fh_verify() and
nfsd_permission(), but those don't do all the same permissions checks
that are done by security_inode_setxattr() and its related LSM hooks do.

Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),
simplest solution appears to be to replace the call to
__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked().  This
fixes the above issue and has the added benefit of causing nfsd to
recall conflicting delegations on a file when a client tries to change
its security label.

I guess it's also worth mentioning that when nfsd rejects root's attempt
to set a label on a file on a root squashed export, the error on the
wire is NFS4ERR_PERM rather than NFS4ERR_ACCESS.

-Scott

Scott Mayhew (1):
  selinux,smack: don't bypass permissions check in inode_setsecctx hook

 security/selinux/hooks.c   | 4 ++--
 security/smack/smack_lsm.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)