[RFC,30/44] selinux: add limits for SELinux namespaces

Message ID	20250102164509.25606-31-stephen.smalley.work@gmail.com (mailing list archive)
State	New
Delegated to:	Paul Moore
Headers	show Received: from mail-qt1-f172.google.com (mail-qt1-f172.google.com [209.85.160.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7EA5515666D for <selinux@vger.kernel.org>; Thu, 2 Jan 2025 16:45:57 +0000 (UTC) From: Stephen Smalley <stephen.smalley.work@gmail.com> To: selinux@vger.kernel.org Cc: paul@paul-moore.com, omosnace@redhat.com, Stephen Smalley <stephen.smalley.work@gmail.com> Subject: [RFC PATCH 30/44] selinux: add limits for SELinux namespaces Date: Thu, 2 Jan 2025 11:44:55 -0500 Message-Id: <20250102164509.25606-31-stephen.smalley.work@gmail.com> In-Reply-To: <20250102164509.25606-1-stephen.smalley.work@gmail.com> References: <20250102164509.25606-1-stephen.smalley.work@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	SELinux namespace support \| expand [RFC,00/44] SELinux namespace support [RFC,01/44] selinux: restore passing of selinux_state [RFC,02/44] selinux: introduce current_selinux_state [RFC,03/44] selinux: support multiple selinuxfs instances [RFC,04/44] selinux: dynamically allocate selinux namespace [RFC,05/44] netstate,selinux: create the selinux netlink socket per network namespace [RFC,06/44] selinux: support per-task/cred selinux namespace [RFC,07/44] selinux: introduce cred_selinux_state() and use it [RFC,08/44] selinux: add a selinuxfs interface to unshare selinux namespace [RFC,09/44] selinuxfs: restrict write operations to the same selinux namespace [RFC,10/44] selinux: introduce a global SID table [RFC,11/44] selinux: wrap security server interfaces to use the global SID table [RFC,12/44] selinux: update hook functions to use correct selinux namespace [RFC,13/44] selinux: introduce cred_task_has_perm() [RFC,14/44] selinux: introduce cred_has_extended_perms() [RFC,15/44] selinux: introduce cred_self_has_perm() [RFC,16/44] selinux: introduce cred_has_perm() [RFC,17/44] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() [RFC,18/44] selinux: introduce task_obj_perm() [RFC,19/44] selinux: fix selinux_lsm_getattr() check [RFC,20/44] selinux: update bprm hooks for selinux namespaces [RFC,21/44] selinux: add kerneldoc to new permission checking functions [RFC,22/44] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper [RFC,23/44] selinux: rename cred_has_perm() to cred_tsid_has_perm() [RFC,24/44] selinux: convert additional checks to cred_ssid_has_perm() [RFC,25/44] selinux: introduce selinux_state_has_perm() [RFC,26/44] selinux: annotate selinuxfs permission checks [RFC,27/44] selinux: annotate process transition permission checks [RFC,28/44] selinux: convert xfrm and netlabel permission checks [RFC,29/44] selinux: switch selinux_lsm_setattr() checks to current namespace [RFC,30/44] selinux: add limits for SELinux namespaces [RFC,31/44] selinux: fix namespace creation [RFC,32/44] selinux: limit selinux netlink notifications to init namespace [RFC,33/44] selinux: refactor selinux_state_create() [RFC,34/44] selinux: make open_perms namespace-aware [RFC,35/44] selinux: split cred_ssid_has_perm() into two cases [RFC,36/44] selinux: set initial SID context for init to "kernel" in global SID table [RFC,37/44] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces [RFC,38/44] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware [RFC,39/44] selinux: defer inode init on current selinux state [RFC,40/44] selinux: init inode from nearest initialized namespace [RFC,41/44] selinux: allow userspace to detect non-init SELinux namespace [RFC,42/44] selinux: exempt creation of init SELinux namespace from limits [RFC,43/44] selinux: introduce a Kconfig option for SELinux namespaces [RFC,44/44] selinux: fix inode initialization when no namespace is initialized

Message ID

20250102164509.25606-31-stephen.smalley.work@gmail.com (mailing list archive)

State

New

Delegated to:

Paul Moore

Headers

From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com,
	omosnace@redhat.com,
	Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [RFC PATCH 30/44] selinux: add limits for SELinux namespaces
Date: Thu,  2 Jan 2025 11:44:55 -0500
Message-Id: <20250102164509.25606-31-stephen.smalley.work@gmail.com>
In-Reply-To: <20250102164509.25606-1-stephen.smalley.work@gmail.com>
References: <20250102164509.25606-1-stephen.smalley.work@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

SELinux namespace support | expand

Commit Message

Stephen Smalley Jan. 2, 2025, 4:44 p.m. UTC

Add maxns and maxnsdepth limits for SELinux namespaces
to enable control over the max number of SELinux namespaces
and the max depth to which one can nest SELinux namespaces.
Provide Kconfig options to control the default values for both
limits, and allow them to be overridden via selinuxfs in the
init SELinux namespace only.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/Kconfig            |  18 ++++
 security/selinux/hooks.c            |  18 +++-
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/security.h |   2 +
 security/selinux/selinuxfs.c        | 129 ++++++++++++++++++++++++++++
 5 files changed, 167 insertions(+), 2 deletions(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 61abc1e094a8..82db54462253 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -87,3 +87,21 @@  config SECURITY_SELINUX_DEBUG
 
 		echo -n 'file "security/selinux/*" +p' > \
 			/proc/dynamic_debug/control
+
+config SECURITY_SELINUX_MAXNS
+	int "SELinux default maximum number of namespaces"
+	depends on SECURITY_SELINUX
+	range 0 65535
+	default 65535
+	help
+	  This option sets the default maximum number of SELinux namespaces.
+	  The value may be viewed or modified via /sys/fs/selinux/maxns.
+
+config SECURITY_SELINUX_MAXNSDEPTH
+	int "SELinux default maximum depth of namespaces"
+	depends on SECURITY_SELINUX
+	range 0 32
+	default 32
+	help
+	  This option sets the default maximum depth of SELinux namespaces.
+	  The value may be viewed or modified via /sys/fs/selinux/maxnsdepth.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d9a1d2e075a8..3bf4428ccfca 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7571,6 +7571,11 @@  static struct security_hook_list selinux_hooks[] __ro_after_init = {
 
 static void selinux_state_free(struct work_struct *work);
 
+unsigned int selinux_maxns = CONFIG_SECURITY_SELINUX_MAXNS;
+unsigned int selinux_maxnsdepth = CONFIG_SECURITY_SELINUX_MAXNSDEPTH;
+
+static atomic_t selinux_nsnum = ATOMIC_INIT(0);
+
 int selinux_state_create(struct selinux_state *parent,
 			 u32 creator_sid,
 			 struct selinux_state **state)
@@ -7578,6 +7583,12 @@  int selinux_state_create(struct selinux_state *parent,
 	struct selinux_state *newstate;
 	int rc;
 
+	if (atomic_read(&selinux_nsnum) >= selinux_maxns)
+		return -ENOSPC;
+
+	if (parent && parent->depth >= selinux_maxnsdepth)
+		return -ENOSPC;
+
 	newstate = kzalloc(sizeof(*newstate), GFP_KERNEL);
 	if (!newstate)
 		return -ENOMEM;
@@ -7594,8 +7605,12 @@  int selinux_state_create(struct selinux_state *parent,
 	if (rc)
 		goto err;
 
-	if (parent)
+	if (parent) {
 		newstate->parent = get_selinux_state(parent);
+		newstate->depth = parent->depth + 1;
+	}
+
+	atomic_inc(&selinux_nsnum);
 
 	*state = newstate;
 	return 0;
@@ -7615,6 +7630,7 @@  static void selinux_state_free(struct work_struct *work)
 			__free_page(state->status_page);
 		selinux_policy_free(state->policy);
 		selinux_avc_free(state->avc);
+		atomic_dec(&selinux_nsnum);
 		kfree(state);
 		state = parent;
 	} while (state && refcount_dec_and_test(&state->count));
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 84285fba2c06..425cd18a1fa8 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -50,7 +50,7 @@  const struct security_class_mapping secclass_map[] = {
 	  { "compute_av", "compute_create", "compute_member", "check_context",
 	    "load_policy", "compute_relabel", "compute_user", "setenforce",
 	    "setbool", "setsecparam", "setcheckreqprot", "read_policy",
-	    "validate_trans", "unshare", NULL } },
+	    "validate_trans", "unshare", "setmaxns", "setmaxnsdepth", NULL } },
 	{ "process",
 	  { "fork",	    "transition",    "sigchld",	    "sigkill",
 	    "sigstop",	    "signull",	     "signal",	    "ptrace",
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index bf2d13227113..830f890b4cb9 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -111,10 +111,12 @@  struct selinux_state {
 	refcount_t count;
 	struct work_struct work;
 	u32 creator_sid; /* SID of namespace creator */
+	unsigned short depth;
 } __randomize_layout;
 
 extern struct selinux_state *init_selinux_state;
 
+extern unsigned int selinux_maxns, selinux_maxnsdepth;
 int selinux_state_create(struct selinux_state *parent, u32 creator_sid,
 			 struct selinux_state **state);
 void __put_selinux_state(struct selinux_state *state);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 590c883ae86d..7a0947dece69 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -66,6 +66,8 @@  enum sel_inos {
 	SEL_POLICY,	/* allow userspace to read the in kernel policy */
 	SEL_VALIDATE_TRANS, /* compute validatetrans decision */
 	SEL_UNSHARE,	    /* unshare selinux namespace */
+	SEL_MAXNS,	    /* maximum number of SELinux namespaces */
+	SEL_MAXNSDEPTH,	    /* maximum depth of SELinux namespaces */
 	SEL_INO_NEXT,	/* The next inode number to use */
 };
 
@@ -399,6 +401,131 @@  static const struct file_operations sel_unshare_ops = {
 	.llseek		= generic_file_llseek,
 };
 
+static ssize_t sel_read_maxns(struct file *filp, char __user *buf,
+			     size_t count, loff_t *ppos)
+{
+	char tmpbuf[TMPBUFLEN];
+	ssize_t length;
+
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%u", selinux_maxns);
+	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+
+
+static ssize_t sel_write_maxns(struct file *file, const char __user *buf,
+				 size_t count, loff_t *ppos)
+
+{
+	struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
+	struct selinux_state *state = fsi->state;
+	char *page = NULL;
+	ssize_t length;
+
+	/*
+	 * Only permit setting from the init SELinux namespace, and only
+	 * on the init SELinux namespace.
+	 */
+	if (current_selinux_state != init_selinux_state ||
+	    state != init_selinux_state)
+		return -EPERM;
+
+	length = avc_has_perm(current_selinux_state,
+			      current_sid(), SECINITSID_SECURITY,
+			      SECCLASS_SECURITY, SECURITY__SETMAXNS,
+			      NULL);
+	if (length)
+		return length;
+
+	if (count >= PAGE_SIZE)
+		return -ENOMEM;
+
+	/* No partial writes. */
+	if (*ppos != 0)
+		return -EINVAL;
+
+	page = memdup_user_nul(buf, count);
+	if (IS_ERR(page))
+		return PTR_ERR(page);
+
+	length = kstrtouint(page, 0, &selinux_maxns);
+	if (length)
+		goto out;
+
+	length = count;
+out:
+	kfree(page);
+	return length;
+}
+
+static const struct file_operations sel_maxns_ops = {
+	.read		= sel_read_maxns,
+	.write		= sel_write_maxns,
+	.llseek		= generic_file_llseek,
+};
+
+static ssize_t sel_read_maxnsdepth(struct file *filp, char __user *buf,
+				   size_t count, loff_t *ppos)
+{
+	char tmpbuf[TMPBUFLEN];
+	ssize_t length;
+
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%u", selinux_maxnsdepth);
+	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+
+
+static ssize_t sel_write_maxnsdepth(struct file *file, const char __user *buf,
+				    size_t count, loff_t *ppos)
+
+{
+	struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
+	struct selinux_state *state = fsi->state;
+	char *page = NULL;
+	ssize_t length;
+
+	/*
+	 * Only permit setting from the init SELinux namespace, and only
+	 * on the init SELinux namespace.
+	 */
+	if (current_selinux_state != init_selinux_state ||
+	    state != init_selinux_state)
+		return -EPERM;
+
+	length = avc_has_perm(current_selinux_state,
+			      current_sid(), SECINITSID_SECURITY,
+			      SECCLASS_SECURITY, SECURITY__SETMAXNSDEPTH,
+			      NULL);
+	if (length)
+		return length;
+
+	if (count >= PAGE_SIZE)
+		return -ENOMEM;
+
+	/* No partial writes. */
+	if (*ppos != 0)
+		return -EINVAL;
+
+	page = memdup_user_nul(buf, count);
+	if (IS_ERR(page))
+		return PTR_ERR(page);
+
+	length = kstrtouint(page, 0, &selinux_maxnsdepth);
+	if (length)
+		goto out;
+
+	length = count;
+out:
+	kfree(page);
+	return length;
+}
+
+static const struct file_operations sel_maxnsdepth_ops = {
+	.read		= sel_read_maxnsdepth,
+	.write		= sel_write_maxnsdepth,
+	.llseek		= generic_file_llseek,
+};
+
+
 static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
 				   size_t count, loff_t *ppos)
 {
@@ -2213,6 +2340,8 @@  static int sel_fill_super(struct super_block *sb, struct fs_context *fc)
 		[SEL_VALIDATE_TRANS] = {"validatetrans", &sel_transition_ops,
 					S_IWUGO},
 		[SEL_UNSHARE] = {"unshare", &sel_unshare_ops, 0200},
+		[SEL_MAXNS] = {"maxns", &sel_maxns_ops, 0600},
+		[SEL_MAXNSDEPTH] = {"maxnsdepth", &sel_maxnsdepth_ops, 0600},
 		/* last one */ {""}
 	};

[RFC,30/44] selinux: add limits for SELinux namespaces

Commit Message

Patch