Re: [RFC PATCH 22/27] KEYS: Replace uid/gid/perm permissions checking with an ACL

[RFC PATCH 00/27] Containers and using authenticated filesystems · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 01/27] containers: Rename linux/container.h to linux/container_dev.h · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 02/27] containers: Implement containers as kernel objects · David Howells <dhowells@redhat.com> · 2019-02-15
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Trond Myklebust <hidden> · 2019-02-17
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · David Howells <dhowells@redhat.com> · 2019-02-19
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Trond Myklebust <hidden> · 2019-02-20
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · James Bottomley <James.Bottomley@HansenPartnership.com> · 2019-02-17
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · David Howells <dhowells@redhat.com> · 2019-02-19
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · James Bottomley <James.Bottomley@HansenPartnership.com> · 2019-02-20
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Ian Kent <raven@themaw.net> · 2019-02-20
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · James Bottomley <James.Bottomley@HansenPartnership.com> · 2019-02-20
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Ian Kent <raven@themaw.net> · 2019-02-20
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Paul Moore <paul@paul-moore.com> · 2019-02-20
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Tycho Andersen <hidden> · 2019-02-19
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Ian Kent <raven@themaw.net> · 2019-02-20
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Christian Brauner <christian@brauner.io> · 2019-02-20
Re: [RFC PATCH 02/27] containers: Implement containers as kernel objects · Ian Kent <raven@themaw.net> · 2019-02-21
[RFC PATCH 03/27] containers: Provide /proc/containers · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 04/27] containers: Allow a process to be forked into a container · David Howells <dhowells@redhat.com> · 2019-02-15
Re: [RFC PATCH 04/27] containers: Allow a process to be forked into a container · Stephen Smalley <hidden> · 2019-02-15
[RFC PATCH 05/27] containers: Open a socket inside a container · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 06/27] containers, vfs: Allow syscall dirfd arguments to take a container fd · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 07/27] containers: Make fsopen() able to create a superblock in a container · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 08/27] containers, vfs: Honour CONTAINER_NEW_EMPTY_FS_NS · David Howells <dhowells@redhat.com> · 2019-02-15
Re: [RFC PATCH 08/27] containers, vfs: Honour CONTAINER_NEW_EMPTY_FS_NS · Al Viro <viro@zeniv.linux.org.uk> · 2019-02-17
[RFC PATCH 10/27] containers: Provide fs_context op for container setting · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 09/27] vfs: Allow mounting to other namespaces · David Howells <dhowells@redhat.com> · 2019-02-15
Re: [RFC PATCH 09/27] vfs: Allow mounting to other namespaces · Al Viro <viro@zeniv.linux.org.uk> · 2019-02-17
[RFC PATCH 11/27] containers: Sample program for driving container objects · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 12/27] containers: Allow a daemon to intercept request_key upcalls in a container · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 13/27] keys: Provide a keyctl to query a request_key authentication key · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 14/27] keys: Break bits out of key_unlink() · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 15/27] keys: Make __key_link_begin() handle lockdep nesting · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 16/27] keys: Grant Link permission to possessers of request_key auth keys · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 17/27] keys: Add a keyctl to move a key between keyrings · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 18/27] keys: Find the least-recently used unseen key in a keyring. · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 19/27] containers: Sample: request_key upcall handling · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 20/27] container, keys: Add a container keyring · David Howells <dhowells@redhat.com> · 2019-02-15
Re: [RFC PATCH 20/27] container, keys: Add a container keyring · Eric Biggers <ebiggers@kernel.org> · 2019-02-15
[RFC PATCH 21/27] keys: Fix request_key() lack of Link perm check on found key · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 24/27] keys: Allow a container to be specified as a subject in a key's ACL · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 26/27] keys: Allow containers to be included in key ACLs by name · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 27/27] containers: Sample to grant access to a key in a container · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 25/27] keys: Provide a way to ask for the container keyring · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 23/27] KEYS: Provide KEYCTL_GRANT_PERMISSION · David Howells <dhowells@redhat.com> · 2019-02-15
[RFC PATCH 22/27] KEYS: Replace uid/gid/perm permissions checking with an ACL · David Howells <dhowells@redhat.com> · 2019-02-15
Re: [RFC PATCH 22/27] KEYS: Replace uid/gid/perm permissions checking with an ACL · Stephen Smalley <hidden> · 2019-02-15
Re: [RFC PATCH 22/27] KEYS: Replace uid/gid/perm permissions checking with an ACL · David Howells <dhowells@redhat.com> · 2019-02-15
Re: [RFC PATCH 00/27] Containers and using authenticated filesystems · James Morris <jmorris@namei.org> · 2019-02-15

From: David Howells <dhowells@redhat.com>
Date: 2019-02-15 17:39:40
Also in: keyrings, linux-cifs, linux-fsdevel, linux-nfs, lkml, selinux

Stephen Smalley [off-list ref] wrote:

quoted

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -6560,6 +6560,7 @@ static int selinux_key_permission(key_ref_t key_ref,
  {
  	struct key *key;
  	struct key_security_struct *ksec;
+	unsigned oldstyle_perm;
  	u32 sid;
    	/* if no specific permissions are requested, we skip the

@@ -6568,13 +6569,26 @@ static int selinux_key_permission(key_ref_t key_ref,
  	if (perm == 0)
  		return 0;
  +	oldstyle_perm = perm & (KEY_NEED_VIEW | KEY_NEED_READ | KEY_NEED_WRITE

|
+				KEY_NEED_SEARCH | KEY_NEED_LINK);
+	if (perm & KEY_NEED_SETSEC)
+		oldstyle_perm |= OLD_KEY_NEED_SETATTR;
+	if (perm & KEY_NEED_INVAL)
+		oldstyle_perm |= KEY_NEED_SEARCH;
+	if (perm & KEY_NEED_REVOKE && !(perm & OLD_KEY_NEED_SETATTR))
+		oldstyle_perm |= KEY_NEED_WRITE;
+	if (perm & KEY_NEED_JOIN)
+		oldstyle_perm |= KEY_NEED_SEARCH;
+	if (perm & KEY_NEED_CLEAR)
+		oldstyle_perm |= KEY_NEED_WRITE;
+
  	sid = cred_sid(cred);
    	key = key_ref_to_ptr(key_ref);
  	ksec = key->security;
    	return avc_has_perm(&selinux_state,
-			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
+			    sid, ksec->sid, SECCLASS_KEY, oldstyle_perm, NULL);

This might be ok temporarily for compatibility but we'll want to ultimately
define the new permissions in SELinux and switch over to using them if a new
policy capability bit is set to indicate that the policy supports them.  We
should probably decouple the SELinux permission bits from the KEY_NEED_*
values and explicitly map them all at the same time.

Sounds reasonable.  I should probably detach the first two ACL patches from
the set and push them separately.

David

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help