On 18.6.2021 23.37, Topi Miettinen wrote:
On 18.6.2021 22.32, Paul Moore wrote:
On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
On 18.6.2021 6.50, Paul Moore wrote:
On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
Describe cases where nosuid_transition or nnp_transition are needed.
Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
---
src/computing_security_contexts.md | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/computing_security_contexts.md
b/src/computing_security_contexts.md
index bb946b5..7bd1d87 100644
--- a/src/computing_security_contexts.md
+++ b/src/computing_security_contexts.md
@@ -84,7 +84,14 @@ Processes inherit their security context as
follows:
*default_type* (policy version 28) or if a security-aware
process,
by calling ***setexeccon**(3)* if permitted by policy prior to
invoking exec.
-3. At any time, a security-aware process may invoke
***setcon**(3)* to
+3. If the file system is mounted with *nosuid* flag, type transitions
+ require permission *nosuid_transition*. If the thread has
+ *no_new_privs* attribute set, the transition requires
+ *nnp_transition*. For both transitions, policy capability
+ *nnp_nosuid_transition* is also required. See also
+ [**Linux Security Module and
SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
+ section.
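Review bot: the hunk removes the line that opened item 3 ("3. At any time, a security-aware process may invoke ***setcon**(3)* to") and puts a new item 3 in its place, but the visible lines do not show the setcon text being re-added under a new number, so its continuation would be left without a list marker; re-add it as item 4 directly after the new text. In the added text, "policy capability *nnp_nosuid_transition* is also required" reads as if the capability were a third permission; say instead that the capability enables the *nosuid_transition* / *nnp_transition* checks, and state what happens to such transitions when it is disabled.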
Thanks for adding this text, however I might suggest the following
changes:
"If the loaded SELinux policy has the nnp_nosuid_transition policy
capability enabled there are potentially two additional permissions
that are required to permit a domain transition: nosuid_transition for
nosuid mounted filesystems, and nnp_transition for threads with
the no_new_privs flag."
... does that make sense?
Yes. I'd then add:
"If nnp_nosuid_transition policy capability is disabled, such domain
transitions are denied."
In most cases, yes that is correct, but bounded domain transitions are
still allowed in the case where the nnp_nosuid_transition policy
capability is not enabled.
I see. May I propose then:
"If nnp_nosuid_transition policy capability is disabled, such domain
transitions are denied but bounded domain transitions are still allowed.
In bounded transitions, the target domain is only allowed a subset of the
permissions of the source domain."
By the way, the background for this patch (and others for mount(2),
mount(8) and selinux(8)) was that I recently proposed new heuristics for
systemd where in case no_new_privileges would be implied (for example,
due to use of seccomp), all file systems would be mounted `nosuid` since
setuid/setgid wouldn't be allowed anyway. The heuristics patch was
applied but later reverted because of problems it may cause for SELinux.
I didn't know then how SELinux uses the flag to also control domain
transitions. Also the case seems to be underdocumented, which I'm trying
to improve with the patches.
Regarding the heuristics, perhaps instead of tying MAC behavior (also FS
capabilities) to a DAC concept of setuid/setgid with MS_NOSUID, there
should be new mount flags which would allow more precise handling of all
combinations of SUID, SELinux domain transitions and FS capabilities.
For example "nosuid,security=selinux=domain_transitions_allowed:capability=fs_caps_allowed".
Then systemd could safely mount all file systems "nosuid" (when NNP is
already going to be enforced) while keeping behavior of SELinux domain
transitions and FS capabilities unchanged.
-Topi
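An added example, not part of the patch or of the SELinux Notebook text under discussion: the policy rules a domain transition needs in the two cases the thread describes (capability enabled with the process2 permissions, and the bounded fallback). The type names svc_t, helper_t and helper_exec_t are invented for the example; this is a policy fragment in the kernel policy language, not a complete policy.

```selinux
# Added example in kernel policy language. svc_t, helper_t and helper_exec_t
# are invented type names, not types from any real policy.

# Enables the process2 permission checks discussed in the thread. Whether the
# loaded policy has it can be read from
# /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition (1 = enabled).
policycap nnp_nosuid_transition;

type svc_t;
type helper_t;
type helper_exec_t;

# Ordinary domain transition svc_t -> helper_t through helper_exec_t. These
# rules are needed regardless of nosuid mounts or no_new_privs.
allow svc_t helper_exec_t:file { read open execute };
allow svc_t helper_t:process transition;
allow helper_t helper_exec_t:file entrypoint;
type_transition svc_t helper_exec_t:process helper_t;

# Case 1: capability enabled. If helper_exec_t lives on a nosuid mount the
# kernel additionally checks process2 nosuid_transition; if the calling
# thread has no_new_privs set it checks process2 nnp_transition; both
# permissions are checked when both conditions hold.
allow svc_t helper_t:process2 { nosuid_transition nnp_transition };

# Case 2: capability disabled (or the process2 permission not granted). The
# transition then succeeds only if helper_t is bounded by svc_t, i.e. every
# permission granted to helper_t is also held by svc_t. Declaring the bound:
typebounds svc_t helper_t;
```

With setools installed, `sesearch -A -s svc_t -t helper_t -c process2` on the compiled policy shows whether the process2 rule made it in.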