From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public•gmane.org (Eric W. Biederman)
To: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public•gmane.org>
Cc: Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public•gmane.org>,
jmorris-gx6/JNMH7DfYtjvyW6yDsg@public•gmane.org,
rjw-KKrjLPT3xs0@public•gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public•gmane.org,
kernel-testers-u79uwXL29TY76Z2rM5mHXA@public•gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public•gmane.org
Subject: Re: [Bug #11500] /proc/net bug related to selinux
Date: Wed, 17 Sep 2008 14:56:17 -0700
Message-ID: <m1abe6308u.fsf@frodo.ebiederm.org>
In-Reply-To: <20080917125053.1f9ecf37.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> (Andrew Morton's message of "Wed, 17 Sep 2008 12:50:53 -0700")
Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public•gmane.org> writes:
> On Mon, 15 Sep 2008 09:05:26 -0400
> Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public•gmane.org> wrote:
>> On Sat, 2008-09-13 at 12:37 -0700, Andrew Morton wrote:
>> However, the most likely explanation is simply that when /proc/net was
>> changed from being a directory to being a symlink to /proc/self/net,
>> that introduced an additional permission check on accesses
>> of /proc/net/<whatever>, namely the read check on the symlink itself.
>> And since that check wasn't happening on /proc/net accesses with older
>> kernels, older policies didn't allow it.
>> As to why others haven't reported it, I expect that they have updated
>> their policies to newer ones that allow the necessary access. The fact
>> that legacy distros wouldn't have such updated policies isn't surprising
>> - they don't push updates to those distros for new kernels. FC5 and FC6
>> are both EOL'd, right?
>>
>> In any event, we didn't change anything in SELinux - the change was
>> elsewhere (in the proc/net implementation). Don't blame the messenger
>> please.
>>
>
> Vanilla FC5 broke and vanilla FC6 broke. Did vanilla FC7, 8 or 9 break?
>
> http://smolt.fedoraproject.org/static/stats/stats.html shows 11,000-odd
> people running FC5 and FC6. It would be incautious to assume that all
> those people have updated their selinux rules.
>
> And _requiring_ people to update their selinux rules to fix a
> kernel-caused regression is a pretty big deal for some people, I
> expect.
> Then again, given that this regression has been out there since 2.6.25,
> I guess not too many people are hurting from it. But we suck.
Looking at this discussion closely, from what I see selinux is designed
to work on the principle of least privilege. If you make a user space
visible but compatible change, selinux will keep the system until
you update selinux. Is selinux exposing too much to user space?
selinux was taken into consideration when the change was made.
The patch was even updated with feedback from Stephen Smalley.
> commit e9720acd728a46cb40daa52c99a979f7c4ff195c
> Author: Pavel Emelyanov <xemul-GEFAQzZX7r8dnm+yROfE0A@public•gmane.org>
> Date: Fri Mar 7 11:08:40 2008 -0800
>
> [NET]: Make /proc/net a symlink on /proc/self/net (v3)
>
> Current /proc/net is done with so called "shadows", but current
> implementation is broken and has little chances to get fixed.
>
> The problem is that dentries subtree of /proc/net directory has
> fancy revalidation rules to make processes living in different
> net namespaces see different entries in /proc/net subtree, but
> currently, tasks see in the /proc/net subdir the contents of any
> other namespace, depending on who opened the file first.
>
> The proposed fix is to turn /proc/net into a symlink, which points
> to /proc/self/net, which in turn shows what previously was in
> /proc/net - the network-related info, from the net namespace the
> appropriate task lives in.
>
> # ls -l /proc/net
> lrwxrwxrwx 1 root root 8 Mar 5 15:17 /proc/net -> self/net
>
> In other words - this behaves like /proc/mounts, but unlike
> "mounts", "net" is not a file, but a directory.
>
> Changes from v2:
> * Fixed discrepancy of /proc/net nlink count and selinux labeling
> screwup pointed out by Stephen.
>
> To get the correct nlink count the ->getattr callback for /proc/net
> is overridden to read one from the net->proc_net entry.
>
> To make selinux still work the net->proc_net entry is initialized
> properly, i.e. with the "net" name and the proc_net parent.
>
> Selinux fixes are
> Acked-by: Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public•gmane.org>
>
> Changes from v1:
> * Fixed a task_struct leak in get_proc_task_net, pointed out by Paul.
>
> Signed-off-by: Pavel Emelyanov <xemul-GEFAQzZX7r8dnm+yROfE0A@public•gmane.org>
> Acked-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public•gmane.org>
> Signed-off-by: David S. Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public•gmane.org>
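The mechanism Stephen describes above, and that the quoted commit introduced, is that a path lookup under /proc/net now passes through one more object than it used to: the symlink itself, which a mandatory access control check sees in addition to the directories and the final file. The following script is an added illustration written for this page, not code from the thread, the kernel or the SELinux project. It builds two constructed /proc-like trees in a temporary directory (a plain "net" directory, as before 2.6.25, and a "net -> self/net" symlink, as after) and walks a path component by component the way the VFS does, listing which object each step touches. The check labels ("search", "read (symlink itself)", "read (target)") are descriptive names chosen for the demo, not permission strings copied from any SELinux policy.

```python
"""Trace which filesystem objects a path lookup touches, and therefore
which objects a permission check along that path has to allow.

Added example for this page (not kernel or SELinux code). It models the
/proc/net change from the quoted commit in user space: a symlink in the
path is one more object whose own permission must be granted.
"""
import os
import shutil
import stat
import tempfile


def lookup_trace(root, relpath):
    """Return a list of (path, kind, check) tuples for resolving relpath
    below root. Symlinks are followed as the kernel follows them: a relative
    target is resolved against the symlink's parent directory, an absolute
    one against root (root stands in for "/" in this demo)."""
    trace = []
    cur = root
    components = [c for c in relpath.split("/") if c]
    while components:
        name = components.pop(0)
        cur = os.path.join(cur, name)
        st = os.lstat(cur)
        if stat.S_ISLNK(st.st_mode):
            # The link is an object in its own right: reading it is a check
            # that a plain directory at the same position never needed.
            trace.append((cur, "symlink", "read (symlink itself)"))
            target = os.readlink(cur)
            parent = os.path.dirname(cur)
            components = [c for c in target.split("/") if c] + components
            cur = root if target.startswith("/") else parent
        elif components:
            # Intermediate component: the lookup only needs to traverse it.
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            trace.append((cur, kind, "search"))
        else:
            # Final component: whatever the caller asked for, here a read.
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            trace.append((cur, kind, "read (target)"))
    return trace


def build_tree(layout):
    """Create a constructed /proc-like tree and return its temporary root.

    layout "directory": proc/net/dev, with net a real directory (pre-2.6.25).
    layout "symlink":   proc/self/net/dev, with proc/net -> self/net.
    """
    root = tempfile.mkdtemp(prefix="procdemo-")
    proc = os.path.join(root, "proc")
    if layout == "directory":
        os.makedirs(os.path.join(proc, "net"))
        open(os.path.join(proc, "net", "dev"), "w").close()
    elif layout == "symlink":
        os.makedirs(os.path.join(proc, "self", "net"))
        open(os.path.join(proc, "self", "net", "dev"), "w").close()
        os.symlink("self/net", os.path.join(proc, "net"))
    else:
        raise ValueError(layout)
    return root


def objects_checked(layout, relpath="proc/net/dev"):
    """Build the tree, trace the lookup, clean up, and return the trace with
    paths made relative to the temporary root."""
    root = build_tree(layout)
    try:
        return [(os.path.relpath(p, root), kind, check)
                for p, kind, check in lookup_trace(root, relpath)]
    finally:
        shutil.rmtree(root)


def extra_objects(relpath="proc/net/dev"):
    """Objects the symlink layout touches that the directory layout did not;
    these are the places an older policy has no rule for."""
    before = {p for p, _, _ in objects_checked("directory", relpath)}
    after = objects_checked("symlink", relpath)
    return [(p, kind, check) for p, kind, check in after if p not in before]


if __name__ == "__main__":
    for layout in ("directory", "symlink"):
        print(f"--- {layout} layout, reading proc/net/dev")
        for path, kind, check in objects_checked(layout):
            print(f"  {path:22s} {kind:8s} {check}")
    print("--- objects new to the symlink layout:")
    for path, kind, check in extra_objects():
        print(f"  {path:22s} {kind:8s} {check}")
```

Running it shows the directory layout checking three objects (proc, proc/net, proc/net/dev) and the symlink layout checking five, the new ones being the link proc/net itself plus the proc/self and proc/self/net directories behind it. A policy written against the old layout has no rule for the first of those, which is the denial Stephen describes; the practical consequence for a defender is that a filesystem layout change in the kernel has to be reviewed against the deployed policy even when every file keeps the same name.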