1
linux/security/selinux/ss
Ondrej Mosnacek ae254858ce selinux: introduce an initial SID for early boot processes
Currently, SELinux doesn't allow distinguishing between kernel threads
and userspace processes that are started before the policy is first
loaded - both get the label corresponding to the kernel SID. The only
way a process that persists from early boot can get a meaningful label
is by doing a voluntary dyntransition or re-executing itself.

Reusing the kernel label for userspace processes is problematic for
several reasons:
1. The kernel is considered to be a privileged domain and generally
   needs to have a wide range of permissions allowed to work correctly,
   which prevents the policy writer from effectively hardening against
   early boot processes that might remain running unintentionally after
   the policy is loaded (they represent a potential extra attack surface
   that should be mitigated).
2. Despite the kernel being treated as a privileged domain, the policy
   writer may want to impose certain special limitations on kernel
   threads that may conflict with the requirements of intentional early
   boot processes. For example, it is a good hardening practice to limit
   what executables the kernel can execute as usermode helpers and to
   confine the resulting usermode helper processes. However, a
   (legitimate) process surviving from early boot may need to execute a
   different set of executables.
3. As currently implemented, overlayfs remembers the security context of
   the process that created an overlayfs mount and uses it to bound
   subsequent operations on files using this context. If an overlayfs
   mount is created before the SELinux policy is loaded, these "mounter"
   checks are made against the kernel context, which may clash with
   restrictions on the kernel domain (see 2.).

To resolve this, introduce a new initial SID (reusing the slot of the
former "init" initial SID) that will be assigned to any userspace
process started before the policy is first loaded. This is easy to do,
as we can simply label any process that goes through the
bprm_creds_for_exec LSM hook with the new init-SID instead of
propagating the kernel SID from the parent.

To provide backwards compatibility for existing policies that are
unaware of this new semantic of the "init" initial SID, introduce a new
policy capability "userspace_initial_context" and set the "init" SID to
the same context as the "kernel" SID unless this capability is set by
the policy.

Another small backwards compatibility measure is needed in
security_sid_to_context_core() for before the initial SELinux policy
load - see the code comment for explanation.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: edited comments based on feedback/discussion]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-11-21 18:39:59 -05:00
..
avtab.c selinux: refactor avtab_node comparisons 2023-11-20 20:28:22 -05:00
avtab.h selinux: move debug functions into debug configuration 2023-07-28 14:09:24 -04:00
conditional.c selinux: drop avtab_search() 2023-07-19 11:04:28 -04:00
conditional.h selinux: avoid bool as identifier name 2023-06-05 17:04:01 -04:00
constraint.h selinux: update my email address 2023-07-19 11:27:02 -04:00
context.c
context.h selinux: update my email address 2023-07-19 11:27:02 -04:00
ebitmap.c selinux: update my email address 2023-07-19 11:27:02 -04:00
ebitmap.h selinux: update my email address 2023-07-19 11:27:02 -04:00
hashtab.c selinux: print sum of chain lengths^2 for hash tables 2023-09-13 13:46:56 -04:00
hashtab.h selinux: print sum of chain lengths^2 for hash tables 2023-09-13 13:46:56 -04:00
mls_types.h selinux: update my email address 2023-07-19 11:27:02 -04:00
mls.c selinux: avoid implicit conversions in mls code 2023-08-03 22:19:57 -04:00
mls.h selinux: update my email address 2023-07-19 11:27:02 -04:00
policydb.c selinux: introduce an initial SID for early boot processes 2023-11-21 18:39:59 -05:00
policydb.h selinux: update my email address 2023-07-19 11:27:02 -04:00
services.c selinux: introduce an initial SID for early boot processes 2023-11-21 18:39:59 -05:00
services.h selinux: update type for number of class permissions in services code 2023-08-09 19:07:48 -04:00
sidtab.c selinux: Annotate struct sidtab_str_cache with __counted_by 2023-09-12 16:58:40 -04:00
sidtab.h selinux: update my email address 2023-07-19 11:27:02 -04:00
symtab.c selinux: update my email address 2023-07-19 11:27:02 -04:00
symtab.h selinux: update my email address 2023-07-19 11:27:02 -04:00