[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v5 0/9] virtiofsd: Add support for file security context at f
|
From: |
Vivek Goyal |
|
Subject: |
Re: [PATCH v5 0/9] virtiofsd: Add support for file security context at file creation |
|
Date: |
Mon, 7 Feb 2022 08:24:08 -0500 |
On Mon, Feb 07, 2022 at 01:05:16PM +0000, Daniel P. Berrangé wrote:
> On Wed, Feb 02, 2022 at 02:39:26PM -0500, Vivek Goyal wrote:
> > Hi,
> >
> > This is V5 of the patches. I posted V4 here.
> >
> > https://listman.redhat.com/archives/virtio-fs/2022-January/msg00041.html
> >
> > These will allow us to support SELinux with virtiofs. This will send
> > SELinux context at file creation to server and server can set it on
> > file.
>
> I've not entirely figured it out from the code, so easier for me
> to ask...
>
> How is the SELinux labelled stored on the host side ? It is stored
> directly in the security.* xattr namespace, or is is subject to
> xattr remapping that virtiofsd already supports.
>
> Storing directly means virtiofsd has to run in an essentially
> unconfined context, to let it do arbitrary changes on security.*
> xattrs without being blocked by SELinux) and has risk that guest
> initiated changes can open holes in the host confinement if
> the exported FS is generally visible to processes on the host.
>
>
> Using remapping lets virtiofsd be strictly isolated by SELinux
> policy on the host, and ensures that guest context changes
> can't open up holes in the host.
>
> Both are valid use cases, so I'd ultimately expect us to want
> to support both, but my preference for a "default" behaviour
> would be remapping.
I am expecting users to configure virtiofsd to remap "security.selinux"
to "trusted.virtiofsd.security.selinux" and that will allow guest
and host security selinux to co-exist and allow separate SELinux policies
for guest and host.
I agree that my preference for a default behavior is remapping as well.
That makes most sense.
One downside of mapping to trusted namespace is that it requires
CAP_SYS_ADMIN for virtiofsd.
Having said that, these patches don't enforce the remapping default. That
has to come from the user because it also needs to be given CAP_SYS_ADMIN.
So out of box default is no remapping and passthrough SELinux.
Thanks
Vivek
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>
- Re: [PATCH v5 3/9] virtiofsd: Parse extended "struct fuse_init_in", (continued)
- [PATCH v5 2/9] linux-headers: Update headers to v5.17-rc1, Vivek Goyal, 2022/02/02
- [PATCH v5 7/9] virtiofsd: Create new file with fscreate set, Vivek Goyal, 2022/02/02
- Re: [PATCH v5 0/9] virtiofsd: Add support for file security context at file creation, Dr. David Alan Gilbert, 2022/02/07
- Re: [PATCH v5 0/9] virtiofsd: Add support for file security context at file creation, Daniel P . Berrangé, 2022/02/07
- Re: [PATCH v5 0/9] virtiofsd: Add support for file security context at file creation,
Vivek Goyal <=
- Re: [PATCH v5 0/9] virtiofsd: Add support for file security context at file creation, Vivek Goyal, 2022/02/07