Skip to content

gh-83074: Add preserve_security_context to shutil #23720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

gh-83074: Add preserve_security_context to shutil #23720

wants to merge 3 commits into from
+191 −54

Conversation

tiran
Copy link
Member

@tiran tiran commented Dec 9, 2020
edited by bedevere-app bot
Loading

Users typically don't have permission to modify the restricted
security namespace of extended attributes. An LSM prevents
root processes in confined contexts from changing security
attributes, too.

Any write attempt from a confined context is considered a security
violation and logged in the system's security audit log. Therefore we
cannot safely except and ignore exceptions without flooding the audit
system.

Linux coreutils has a similar workaround. Tools like cp skips
security.selinux when it detects that SELinux is enabled
(preserve_security_context). The (security) context is only copied
with non-default --preserve=context or --preserve=all.

shutil.copy2() now behaves mostly like cp -p --preserve=xattr by default.

Signed-off-by: Christian Heimes christian@python.org

  • shutil.move needs extra attention.

https://bugs.python.org/issue38893

@tiran tiran requested a review from hynek December 9, 2020 15:23
@tiran
bpo-38893: Add preserve_security_context to shutil
559677f 
Users typically don't have permission to modify the restricted
`security` namespace of extended attributes. An LSM prevents
root processes in confined contexts from changing `security`
attributes, too.

Any write attempt from a confined context is considered a security
violation and logged in the system's security audit log. Therefore we
cannot safely except and ignore exceptions without flooding the audit
system.

Linux coreutils has a similar workaround. Tools like `cp` skips
`security.selinux` when it detects that SELinux is enabled
(`preserve_security_context`). The (security) context is only copied
with non-default `--preserve=context` or `--preserve=all`.

`shutil.copy2()` now behaves mostly like `cp -p --preserve=xattr` by default.

Signed-off-by: Christian Heimes <christian@python.org>
@tiran tiran force-pushed the bpo-38893-copy-xattr branch from 4155ce1 to 559677f Compare December 9, 2020 15:34
@hynek
Copy link
Member

hynek commented Dec 10, 2020

Hm isn't this a breaking change?

@tiran
Copy link
Member Author

tiran commented Dec 10, 2020

Hm isn't this a breaking change?

You could say that the PR changes behavior of the copy functions. In my opinion it fixes behavior of the copy function. In almost all cases it's conceptionally wrong to copy the SELinux context. Under SELinux, files are automatically labelled based on file name and context.

In best case the old behavior would result in wrong context, which will eventually be fixed by restorecon. In worst case (e.g. containers) it results into tons of audit events and PermissionsError.

@tiran
Actually run xattr tests
0e0c4c0 
- trusted namespace is only writable by processes with CAP_SYS_ADMIN.
  root check is not sufficient to detect the capabilitiy in containers.
- /tmp on tmpfs does not permit user xattr namespace
@tiran tiran force-pushed the bpo-38893-copy-xattr branch from 2f9186c to 0e0c4c0 Compare December 10, 2020 10:20
@ronaldoussoren
Copy link
Contributor

The current PR disables copying "security.*" attributes for all platforms, even though the security namespace is a linux feature. In particular, macOS does not have this feature.

@github-actions
Copy link

This PR is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale Stale PR or inactive for long period of time. label Jan 12, 2021
@matchaxnb
Copy link

Hi @tiran wdyt about getting that to move? I don't have access to a macOS environment to try and fix that but I would really like this to be merged in cpython as it would avoid a number of monkey patching issues for running things like poetry under a k8s + SELinux environment. What can be done to help?

@frenzymadness
Copy link
Contributor

Yeah, I'm also working on some containerized applications where simple shutil.move caused us some problems. Would be nice to have this fixed.

@blairneumann
Copy link

It sounds like the security contexts should not be copied, and cpython's throwing errors because it's trying to copy something that it shouldn't. We need at least a non-default option to not copy the security context as intended.

@blairneumann
Copy link

It sounds like the security contexts should not be copied, and cpython's throwing errors because it's trying to copy something that it shouldn't. We need at least a non-default option to not copy the security context as intended.

Nevermind, we can just shutil.copy and os.remove instead of shutil.move

@matchaxnb
Copy link

matchaxnb commented Jan 26, 2022 via email

@jykae
Copy link

jykae commented Feb 17, 2022

Any proposed workaround for this until the issue gets fixed ?

@github-actions github-actions bot removed the stale Stale PR or inactive for long period of time. label Aug 2, 2022
@erlend-aasland erlend-aasland changed the title bpo-38893: Add preserve_security_context to shutil gh-83074: Add preserve_security_context to shutil Jan 4, 2024
@LeifMiddelschulte LeifMiddelschulte mannequin mentioned this pull request Jan 4, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hynek hynek Awaiting requested review from hynek

Assignees
No one assigned
Labels
awaiting core review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.