From 8ba1d53739d960cf118762da7850e625a8b462d9 Mon Sep 17 00:00:00 2001 From: Nicholas Mc Guire Date: Wed, 8 May 2019 08:21:17 +0200 Subject: selinux: provide __le variables explicitly While the endiannes is being handled properly sparse was unable to verify this due to type inconsistency. So introduce an additional __le32 respectively _le64 variable to be passed to le32/64_to_cpu() to allow sparse to verify proper typing. Note that this patch does not change the generated binary on little-endian systems - on 32bit powerpc it does change the binary. Signed-off-by: Nicholas Mc Guire Signed-off-by: Paul Moore --- security/selinux/ss/ebitmap.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index 8f624f80055b..09929fc5ab47 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c @@ -347,7 +347,9 @@ int ebitmap_read(struct ebitmap *e, void *fp) { struct ebitmap_node *n = NULL; u32 mapunit, count, startbit, index; + __le32 ebitmap_start; u64 map; + __le64 mapbits; __le32 buf[3]; int rc, i; @@ -381,12 +383,12 @@ int ebitmap_read(struct ebitmap *e, void *fp) goto bad; for (i = 0; i < count; i++) { - rc = next_entry(&startbit, fp, sizeof(u32)); + rc = next_entry(&ebitmap_start, fp, sizeof(u32)); if (rc < 0) { pr_err("SELinux: ebitmap: truncated map\n"); goto bad; } - startbit = le32_to_cpu(startbit); + startbit = le32_to_cpu(ebitmap_start); if (startbit & (mapunit - 1)) { pr_err("SELinux: ebitmap start bit (%d) is " @@ -423,12 +425,12 @@ int ebitmap_read(struct ebitmap *e, void *fp) goto bad; } - rc = next_entry(&map, fp, sizeof(u64)); + rc = next_entry(&mapbits, fp, sizeof(u64)); if (rc < 0) { pr_err("SELinux: ebitmap: truncated map\n"); goto bad; } - map = le64_to_cpu(map); + map = le64_to_cpu(mapbits); index = (startbit - n->startbit) / EBITMAP_UNIT_SIZE; while (map) { -- cgit v1.2.3-59-g8ed1b From beee56f3543ae688f7b3f65a5e234b59856eff48 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Sat, 4 May 2019 21:59:06 +0200 Subject: selinux: remove some no-op BUG_ONs Since acdf52d97f82 ("selinux: convert to kvmalloc"), these check whether an address-of value is NULL, which is pointless. Signed-off-by: Ondrej Mosnacek Signed-off-by: Paul Moore --- security/selinux/ss/services.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index cc043bc8fd4c..20a089d0aca8 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -651,9 +651,7 @@ static void context_struct_compute_av(struct policydb *policydb, avkey.target_class = tclass; avkey.specified = AVTAB_AV | AVTAB_XPERMS; sattr = &policydb->type_attr_map_array[scontext->type - 1]; - BUG_ON(!sattr); tattr = &policydb->type_attr_map_array[tcontext->type - 1]; - BUG_ON(!tattr); ebitmap_for_each_positive_bit(sattr, snode, i) { ebitmap_for_each_positive_bit(tattr, tnode, j) { avkey.source_type = i + 1; @@ -1059,9 +1057,7 @@ void security_compute_xperms_decision(struct selinux_state *state, avkey.target_class = tclass; avkey.specified = AVTAB_XPERMS; sattr = &policydb->type_attr_map_array[scontext->type - 1]; - BUG_ON(!sattr); tattr = &policydb->type_attr_map_array[tcontext->type - 1]; - BUG_ON(!tattr); ebitmap_for_each_positive_bit(sattr, snode, i) { ebitmap_for_each_positive_bit(tattr, tnode, j) { avkey.source_type = i + 1; -- cgit v1.2.3-59-g8ed1b From 464c258aa45b09f16aa0f05847ed8895873262d9 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Wed, 12 Jun 2019 10:12:26 +0200 Subject: selinux: fix empty write to keycreate file When sid == 0 (we are resetting keycreate_sid to the default value), we should skip the KEY__CREATE check. Before this patch, doing a zero-sized write to /proc/self/keycreate would check if the current task can create unlabeled keys (which would usually fail with -EACCESS and generate an AVC). Now it skips the check and correctly sets the task's keycreate_sid to 0. Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1719067 Tested using the reproducer from the report above. Fixes: 4eb582cf1fbd ("[PATCH] keys: add a way to store the appropriate context for newly-created keys") Reported-by: Kir Kolyshkin Signed-off-by: Ondrej Mosnacek Signed-off-by: Paul Moore --- security/selinux/hooks.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c61787b15f27..f77b314d0575 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6331,11 +6331,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) } else if (!strcmp(name, "fscreate")) { tsec->create_sid = sid; } else if (!strcmp(name, "keycreate")) { - error = avc_has_perm(&selinux_state, - mysid, sid, SECCLASS_KEY, KEY__CREATE, - NULL); - if (error) - goto abort_change; + if (sid) { + error = avc_has_perm(&selinux_state, mysid, sid, + SECCLASS_KEY, KEY__CREATE, NULL); + if (error) + goto abort_change; + } tsec->keycreate_sid = sid; } else if (!strcmp(name, "sockcreate")) { tsec->sockcreate_sid = sid; -- cgit v1.2.3-59-g8ed1b From ea74a685ad819aeed316a9bae3d2a5bf762da82d Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Thu, 27 Jun 2019 12:48:01 -0400 Subject: selinux: format all invalid context as untrusted The userspace tools expect all fields of the same name to be logged consistently with the same encoding. Since the invalid_context fields contain untrusted strings in selinux_inode_setxattr() and selinux_setprocattr(), encode all instances of this field the same way as though they were untrusted even though compute_sid_handle_invalid_context() and security_sid_mls_copy() are trusted. Please see github issue https://github.com/linux-audit/audit-kernel/issues/57 Signed-off-by: Richard Guy Briggs Signed-off-by: Paul Moore --- security/selinux/ss/services.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 20a089d0aca8..d3a8f6fbc552 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1584,6 +1584,7 @@ static int compute_sid_handle_invalid_context( struct policydb *policydb = &state->ss->policydb; char *s = NULL, *t = NULL, *n = NULL; u32 slen, tlen, nlen; + struct audit_buffer *ab; if (context_struct_to_string(policydb, scontext, &s, &slen)) goto out; @@ -1591,12 +1592,14 @@ static int compute_sid_handle_invalid_context( goto out; if (context_struct_to_string(policydb, newcontext, &n, &nlen)) goto out; - audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, - "op=security_compute_sid invalid_context=%s" - " scontext=%s" - " tcontext=%s" - " tclass=%s", - n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR); + audit_log_format(ab, + "op=security_compute_sid invalid_context="); + /* no need to record the NUL with untrusted strings */ + audit_log_n_untrustedstring(ab, n, nlen - 1); + audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s", + s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); + audit_log_end(ab); out: kfree(s); kfree(t); @@ -3003,10 +3006,16 @@ int security_sid_mls_copy(struct selinux_state *state, if (rc) { if (!context_struct_to_string(policydb, &newcon, &s, &len)) { - audit_log(audit_context(), - GFP_ATOMIC, AUDIT_SELINUX_ERR, - "op=security_sid_mls_copy " - "invalid_context=%s", s); + struct audit_buffer *ab; + + ab = audit_log_start(audit_context(), + GFP_ATOMIC, + AUDIT_SELINUX_ERR); + audit_log_format(ab, + "op=security_sid_mls_copy invalid_context="); + /* don't record NUL with untrusted strings */ + audit_log_n_untrustedstring(ab, s, len - 1); + audit_log_end(ab); kfree(s); } goto out_unlock; -- cgit v1.2.3-59-g8ed1b