From patchwork Mon Nov 23 21:07:41 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stephen Smalley <sds@tycho.nsa.gov>
X-Patchwork-Id: 7686121
Return-Path: <selinux-bounces@tycho.nsa.gov>
X-Original-To: patchwork-selinux@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 27F1CBF90C
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 23 Nov 2015 21:09:33 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 89D2D207E1
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 23 Nov 2015 21:09:32 +0000 (UTC)
Received: from emvm-gh1-uea08.nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 9B151207DF
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 23 Nov 2015 21:09:31 +0000 (UTC)
X-TM-IMSS-Message-ID: <520c292100038064@nsa.gov>
Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by nsa.gov
	([63.239.67.9]) with ESMTP (TREND IMSS SMTP Service 7.1) id
	520c292100038064 ; Mon, 23 Nov 2015 16:07:22 -0500
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id tANL79kP000690;
	Mon, 23 Nov 2015 16:07:17 -0500
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	tANL76xx010835 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Mon, 23 Nov 2015 16:07:06 -0500
Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto
	[192.168.25.131])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id
	tANL76Bm000680; Mon, 23 Nov 2015 16:07:06 -0500
From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@tycho.nsa.gov
Subject: [PATCH] selinux: fix bug in conditional rules handling
Date: Mon, 23 Nov 2015 16:07:41 -0500
Message-Id: <1448312861-3574-1-git-send-email-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.4.3
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-TM-AS-MML: disable
X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

commit fa1aa143ac4a ("selinux: extended permissions for ioctls") introduced
a bug into the handling of conditional rules, skipping the processing
entirely when the caller does not provide an extended permissions (xperms)
structure.  Access checks from userspace using /sys/fs/selinux/access
do not include such a structure since that interface does not presently
expose extended permission information.  As a result, conditional rules
were being ignored entirely on userspace access requests, producing
denials when access was allowed by conditional rules in the policy.
Fix the bug by only skipping computation of extended permissions
in this situation, not the entire conditional rules processing.

Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/ss/conditional.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 18643bf..456e1a9 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -638,7 +638,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
 {
 	struct avtab_node *node;
 
-	if (!ctab || !key || !avd || !xperms)
+	if (!ctab || !key || !avd)
 		return;
 
 	for (node = avtab_search_node(ctab, key); node;
@@ -657,7 +657,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
 		if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
 		    (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
 			avd->auditallow |= node->datum.u.data;
-		if ((node->key.specified & AVTAB_ENABLED) &&
+		if (xperms && (node->key.specified & AVTAB_ENABLED) &&
 				(node->key.specified & AVTAB_XPERMS))
 			services_compute_xperms_drivers(xperms, node);
 	}