[2/2] selinux: fall back to ref-walk if audit is required

Message ID	20191122172245.7875-2-sds@tycho.nsa.gov (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=EAti=ZO=vger.kernel.org=linux-security-module-owner@kernel.org> IronPort-PHdr: 9a23:fQo4whY4vd9rRWYCUK0hVOz/LSx+4OfEezUN459isYplN5qZps25Yx7h7PlgxGXEQZ/co6odzbaP6Oa5BDBLsMbJmUtBWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYdFRrlKAV6OPn+FJLMgMSrzeCy/IDYbxlViDanbr5+MRu7oR/MusQWjoZuJaI8xxjUqXZUZupawn9lK0iOlBjm/Mew+5Bj8yVUu/0/8sNLTLv3caclQ7FGFToqK2866tHluhnFVguP+2ATUn4KnRpSAgjK9w/1U5HsuSbnrOV92S2aPcrrTbAoXDmp8qlmRAP0hCoBKjU2/nvXishth6xFphyvqQF0z4rNbI2LMPdye6XQds4YS2VcRMZcTyxPDJ2hYYUBDOQPOuRXr4fyqFUBthayGQqhCfnzxjJSmnP6was32PkhHwHc2wwgGsoDvmnIrNrrLKcSUf66zK/VxjveavNZwzP96IzWfREhvPqBWqlwftfKyUQ0CwPEjkmfqYziPz+P0OQNqHKU4/BvVeKolW4qsgd8qSWsyMc0koTFm40Yx1/e+Sh53Yo5P8O0RUFlbdK+DZddsTyROZFsTcM4WW5ovT43yrgBuZGmYicH0I8nxxvDa/yfdIiI/w7jWP6RIThmgHJlf6qyhwqo/ki6y+38S9K03ExLripDnNnMsWsN2ALP5cSdVvt8/luu2TaI1wzJ7OFLPVs0mrbBJ54kw74wkoIfsUXFHiDohEX7lLKae0or9+Sy6+nrf6/qqoGTOoNqkA3yL7wimsmlDuQ5NggOUXKb+eO51LD75k32Xa5Kg+YqkqjZrJ/aJcMbqrS/Aw9OyIkv8Rm/DzC40NgAh3kIMEpFeA6bj4juI1zOJPH4DfGig1WjiTtr3O7JMaH8ApXXL3jDjLfgca94605b1QUz0NRf6IxPB7EfL/L8RFXxuMbbDhAnKQy0xfjoCNFn2oMZQ2KPDbeTMLnOvl+Q+uIvP+6MaZcRuDb8Lfgl+vHvgWY3mV8GYKamw4UXZ268Hvl9PUWZbmTjgs0bHWcJoAU+Vurqh0OGUTJJYHayRa087CkhCI26FYfDWpytgLuZ0Se9AJJWZ2RGBUuXHHfzaoWEQOkDZDiPLcB/ijYET6SuS5c91RGysw/306RnLuvO+i0frp/i1cZ65+vSlREs7zB0C8Wd02eQT2B7hG8IQCU23K9lrUxgyVeJybJ4jOBAFdxP+/NJVR83NJDdz+x+D9D/QQHBccmTSFagXNqmBSs9TtUrw98Be0x9Acmtjgjf3yq2BL8Yj6SLC4Yp8qLYxHXxP9xyy2vC1KU4ilkmRcxPNXe4iaJl6wfTAIvJmV2Dl6m2baQcwDLN9GCbwGqVok5YVA9wUaPYXXEQfUbWs9v56V3YT7O0CrQoLBFBycicJatOcNHpik9GRPiwcOjZNnm8n2a2GAag2LyBdszpdn8b0SGbD1ILwC4J+nPTDhQzHiespSrlCTVqEV/+Kxf3/fJWtGKwTkhyyRqDKUJmyezmqVYumfWARqZLjfo/syA7pmAxRgew From: Stephen Smalley <sds@tycho.nsa.gov> To: selinux@vger.kernel.org Cc: paul@paul-moore.com, will@kernel.org, viro@zeniv.linux.org.uk, neilb@suse.de, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov> Subject: [PATCH 2/2] selinux: fall back to ref-walk if audit is required Date: Fri, 22 Nov 2019 12:22:45 -0500 Message-Id: <20191122172245.7875-2-sds@tycho.nsa.gov> In-Reply-To: <20191122172245.7875-1-sds@tycho.nsa.gov> References: <20191122172245.7875-1-sds@tycho.nsa.gov> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	[1/2] selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link" \| expand [1/2] selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link" [2/2] selinux: fall back to ref-walk if audit is required

Message ID

20191122172245.7875-2-sds@tycho.nsa.gov (mailing list archive)

State

New, archived

Headers

IronPort-PHdr: 
 9a23:fQo4whY4vd9rRWYCUK0hVOz/LSx+4OfEezUN459isYplN5qZps25Yx7h7PlgxGXEQZ/co6odzbaP6Oa5BDBLsMbJmUtBWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYdFRrlKAV6OPn+FJLMgMSrzeCy/IDYbxlViDanbr5+MRu7oR/MusQWjoZuJaI8xxjUqXZUZupawn9lK0iOlBjm/Mew+5Bj8yVUu/0/8sNLTLv3caclQ7FGFToqK2866tHluhnFVguP+2ATUn4KnRpSAgjK9w/1U5HsuSbnrOV92S2aPcrrTbAoXDmp8qlmRAP0hCoBKjU2/nvXishth6xFphyvqQF0z4rNbI2LMPdye6XQds4YS2VcRMZcTyxPDJ2hYYUBDOQPOuRXr4fyqFUBthayGQqhCfnzxjJSmnP6was32PkhHwHc2wwgGsoDvmnIrNrrLKcSUf66zK/VxjveavNZwzP96IzWfREhvPqBWqlwftfKyUQ0CwPEjkmfqYziPz+P0OQNqHKU4/BvVeKolW4qsgd8qSWsyMc0koTFm40Yx1/e+Sh53Yo5P8O0RUFlbdK+DZddsTyROZFsTcM4WW5ovT43yrgBuZGmYicH0I8nxxvDa/yfdIiI/w7jWP6RIThmgHJlf6qyhwqo/ki6y+38S9K03ExLripDnNnMsWsN2ALP5cSdVvt8/luu2TaI1wzJ7OFLPVs0mrbBJ54kw74wkoIfsUXFHiDohEX7lLKae0or9+Sy6+nrf6/qqoGTOoNqkA3yL7wimsmlDuQ5NggOUXKb+eO51LD75k32Xa5Kg+YqkqjZrJ/aJcMbqrS/Aw9OyIkv8Rm/DzC40NgAh3kIMEpFeA6bj4juI1zOJPH4DfGig1WjiTtr3O7JMaH8ApXXL3jDjLfgca94605b1QUz0NRf6IxPB7EfL/L8RFXxuMbbDhAnKQy0xfjoCNFn2oMZQ2KPDbeTMLnOvl+Q+uIvP+6MaZcRuDb8Lfgl+vHvgWY3mV8GYKamw4UXZ268Hvl9PUWZbmTjgs0bHWcJoAU+Vurqh0OGUTJJYHayRa087CkhCI26FYfDWpytgLuZ0Se9AJJWZ2RGBUuXHHfzaoWEQOkDZDiPLcB/ijYET6SuS5c91RGysw/306RnLuvO+i0frp/i1cZ65+vSlREs7zB0C8Wd02eQT2B7hG8IQCU23K9lrUxgyVeJybJ4jOBAFdxP+/NJVR83NJDdz+x+D9D/QQHBccmTSFagXNqmBSs9TtUrw98Be0x9Acmtjgjf3yq2BL8Yj6SLC4Yp8qLYxHXxP9xyy2vC1KU4ilkmRcxPNXe4iaJl6wfTAIvJmV2Dl6m2baQcwDLN9GCbwGqVok5YVA9wUaPYXXEQfUbWs9v56V3YT7O0CrQoLBFBycicJatOcNHpik9GRPiwcOjZNnm8n2a2GAag2LyBdszpdn8b0SGbD1ILwC4J+nPTDhQzHiespSrlCTVqEV/+Kxf3/fJWtGKwTkhyyRqDKUJmyezmqVYumfWARqZLjfo/syA7pmAxRgew
From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, will@kernel.org, viro@zeniv.linux.org.uk,
        neilb@suse.de, linux-fsdevel@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH 2/2] selinux: fall back to ref-walk if audit is required
Date: Fri, 22 Nov 2019 12:22:45 -0500
Message-Id: <20191122172245.7875-2-sds@tycho.nsa.gov>
In-Reply-To: <20191122172245.7875-1-sds@tycho.nsa.gov>
References: <20191122172245.7875-1-sds@tycho.nsa.gov>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

[1/2] selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link" | expand

Commit Message

Stephen Smalley Nov. 22, 2019, 5:22 p.m. UTC

commit bda0be7ad994 ("security: make inode_follow_link RCU-walk aware")
passed down the rcu flag to the SELinux AVC, but failed to adjust the
test in slow_avc_audit() to also return -ECHILD on LSM_AUDIT_DATA_DENTRY.
Previously, we only returned -ECHILD if generating an audit record with
LSM_AUDIT_DATA_INODE since this was only relevant from inode_permission.
Move the handling of MAY_NOT_BLOCK to avc_audit() and its inlined
equivalent in selinux_inode_permission() immediately after we determine
that audit is required, and always fall back to ref-walk in this case.

Fixes: bda0be7ad994 ("security: make inode_follow_link RCU-walk aware")
Reported-by: Will Deacon <will@kernel.org>
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/avc.c         | 24 +++++-------------------
 security/selinux/hooks.c       | 11 +++++++----
 security/selinux/include/avc.h |  8 +++++---
 3 files changed, 17 insertions(+), 26 deletions(-)

Comments

Paul Moore Dec. 9, 2019, 11:42 p.m. UTC | #1

On Fri, Nov 22, 2019 at 12:23 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> commit bda0be7ad994 ("security: make inode_follow_link RCU-walk aware")
> passed down the rcu flag to the SELinux AVC, but failed to adjust the
> test in slow_avc_audit() to also return -ECHILD on LSM_AUDIT_DATA_DENTRY.
> Previously, we only returned -ECHILD if generating an audit record with
> LSM_AUDIT_DATA_INODE since this was only relevant from inode_permission.
> Move the handling of MAY_NOT_BLOCK to avc_audit() and its inlined
> equivalent in selinux_inode_permission() immediately after we determine
> that audit is required, and always fall back to ref-walk in this case.
>
> Fixes: bda0be7ad994 ("security: make inode_follow_link RCU-walk aware")
> Reported-by: Will Deacon <will@kernel.org>
> Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  security/selinux/avc.c         | 24 +++++-------------------
>  security/selinux/hooks.c       | 11 +++++++----
>  security/selinux/include/avc.h |  8 +++++---
>  3 files changed, 17 insertions(+), 26 deletions(-)

Also merged into selinux/next, thanks.

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 74c43ebe34bb..23dc888ae305 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -424,7 +424,7 @@  static inline int avc_xperms_audit(struct selinux_state *state,
 	if (likely(!audited))
 		return 0;
 	return slow_avc_audit(state, ssid, tsid, tclass, requested,
-			audited, denied, result, ad, 0);
+			audited, denied, result, ad);
 }
 
 static void avc_node_free(struct rcu_head *rhead)
@@ -758,8 +758,7 @@  static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 noinline int slow_avc_audit(struct selinux_state *state,
 			    u32 ssid, u32 tsid, u16 tclass,
 			    u32 requested, u32 audited, u32 denied, int result,
-			    struct common_audit_data *a,
-			    unsigned int flags)
+			    struct common_audit_data *a)
 {
 	struct common_audit_data stack_data;
 	struct selinux_audit_data sad;
@@ -772,17 +771,6 @@  noinline int slow_avc_audit(struct selinux_state *state,
 		a->type = LSM_AUDIT_DATA_NONE;
 	}
 
-	/*
-	 * When in a RCU walk do the audit on the RCU retry.  This is because
-	 * the collection of the dname in an inode audit message is not RCU
-	 * safe.  Note this may drop some audits when the situation changes
-	 * during retry. However this is logically just as if the operation
-	 * happened a little later.
-	 */
-	if ((a->type == LSM_AUDIT_DATA_INODE) &&
-	    (flags & MAY_NOT_BLOCK))
-		return -ECHILD;
-
 	sad.tclass = tclass;
 	sad.requested = requested;
 	sad.ssid = ssid;
@@ -855,16 +843,14 @@  static int avc_update_node(struct selinux_avc *avc,
 	/*
 	 * If we are in a non-blocking code path, e.g. VFS RCU walk,
 	 * then we must not add permissions to a cache entry
-	 * because we cannot safely audit the denial.  Otherwise,
+	 * because we will not audit the denial.  Otherwise,
 	 * during the subsequent blocking retry (e.g. VFS ref walk), we
 	 * will find the permissions already granted in the cache entry
 	 * and won't audit anything at all, leading to silent denials in
 	 * permissive mode that only appear when in enforcing mode.
 	 *
-	 * See the corresponding handling in slow_avc_audit(), and the
-	 * logic in selinux_inode_follow_link and selinux_inode_permission
-	 * for the VFS MAY_NOT_BLOCK flag, which is transliterated into
-	 * AVC_NONBLOCKING for avc_has_perm_noaudit().
+	 * See the corresponding handling of MAY_NOT_BLOCK in avc_audit()
+	 * and selinux_inode_permission().
 	 */
 	if (flags & AVC_NONBLOCKING)
 		return 0;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3eaa3b419463..fd34e25c016f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3015,8 +3015,7 @@  static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
 
 static noinline int audit_inode_permission(struct inode *inode,
 					   u32 perms, u32 audited, u32 denied,
-					   int result,
-					   unsigned flags)
+					   int result)
 {
 	struct common_audit_data ad;
 	struct inode_security_struct *isec = selinux_inode(inode);
@@ -3027,7 +3026,7 @@  static noinline int audit_inode_permission(struct inode *inode,
 
 	rc = slow_avc_audit(&selinux_state,
 			    current_sid(), isec->sid, isec->sclass, perms,
-			    audited, denied, result, &ad, flags);
+			    audited, denied, result, &ad);
 	if (rc)
 		return rc;
 	return 0;
@@ -3074,7 +3073,11 @@  static int selinux_inode_permission(struct inode *inode, int mask)
 	if (likely(!audited))
 		return rc;
 
-	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
+	/* fall back to ref-walk if we have to generate audit */
+	if (flags & MAY_NOT_BLOCK)
+		return -ECHILD;
+
+	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
 	if (rc2)
 		return rc2;
 	return rc;
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 74ea50977c20..cf4cc3ef959b 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -100,8 +100,7 @@  static inline u32 avc_audit_required(u32 requested,
 int slow_avc_audit(struct selinux_state *state,
 		   u32 ssid, u32 tsid, u16 tclass,
 		   u32 requested, u32 audited, u32 denied, int result,
-		   struct common_audit_data *a,
-		   unsigned flags);
+		   struct common_audit_data *a);
 
 /**
  * avc_audit - Audit the granting or denial of permissions.
@@ -135,9 +134,12 @@  static inline int avc_audit(struct selinux_state *state,
 	audited = avc_audit_required(requested, avd, result, 0, &denied);
 	if (likely(!audited))
 		return 0;
+	/* fall back to ref-walk if we have to generate audit */
+	if (flags & MAY_NOT_BLOCK)
+		return -ECHILD;
 	return slow_avc_audit(state, ssid, tsid, tclass,
 			      requested, audited, denied, result,
-			      a, flags);
+			      a);
 }
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */

[2/2] selinux: fall back to ref-walk if audit is required

Commit Message

Comments

Patch