From patchwork Thu Apr 28 20:43:34 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stephen Smalley <sds@tycho.nsa.gov>
X-Patchwork-Id: 8974451
Return-Path: <selinux-bounces@tycho.nsa.gov>
X-Original-To: patchwork-selinux@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id C46829F1C1
	for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 28 Apr 2016 20:45:02 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 0AD3820268
	for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 28 Apr 2016 20:45:02 +0000 (UTC)
Received: from emsm-gh1-uea10.nsa.gov (emsm-gh1-uea10.nsa.gov [8.44.101.8])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 0AA3E201C0
	for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 28 Apr 2016 20:45:00 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.24,548,1454976000"; d="scan'208";a="13168071"
IronPort-PHdr: =?us-ascii?q?9a23=3ARvv5whyzeohLJ8rXCy+O+j09IxM/srCxBDY+r6Qd?=
	=?us-ascii?q?0e4UIJqq85mqBkHD//Il1AaPBtWLraIYwLOL6ejJYi8p39WoiDg6aptCVhsI24?=
	=?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6kO74TNaIBjjLw09?=
	=?us-ascii?q?fr2zQd6CyZTrnLnvodX6WEZhunmUWftKNhK4rAHc5IE9oLBJDeIP8CbPuWZCYO?=
	=?us-ascii?q?9MxGlldhq5lhf44dqsrtY4q3wD86Fpy8kVSqj+fqIlXZREHT8mNCYz/8Stuh7d?=
	=?us-ascii?q?HiWV4X5JaXkbihpFBUD+6Rj+Wprg+n/huvFVxDiRPcqwS6s9Hzul8fE4G1fTlC?=
	=?us-ascii?q?4bOmthoynsgctqgfcDrQ=3D=3D?=
X-IPAS-Result: =?us-ascii?q?A2FSBQDodSJX/wHyM5BeHAGDG4FBD7tdH4VugThMAQEBAQE?=
	=?us-ascii?q?BAgJiJ4ItghwCJBMUIAsDAwkCFykICAMBLRUfCwUYBIgJxAcejnsRAYVyBYd0k?=
	=?us-ascii?q?ByIc4UkAolPhT4CjzBiggUbgWdQhjOBNQEBAQ?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea10.nsa.gov with ESMTP; 28 Apr 2016 20:44:45 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3SKgE85025329;
	Thu, 28 Apr 2016 16:43:13 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	u3SKg5hP206847 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Thu, 28 Apr 2016 16:42:05 -0400
Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto
	[192.168.25.131])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id
	u3SKg186025251; Thu, 28 Apr 2016 16:42:01 -0400
From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@tycho.nsa.gov
Subject: [PATCH] selinux: Only apply bounds checking to source types
Date: Thu, 28 Apr 2016 16:43:34 -0400
Message-Id: <1461876214-31134-1-git-send-email-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.5.5
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: jwcart2@tycho.ns.gov, Stephen Smalley <sds@tycho.nsa.gov>
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The current bounds checking of both source and target types
requires allowing any domain that has access to the child
domain to also have the same permissions to the parent, which
is undesirable.  Drop the target bounds checking.

KaiGai Kohei originally removed this checking in
commit 7d52a155e38d ("selinux: remove dead code in
type_attribute_bounds_av()") but this was reverted in
commit 2ae3ba39389b ("selinux: libsepol: remove dead code in
check_avtab_hierarchy_callback()").

However, it seems to be justified in order to allow use of typebounds
for exec-based domain transitions under NNP without loosening policy
for the parent domain.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/ss/services.c | 77 +++++++++++-------------------------------
 1 file changed, 19 insertions(+), 58 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 89df646..4b23a48 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -543,77 +543,38 @@ static void type_attribute_bounds_av(struct context *scontext,
 				     struct av_decision *avd)
 {
 	struct context lo_scontext;
-	struct context lo_tcontext;
 	struct av_decision lo_avd;
 	struct type_datum *source;
-	struct type_datum *target;
-	u32 masked = 0;
+	u32 masked;
 
 	source = flex_array_get_ptr(policydb.type_val_to_struct_array,
 				    scontext->type - 1);
 	BUG_ON(!source);
 
-	target = flex_array_get_ptr(policydb.type_val_to_struct_array,
-				    tcontext->type - 1);
-	BUG_ON(!target);
-
-	if (source->bounds) {
-		memset(&lo_avd, 0, sizeof(lo_avd));
+	if (!source->bounds)
+		return;
 
-		memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
-		lo_scontext.type = source->bounds;
+	memset(&lo_avd, 0, sizeof(lo_avd));
 
-		context_struct_compute_av(&lo_scontext,
-					  tcontext,
-					  tclass,
-					  &lo_avd,
-					  NULL);
-		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
-			return;		/* no masked permission */
-		masked = ~lo_avd.allowed & avd->allowed;
-	}
+	memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
+	lo_scontext.type = source->bounds;
 
-	if (target->bounds) {
-		memset(&lo_avd, 0, sizeof(lo_avd));
+	context_struct_compute_av(&lo_scontext,
+				  tcontext,
+				  tclass,
+				  &lo_avd,
+				  NULL);
+	if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+		return;		/* no masked permission */
 
-		memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
-		lo_tcontext.type = target->bounds;
+	masked = ~lo_avd.allowed & avd->allowed;
 
-		context_struct_compute_av(scontext,
-					  &lo_tcontext,
-					  tclass,
-					  &lo_avd,
-					  NULL);
-		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
-			return;		/* no masked permission */
-		masked = ~lo_avd.allowed & avd->allowed;
-	}
+	/* mask violated permissions */
+	avd->allowed &= ~masked;
 
-	if (source->bounds && target->bounds) {
-		memset(&lo_avd, 0, sizeof(lo_avd));
-		/*
-		 * lo_scontext and lo_tcontext are already
-		 * set up.
-		 */
-
-		context_struct_compute_av(&lo_scontext,
-					  &lo_tcontext,
-					  tclass,
-					  &lo_avd,
-					  NULL);
-		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
-			return;		/* no masked permission */
-		masked = ~lo_avd.allowed & avd->allowed;
-	}
-
-	if (masked) {
-		/* mask violated permissions */
-		avd->allowed &= ~masked;
-
-		/* audit masked permissions */
-		security_dump_masked_av(scontext, tcontext,
-					tclass, masked, "bounds");
-	}
+	/* audit masked permissions */
+	security_dump_masked_av(scontext, tcontext,
+				tclass, masked, "bounds");
 }
 
 /*