From patchwork Fri Apr 29 16:29:57 2016
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 8983981
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Subject: [PATCH v2] selinux: Only apply bounds checking to source types
Date: Fri, 29 Apr 2016 12:29:57 -0400
Message-Id: <1461947397-4478-1-git-send-email-sds@tycho.nsa.gov>

The current bounds checking of both source and target types
requires allowing any domain that has access to the child
domain to also have the same permissions to the parent, which
is undesirable. Drop the target bounds checking.

KaiGai Kohei originally removed all use of target bounds in
commit 7d52a155e38d ("selinux: remove dead code in
type_attribute_bounds_av()") but this was reverted in
commit 2ae3ba39389b ("selinux: libsepol: remove dead code in
check_avtab_hierarchy_callback()") because it would have
required explicitly allowing the parent any permissions
to the child that the child is allowed to itself.

This change in contrast retains the logic for the case where both
source and target types are bounded, thereby allowing access
if the parent of the source is allowed the corresponding
permissions to the parent of the target.

Signed-off-by: Stephen Smalley
---
v2 retains the logic for the case where both source and target types
are bounded as described above, and amends the patch description to
explain the difference from KaiGai's earlier attempt.

 security/selinux/ss/services.c | 22 ++++------------------
 1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 89df646..ca42265 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -573,28 +573,14 @@ static void type_attribute_bounds_av(struct context *scontext, masked = ~lo_avd.allowed & avd->allowed; } - if (target->bounds) { - memset(&lo_avd, 0, sizeof(lo_avd)); - - memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); - lo_tcontext.type = target->bounds; - - context_struct_compute_av(scontext, - &lo_tcontext, - tclass, - &lo_avd, - NULL); - if ((lo_avd.allowed & avd->allowed) == avd->allowed) - return; /* no masked permission */ - masked = ~lo_avd.allowed & avd->allowed; - } - if (source->bounds && target->bounds) { memset(&lo_avd, 0, sizeof(lo_avd)); + /* - * lo_scontext and lo_tcontext are already - * set up. + * lo_scontext is already set up above. */ + memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); + lo_tcontext.type = target->bounds; context_struct_compute_av(&lo_scontext, &lo_tcontext,
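Review bot: after this hunk, the `if (source->bounds && target->bounds)` block is the only one shown that still looks at `target->bounds`, so a bounded target reached from an unbounded source is no longer masked here, and nothing in the code records that this is deliberate. The description explains the reasoning, but a short comment above that condition saying that target bounds are applied only together with source bounds, and why, would keep the removed `if (target->bounds)` block from being re-added later as a "missing" check. The rewritten comment `lo_scontext is already set up above` is also only true because the condition includes `source->bounds`; it would be clearer to say so in the comment, since `lo_tcontext` is now initialised inside this branch while `lo_scontext` still depends on the earlier block having run. Since the description cites the libsepol revert in `check_avtab_hierarchy_callback()`, it would help to state whether a matching userspace change accompanies this one, so the policy hierarchy check and the kernel enforce the same rule.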