| Message ID | 20190611080719.28625-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | selinux: log raw contexts as untrusted strings | expand |
On 2019-06-11 10:07, Ondrej Mosnacek wrote: > These strings may come from untrusted sources (e.g. file xattrs) so they > need to be properly escaped. > > Reproducer: > # setenforce 0 > # touch /tmp/test > # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test > # runcon system_u:system_r:sshd_t:s0 cat /tmp/test > (look at the generated AVCs) > > Actual result: > type=AVC [...] trawcon=kuřecí řízek > > Expected result: > type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B > > Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs") > Cc: stable@vger.kernel.org # v5.1+ > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Richard Guy Briggs <rgb@redhat.com> > --- > security/selinux/avc.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/security/selinux/avc.c b/security/selinux/avc.c > index 8346a4f7c5d7..a99be508f93d 100644 > --- a/security/selinux/avc.c > +++ b/security/selinux/avc.c > @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) > rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, > &scontext_len); > if (!rc && scontext) { > - audit_log_format(ab, " srawcon=%s", scontext); > + if (scontext_len && scontext[scontext_len - 1] == '\0') > + scontext_len--; > + audit_log_format(ab, " srawcon="); > + audit_log_n_untrustedstring(ab, scontext, scontext_len); > kfree(scontext); > } > > rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext, > &scontext_len); > if (!rc && scontext) { > - audit_log_format(ab, " trawcon=%s", scontext); > + if (scontext_len && scontext[scontext_len - 1] == '\0') > + scontext_len--; > + audit_log_format(ab, " trawcon="); > + audit_log_n_untrustedstring(ab, scontext, scontext_len); > kfree(scontext); > } > } > -- > 2.20.1 > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > These strings may come from untrusted sources (e.g. file xattrs) so they > need to be properly escaped. > > Reproducer: > # setenforce 0 > # touch /tmp/test > # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test > # runcon system_u:system_r:sshd_t:s0 cat /tmp/test > (look at the generated AVCs) > > Actual result: > type=AVC [...] trawcon=kuřecí řízek > > Expected result: > type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B > > Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs") > Cc: stable@vger.kernel.org # v5.1+ > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > security/selinux/avc.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) Thanks, the patch looks fine to me, but it is borderline -stable material in my opinion. I'll add it to the stable-5.2 branch, but in the future I would prefer if you left the stable marking off patches and sent a reply discussing *why* this should go to stable so we can discuss it. I realize Greg likes to pull a lot of stuff into stable, but I try to be a bit more conservative about what gets marked. Even the simplest fix can still break things :) I'm going to start building a test kernel now with this fix, but I might hold off on sending this up to Linus for a couple of days to see if I can catch Gen Zhang's patches in the same PR. > diff --git a/security/selinux/avc.c b/security/selinux/avc.c > index 8346a4f7c5d7..a99be508f93d 100644 > --- a/security/selinux/avc.c > +++ b/security/selinux/avc.c > @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) > rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, > &scontext_len); > if (!rc && scontext) { > - audit_log_format(ab, " srawcon=%s", scontext); > + if (scontext_len && scontext[scontext_len - 1] == '\0') > + scontext_len--; > + audit_log_format(ab, " srawcon="); > + audit_log_n_untrustedstring(ab, scontext, scontext_len); > kfree(scontext); > } > > rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext, > &scontext_len); > if (!rc && scontext) { > - audit_log_format(ab, " trawcon=%s", scontext); > + if (scontext_len && scontext[scontext_len - 1] == '\0') > + scontext_len--; > + audit_log_format(ab, " trawcon="); > + audit_log_n_untrustedstring(ab, scontext, scontext_len); > kfree(scontext); > } > } > -- > 2.20.1
On Wed, Jun 12, 2019 at 12:56 AM Paul Moore <paul@paul-moore.com> wrote: > On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > These strings may come from untrusted sources (e.g. file xattrs) so they > > need to be properly escaped. > > > > Reproducer: > > # setenforce 0 > > # touch /tmp/test > > # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test > > # runcon system_u:system_r:sshd_t:s0 cat /tmp/test > > (look at the generated AVCs) > > > > Actual result: > > type=AVC [...] trawcon=kuřecí řízek > > > > Expected result: > > type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B > > > > Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs") > > Cc: stable@vger.kernel.org # v5.1+ > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > security/selinux/avc.c | 10 ++++++++-- > > 1 file changed, 8 insertions(+), 2 deletions(-) > > Thanks, the patch looks fine to me, but it is borderline -stable > material in my opinion. I'll add it to the stable-5.2 branch, but in > the future I would prefer if you left the stable marking off patches > and sent a reply discussing *why* this should go to stable so we can > discuss it. I realize Greg likes to pull a lot of stuff into stable, > but I try to be a bit more conservative about what gets marked. Even > the simplest fix can still break things :) OK, I was a bit unsure whether to mark it as stable or not and eventually inclined to do so... I'll try be more careful about it in the future. > > I'm going to start building a test kernel now with this fix, but I > might hold off on sending this up to Linus for a couple of days to see > if I can catch Gen Zhang's patches in the same PR. > > > diff --git a/security/selinux/avc.c b/security/selinux/avc.c > > index 8346a4f7c5d7..a99be508f93d 100644 > > --- a/security/selinux/avc.c > > +++ b/security/selinux/avc.c > > @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) > > rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, > > &scontext_len); > > if (!rc && scontext) { > > - audit_log_format(ab, " srawcon=%s", scontext); > > + if (scontext_len && scontext[scontext_len - 1] == '\0') > > + scontext_len--; > > + audit_log_format(ab, " srawcon="); > > + audit_log_n_untrustedstring(ab, scontext, scontext_len); > > kfree(scontext); > > } > > > > rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext, > > &scontext_len); > > if (!rc && scontext) { > > - audit_log_format(ab, " trawcon=%s", scontext); > > + if (scontext_len && scontext[scontext_len - 1] == '\0') > > + scontext_len--; > > + audit_log_format(ab, " trawcon="); > > + audit_log_n_untrustedstring(ab, scontext, scontext_len); > > kfree(scontext); > > } > > } > > -- > > 2.20.1 > > -- > paul moore > www.paul-moore.com
On Wed, Jun 12, 2019 at 3:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > On Wed, Jun 12, 2019 at 12:56 AM Paul Moore <paul@paul-moore.com> wrote: > > On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > These strings may come from untrusted sources (e.g. file xattrs) so they > > > need to be properly escaped. > > > > > > Reproducer: > > > # setenforce 0 > > > # touch /tmp/test > > > # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test > > > # runcon system_u:system_r:sshd_t:s0 cat /tmp/test > > > (look at the generated AVCs) > > > > > > Actual result: > > > type=AVC [...] trawcon=kuřecí řízek > > > > > > Expected result: > > > type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B > > > > > > Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs") > > > Cc: stable@vger.kernel.org # v5.1+ > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > > --- > > > security/selinux/avc.c | 10 ++++++++-- > > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > Thanks, the patch looks fine to me, but it is borderline -stable > > material in my opinion. I'll add it to the stable-5.2 branch, but in > > the future I would prefer if you left the stable marking off patches > > and sent a reply discussing *why* this should go to stable so we can > > discuss it. I realize Greg likes to pull a lot of stuff into stable, > > but I try to be a bit more conservative about what gets marked. Even > > the simplest fix can still break things :) > > OK, I was a bit unsure whether to mark it as stable or not and > eventually inclined to do so... I'll try be more careful about it in > the future. If it makes you feel better, it's not that big of a deal, I just felt it was worth mentioning since we've been doing a bit of a "best practices for submitting SELinux kernel patches" on the mailing list lately and I felt this was worth mentioning. The basic idea is that I think marking something for stable shouldn't be taken lightly and it is worth a discussion, even if it is short.
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 8346a4f7c5d7..a99be508f93d 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, &scontext_len); if (!rc && scontext) { - audit_log_format(ab, " srawcon=%s", scontext); + if (scontext_len && scontext[scontext_len - 1] == '\0') + scontext_len--; + audit_log_format(ab, " srawcon="); + audit_log_n_untrustedstring(ab, scontext, scontext_len); kfree(scontext); } rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext, &scontext_len); if (!rc && scontext) { - audit_log_format(ab, " trawcon=%s", scontext); + if (scontext_len && scontext[scontext_len - 1] == '\0') + scontext_len--; + audit_log_format(ab, " trawcon="); + audit_log_n_untrustedstring(ab, scontext, scontext_len); kfree(scontext); } }
These strings may come from untrusted sources (e.g. file xattrs) so they need to be properly escaped. Reproducer: # setenforce 0 # touch /tmp/test # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test # runcon system_u:system_r:sshd_t:s0 cat /tmp/test (look at the generated AVCs) Actual result: type=AVC [...] trawcon=kuřecí řízek Expected result: type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs") Cc: stable@vger.kernel.org # v5.1+ Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/avc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)