[RFC,v2,20/22] selinux: more strict bounds check

Message ID	20241216164055.96267-20-cgoettsche@seltendoof.de (mailing list archive)
State	New
Headers	show Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C804620C03C; Mon, 16 Dec 2024 16:42:02 +0000 (UTC) From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de> To: selinux@vger.kernel.org Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>, Paul Moore <paul@paul-moore.com>, Stephen Smalley <stephen.smalley.work@gmail.com>, Ondrej Mosnacek <omosnace@redhat.com>, Nathan Chancellor <nathan@kernel.org>, Nick Desaulniers <ndesaulniers@google.com>, Bill Wendling <morbo@google.com>, Justin Stitt <justinstitt@google.com>, =?utf-8?q?Thi=C3=A9baud_Weksteen?= <tweek@google.com>, =?utf-8?q?Bram_Bonn?= =?utf-8?q?=C3=A9?= <brambonne@google.com>, Masahiro Yamada <masahiroy@kernel.org>, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, Casey Schaufler <casey@schaufler-ca.com>, Canfeng Guo <guocanfeng@uniontech.com>, GUO Zihua <guozihua@huawei.com> Subject: [RFC PATCH v2 20/22] selinux: more strict bounds check Date: Mon, 16 Dec 2024 17:40:18 +0100 Message-ID: <20241216164055.96267-20-cgoettsche@seltendoof.de> In-Reply-To: <20241216164055.96267-1-cgoettsche@seltendoof.de> References: <20241216164055.96267-1-cgoettsche@seltendoof.de> Reply-To: cgzones@googlemail.com Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	[RFC,v2,01/22] selinux: supply missing field initializers \| expand [RFC,v2,01/22] selinux: supply missing field initializers [RFC,v2,02/22] selinux: avoid using types indicating user space interaction [RFC,v2,03/22] selinux: align and constify functions [RFC,v2,04/22] selinux: rework match_ipv6_addrmask() [RFC,v2,05/22] selinux: avoid nontransitive comparison [RFC,v2,06/22] selinux: rename comparison functions for clarity [RFC,v2,07/22] selinux: use known type instead of void pointer [RFC,v2,08/22] selinux: avoid unnecessary indirection in struct level_datum [RFC,v2,09/22] selinux: make use of str_read() [RFC,v2,10/22] selinux: use u16 for security classes [RFC,v2,11/22] selinux: more strict policy parsing [RFC,v2,12/22] selinux: check length fields in policies [RFC,v2,13/22] selinux: validate constraints [RFC,v2,14/22] selinux: pre-validate conditional expressions [RFC,v2,15/22] selinux: introduce ebitmap_highest_set_bit() [RFC,v2,16/22] selinux: check type attr map overflows [RFC,v2,17/22] selinux: reorder policydb_index() [RFC,v2,18/22] selinux: beef up isvalid checks [RFC,v2,19/22] selinux: validate symbols [RFC,v2,20/22] selinux: more strict bounds check [RFC,v2,21/22] selinux: check for simple types [RFC,v2,22/22] selinux: restrict policy strings

Message ID

20241216164055.96267-20-cgoettsche@seltendoof.de (mailing list archive)

State

New

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de>
To: selinux@vger.kernel.org
Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>,
 Paul Moore <paul@paul-moore.com>,
 Stephen Smalley <stephen.smalley.work@gmail.com>,
 Ondrej Mosnacek <omosnace@redhat.com>, Nathan Chancellor <nathan@kernel.org>,
 Nick Desaulniers <ndesaulniers@google.com>, Bill Wendling <morbo@google.com>,
 Justin Stitt <justinstitt@google.com>,
 =?utf-8?q?Thi=C3=A9baud_Weksteen?= <tweek@google.com>, =?utf-8?q?Bram_Bonn?=
	=?utf-8?q?=C3=A9?= <brambonne@google.com>,
 Masahiro Yamada <masahiroy@kernel.org>, linux-kernel@vger.kernel.org,
 llvm@lists.linux.dev, Casey Schaufler <casey@schaufler-ca.com>,
 Canfeng Guo <guocanfeng@uniontech.com>, GUO Zihua <guozihua@huawei.com>
Subject: [RFC PATCH v2 20/22] selinux: more strict bounds check
Date: Mon, 16 Dec 2024 17:40:18 +0100
Message-ID: <20241216164055.96267-20-cgoettsche@seltendoof.de>
In-Reply-To: <20241216164055.96267-1-cgoettsche@seltendoof.de>
References: <20241216164055.96267-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

[RFC,v2,01/22] selinux: supply missing field initializers | expand

Commit Message

Christian Göttsche Dec. 16, 2024, 4:40 p.m. UTC

From: Christian Göttsche <cgzones@googlemail.com>

Validate the types used in bounds checks.
Replace the usage of BUG(), to avoid halting the system on malformed
polices.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 security/selinux/ss/policydb.c | 29 +++++++++++++++++++++++++++--
 security/selinux/ss/policydb.h |  1 +
 security/selinux/ss/services.c |  3 +++
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index e9e478650e74..57ab2a811a15 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -1020,6 +1020,15 @@  bool policydb_class_isvalid(const struct policydb *p, u16 class)
 	return true;
 }
 
+bool policydb_user_isvalid(const struct policydb *p, u32 user)
+{
+	if (!user || user > p->p_roles.nprim)
+		return false;
+	if (!p->sym_val_to_name[SYM_USERS][user - 1])
+		return false;
+	return true;
+}
+
 bool policydb_role_isvalid(const struct policydb *p, u32 role)
 {
 	if (!role || role > p->p_roles.nprim)
@@ -1940,6 +1949,12 @@  static int user_bounds_sanity_check(void *key, void *datum, void *datap)
 			return -EINVAL;
 		}
 
+		if (!policydb_user_isvalid(p, upper->bounds)) {
+			pr_err("SELinux: user %s: invalid boundary id %d\n",
+			       (char *) key, upper->bounds);
+			return -EINVAL;
+		}
+
 		upper = p->user_val_to_struct[upper->bounds - 1];
 		ebitmap_for_each_positive_bit(&user->roles, node, bit)
 		{
@@ -1977,6 +1992,12 @@  static int role_bounds_sanity_check(void *key, void *datum, void *datap)
 			return -EINVAL;
 		}
 
+		if (!policydb_role_isvalid(p, upper->bounds)) {
+			pr_err("SELinux: role %s: invalid boundary id %d\n",
+			       (char *) key, upper->bounds);
+			return -EINVAL;
+		}
+
 		upper = p->role_val_to_struct[upper->bounds - 1];
 		ebitmap_for_each_positive_bit(&role->types, node, bit)
 		{
@@ -2011,9 +2032,13 @@  static int type_bounds_sanity_check(void *key, void *datum, void *datap)
 			return -EINVAL;
 		}
 
-		upper = p->type_val_to_struct[upper->bounds - 1];
-		BUG_ON(!upper);
+		if (!policydb_type_isvalid(p, upper->bounds)) {
+			pr_err("SELinux: type %s: invalid boundary id %d\n",
+			       (char *) key, upper->bounds);
+			return -EINVAL;
+		}
 
+		upper = p->type_val_to_struct[upper->bounds - 1];
 		if (upper->attribute) {
 			pr_err("SELinux: type %s: "
 			       "bounded by attribute %s\n",
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index aa3b21bd5286..512d2081733b 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -323,6 +323,7 @@  extern bool policydb_context_isvalid(const struct policydb *p, const struct cont
 extern bool policydb_class_isvalid(const struct policydb *p, u16 class);
 extern bool policydb_type_isvalid(const struct policydb *p, u32 type);
 extern bool policydb_role_isvalid(const struct policydb *p, u32 role);
+extern bool policydb_user_isvalid(const struct policydb *p, u32 user);
 extern bool policydb_boolean_isvalid(const struct policydb *p, u32 boolean);
 extern int policydb_read(struct policydb *p, struct policy_file *fp);
 extern int policydb_write(struct policydb *p, struct policy_file *fp);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 227fe7832c08..6dd281ddef7a 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -711,6 +711,9 @@  static void context_struct_compute_av(struct policydb *policydb,
 	 * If the given source and target types have boundary
 	 * constraint, lazy checks have to mask any violated
 	 * permission and notice it to userspace via audit.
+	 *
+	 * Infinite recursion is avoided via a depth pre-check in
+	 * type_bounds_sanity_check().
 	 */
 	type_attribute_bounds_av(policydb, scontext, tcontext,
 				 tclass, avd);

[RFC,v2,20/22] selinux: more strict bounds check

Commit Message

Patch