From patchwork Tue Dec 4 20:42:09 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 10712597 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 722F018B8 for ; Tue, 4 Dec 2018 20:39:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6511A2C15A for ; Tue, 4 Dec 2018 20:39:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 593732C27D; Tue, 4 Dec 2018 20:39:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D1C652C15A for ; Tue, 4 Dec 2018 20:39:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726408AbeLDUjf (ORCPT ); Tue, 4 Dec 2018 15:39:35 -0500 Received: from ucol19pa09.eemsg.mail.mil ([214.24.24.82]:37732 "EHLO ucol19pa09.eemsg.mail.mil" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726268AbeLDUjf (ORCPT ); Tue, 4 Dec 2018 15:39:35 -0500 X-EEMSG-check-008: 799673733|UCOL19PA09_EEMSG_MP7.csd.disa.mil X-IronPort-AV: E=Sophos;i="5.56,315,1539648000"; d="scan'208";a="799673733" Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by ucol19pa09.eemsg.mail.mil with ESMTP/TLS/DHE-RSA-AES256-SHA256; 04 Dec 2018 20:39:33 +0000 X-IronPort-AV: E=Sophos;i="5.56,315,1539648000"; d="scan'208";a="18422573" IronPort-PHdr: 9a23:Y6nnPhEynm8EK1/QyYPrnp1GYnF86YWxBRYc798ds5kLTJ7zo8mwAkXT6L1XgUPTWs2DsrQY07qQ6/iocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbAhEmDmwbaluIBmqsA7cqtQYjYx+J6gr1xDHuGFIe+NYxWNpIVKcgRPx7dqu8ZBg7ipdpesv+9ZPXqvmcas4S6dYDCk9PGAu+MLrrxjDQhCR6XYaT24bjwBHAwnB7BH9Q5fxri73vfdz1SWGIcH7S60/Vjq476dvVRTmliEJOTAk+23Tk8B8kr5XrBenqhdiwYDbfZuVOeJ+cK3DYN0US2lPUMFeWCJOGY6wc4gCAvAdMetCs4Xxu10Dpga+Cwm2A+PvzydFiGLq3aIky+QhER/J3Ao9FNwTtXTbttH1NKMMXuG10aLFyi7DYO5N2Trm9IjJcgwuofGLXb5qd8rR0lMgGxnKjlWXt4zoJjWY3fkOvWiD9+dsSO2ihmE9pwxxvzSj3Nkgh4bXio4P11zJ8zhyzpwvKt2iUkF7ZMapEJ5Xty6HKYR7WtgiQ2R0uCYizb0GpIK7cDAKyJs5wx7fbOSKc5SS7RL5VeaRPCx4iGh5eLO/mxmy8U+gxvf6Vsaoy1ZFsjBJktzNtnAJzxDT686HReVh/kq5xDqC2A/e5vtELEwpj6bXNZEszqAqmpYOqUjDGzX5mETyjK+YbEUk/e2o5vz8Yrr7vZ+RLJN0iwHiPaQuncyzG+I4MhMUUGSB9uS806Pj8VXjQLpWlv02jrXZsJfCKMsAo665ABNV0pst6ha+ETim1s8VnXYCLF1feRKHi5LlNE3JIPD9Ff2/mUijkC93x/DaOb3sGo3NIWLekLflZrt981RTyBc3zdxG4pJUDbYBIOjtVUPrqNPYCRo5ORSuw+n7ENV9yp8eWWWXD6+CLqzStV6I5uQyI+iDf4IVpjn9JOY/5/L0jn82h0Udfa+30psTcny4Ge5mI0rKKUbr18wMFWYMoxoWUuPnkhuBXCRVanL0WLgztR8hD4fzNpvOXoCghvS62S6/GpBHLjRdBkukDWbjd4LCXewFLi2VPJkywXQ/SbG9Rtp5hlmVvwjgxu8idLLZ X-IPAS-Result: A2BeAACO5AZc/wHyM5BkHQEBBQEHBQGBUQgBCwGBWimBNTMnjBKMDlIGikYOjiqBeiAYAYRAgwwiNAkNAQMBAQEBAQECAWwogjYkgxALAUaBAk+CYj+BagMIDaYRM4VAgkcNghyHb4QvF3iBB4ERhWmCd4UOAokND4cTUI8cLgmOE4MjCxiBW4g2hxQBigmEcYtDOIFVKwgCGAghD4MngicXjjshAzCBBQEBimEBAQ Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 04 Dec 2018 20:39:33 +0000 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id wB4KdWgi006307; Tue, 4 Dec 2018 15:39:32 -0500 From: Stephen Smalley To: selinux@vger.kernel.org Cc: paul@paul-moore.com, bmktuwien@gmail.com, Stephen Smalley Subject: [RFC][PATCH] selinux: avoid silent denials in permissive mode under RCU walk Date: Tue, 4 Dec 2018 15:42:09 -0500 Message-Id: <20181204204209.21542-1-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.19.2 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") results in no audit messages at all if in permissive mode because the cache is updated during the rcu walk and thus no denial occurs on the subsequent ref walk. Fix this by not updating the cache when performing a non-blocking permission check. This only affects search and symlink read checks during rcu walk. Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") Reported-by: BMK Signed-off-by: Stephen Smalley --- security/selinux/avc.c | 9 ++++++--- security/selinux/hooks.c | 4 +++- security/selinux/include/avc.h | 1 + 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 635e5c1e3e48..f0e7bc0dc442 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -1021,8 +1021,10 @@ static noinline int avc_denied(struct selinux_state *state, !(avd->flags & AVD_FLAGS_PERMISSIVE)) return -EACCES; - avc_update_node(state->avc, AVC_CALLBACK_GRANT, requested, driver, - xperm, ssid, tsid, tclass, avd->seqno, NULL, flags); + if (!(flags & AVC_NONBLOCKING)) + avc_update_node(state->avc, AVC_CALLBACK_GRANT, requested, + driver, xperm, ssid, tsid, tclass, avd->seqno, + NULL, flags); return 0; } @@ -1199,7 +1201,8 @@ int avc_has_perm_flags(struct selinux_state *state, struct av_decision avd; int rc, rc2; - rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0, + rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, + (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, &avd); rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7ce012d9ec51..9b05f84808d9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3196,7 +3196,9 @@ static int selinux_inode_permission(struct inode *inode, int mask) return PTR_ERR(isec); rc = avc_has_perm_noaudit(&selinux_state, - sid, isec->sid, isec->sclass, perms, 0, &avd); + sid, isec->sid, isec->sclass, perms, + (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, + &avd); audited = avc_audit_required(perms, &avd, rc, from_access ? FILE__AUDIT_ACCESS : 0, &denied); diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index ef899bcfd2cb..74ea50977c20 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -142,6 +142,7 @@ static inline int avc_audit(struct selinux_state *state, #define AVC_STRICT 1 /* Ignore permissive mode. */ #define AVC_EXTENDED_PERMS 2 /* update extended permissions */ +#define AVC_NONBLOCKING 4 /* non blocking */ int avc_has_perm_noaudit(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass, u32 requested,