From patchwork Fri Jan 25 10:06:48 2019
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 10780927
From: Ondrej Mosnacek
To: selinux@vger.kernel.org, Paul Moore
Cc: Stephen Smalley, linux-audit@redhat.com, Ondrej Mosnacek
Subject: [PATCH v3 1/4] selinux: inline some AVC functions used only once
Date: Fri, 25 Jan 2019 11:06:48 +0100
Message-Id: <20190125100651.21753-2-omosnace@redhat.com>
In-Reply-To: <20190125100651.21753-1-omosnace@redhat.com>
References: <20190125100651.21753-1-omosnace@redhat.com>
X-Mailing-List: selinux@vger.kernel.org

avc_dump_av() and avc_dump_query() are each used only in one place. Get rid of them and open code their contents in the call sites.

Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
---
 security/selinux/avc.c | 140 +++++++++++++++++------------------------
 1 file changed, 58 insertions(+), 82 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 9b63d8ee1687..502162eeb3a0 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -129,75 +129,6 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); } -/** - * avc_dump_av - Display an access vector in human-readable form. - * @tclass: target security class - * @av: access vector - */ -static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) -{ - const char **perms; - int i, perm; - - if (av == 0) { - audit_log_format(ab, " null"); - return; - } - - BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); - perms = secclass_map[tclass-1].perms; - - audit_log_format(ab, " {"); - i = 0; - perm = 1; - while (i < (sizeof(av) * 8)) { - if ((perm & av) && perms[i]) { - audit_log_format(ab, " %s", perms[i]); - av &= ~perm; - } - i++; - perm <<= 1; - } - - if (av) - audit_log_format(ab, " 0x%x", av); - - audit_log_format(ab, " }"); -} - -/** - * avc_dump_query - Display a SID pair and a class in human-readable form. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - */ -static void avc_dump_query(struct audit_buffer *ab, struct selinux_state *state, - u32 ssid, u32 tsid, u16 tclass) -{ - int rc; - char *scontext; - u32 scontext_len; - - rc = security_sid_to_context(state, ssid, &scontext, &scontext_len); - if (rc) - audit_log_format(ab, "ssid=%d", ssid); - else { - audit_log_format(ab, "scontext=%s", scontext); - kfree(scontext); - } - - rc = security_sid_to_context(state, tsid, &scontext, &scontext_len); - if (rc) - audit_log_format(ab, " tsid=%d", tsid); - else { - audit_log_format(ab, " tcontext=%s", scontext); - kfree(scontext); - } - - BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); - audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); -} - /** * avc_init - Initialize the AVC. * 
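Review bot: deleting avc_dump_av() and avc_dump_query() also deletes the only description of the record fragments they produced (the " null" for an empty vector, the trailing " 0x%x" for bits that have no name in secclass_map, and the ssid=/tsid= fallback when a SID cannot be converted to a context); since that logic is now open-coded inside two audit callbacks, a short comment at each new site saying what the fragment means would keep the record format readable for the next person editing those functions.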
@@ -735,11 +666,37 @@ out: static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) { struct common_audit_data *ad = a; - audit_log_format(ab, "avc: %s ", - ad->selinux_audit_data->denied ? "denied" : "granted"); - avc_dump_av(ab, ad->selinux_audit_data->tclass, - ad->selinux_audit_data->audited); - audit_log_format(ab, " for "); + struct selinux_audit_data *sad = ad->selinux_audit_data; + u32 av = sad->audited; + const char **perms; + int i, perm; + + audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted"); + + if (av == 0) { + audit_log_string(ab, " null"); + return; + } + + BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map)); + perms = secclass_map[sad->tclass-1].perms; + + audit_log_string(ab, " {"); + i = 0; + perm = 1; + while (i < (sizeof(av) * 8)) { + if ((perm & av) && perms[i]) { + audit_log_format(ab, " %s", perms[i]); + av &= ~perm; + } + i++; + perm <<= 1; + } + + if (av) + audit_log_format(ab, " 0x%x", av); + + audit_log_string(ab, " } for "); } /** 
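Review bot: audit_log_string() is the wrong call for the " {", " } for " and " null" fragments: it is the helper for logging a string value and encloses its argument in double quotes, so the record would read `avc: denied " {" open " } for " pid=...` instead of the `avc: denied { open } for pid=...` that the deleted avc_dump_av() produced with audit_log_format(). Keep `audit_log_format(ab, " {");` and so on, exactly as the removed helper did. Two smaller points in the same hunk: the early `return` for av == 0 also skips the " for " separator that the old code appended after avc_dump_av(), so the null case changes format as well; and `perm` is an int while `av` is u32, so `perm <<= 1` shifts into the sign bit on the loop's last iterations, which makes this a good moment to declare it `u32 perm` now that the loop is being moved anyway.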
@@ -751,15 +708,34 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) static void avc_audit_post_callback(struct audit_buffer *ab, void *a) { struct common_audit_data *ad = a; - audit_log_format(ab, " "); - avc_dump_query(ab, ad->selinux_audit_data->state, - ad->selinux_audit_data->ssid, - ad->selinux_audit_data->tsid, - ad->selinux_audit_data->tclass); - if (ad->selinux_audit_data->denied) { - audit_log_format(ab, " permissive=%u", - ad->selinux_audit_data->result ? 0 : 1); + struct selinux_audit_data *sad = ad->selinux_audit_data; + char *scontext; + u32 scontext_len; + int rc; + + rc = security_sid_to_context(sad->state, sad->ssid, &scontext, + &scontext_len); + if (rc) + audit_log_format(ab, " ssid=%d", sad->ssid); + else { + audit_log_format(ab, " scontext=%s", scontext); + kfree(scontext); } + + rc = security_sid_to_context(sad->state, sad->tsid, &scontext, + &scontext_len); + if (rc) + audit_log_format(ab, " tsid=%d", sad->tsid); + else { + audit_log_format(ab, " tcontext=%s", scontext); + kfree(scontext); + } + + BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map)); + audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); + + if (sad->denied) + audit_log_format(ab, " permissive=%u", sad->result ? 
 0 : 1); } /* This is the slow part of avc audit with big stack footprint */

From patchwork Fri Jan 25 10:06:49 2019
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 10780929
From: Ondrej Mosnacek
To: selinux@vger.kernel.org, Paul Moore
Cc: Stephen Smalley, linux-audit@redhat.com, Ondrej Mosnacek
Subject: [PATCH v3 2/4] selinux: replace some BUG_ON()s with a WARN_ON()
Date: Fri, 25 Jan 2019 11:06:49 +0100
Message-Id: <20190125100651.21753-3-omosnace@redhat.com>
In-Reply-To: <20190125100651.21753-1-omosnace@redhat.com>
References: <20190125100651.21753-1-omosnace@redhat.com>
X-Mailing-List: selinux@vger.kernel.org

We don't need to crash the machine in these cases. Let's just detect the buggy state early and error out with a warning.

Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
---
 security/selinux/avc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 502162eeb3a0..5ebad47391c9 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -678,7 +678,6 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) return; } - BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map)); perms = secclass_map[sad->tclass-1].perms; audit_log_string(ab, " {"); @@ -731,7 +730,6 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) kfree(scontext); } - BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map)); audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); if (sad->denied) 
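Review bot: with these two BUG_ON()s gone, both callbacks index secclass_map[sad->tclass-1] with no check at all, so their safety rests entirely on the WARN_ON() added to slow_avc_audit() in the next hunk being reached before the callbacks run; a one-line comment above `perms = secclass_map[sad->tclass-1].perms;` (and above the tclass= line in the post callback) saying that tclass was validated by the caller would make that precondition visible. In slow_avc_audit() itself WARN_ON_ONCE() would be enough: an out-of-range tclass is a kernel bug that recurs on every call with the same arguments, and a per-call WARN_ON() floods the log with identical backtraces.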
@@ -748,6 +746,9 @@ noinline int slow_avc_audit(struct selinux_state *state, struct common_audit_data stack_data; struct selinux_audit_data sad; + if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map))) + return -EINVAL; + if (!a) { a = &stack_data; a->type = LSM_AUDIT_DATA_NONE;

From patchwork Fri Jan 25 10:06:50 2019
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 10780935
From: Ondrej Mosnacek
To: selinux@vger.kernel.org, Paul Moore
Cc: Stephen Smalley, linux-audit@redhat.com, Ondrej Mosnacek
Subject: [PATCH v3 3/4] selinux: remove some useless BUG_ONs
Date: Fri, 25 Jan 2019 11:06:50 +0100
Message-Id: <20190125100651.21753-4-omosnace@redhat.com>
In-Reply-To: <20190125100651.21753-1-omosnace@redhat.com>
References: <20190125100651.21753-1-omosnace@redhat.com>
X-Mailing-List: selinux@vger.kernel.org

These BUG_ONs do not really protect from any catastrophic situation so there is no need to have them there.

Signed-off-by: Ondrej Mosnacek
---
 security/selinux/avc.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 5ebad47391c9..478fa4213c25 100644
--- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -1044,7 +1044,6 @@ int avc_has_extended_perms(struct selinux_state *state, int rc = 0, rc2; xp_node = &local_xp_node; - BUG_ON(!requested); rcu_read_lock(); 
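Review bot: removing BUG_ON(!requested) here (and the same check in avc_has_perm_noaudit() in the next hunk) means a caller that passes an empty access vector now gets no diagnostic at all; the commit message only says the checks protect from nothing catastrophic, not what a requested == 0 call does once they are gone. For consistency with patch 2 of this series, WARN_ON_ONCE(!requested) would keep surfacing that caller bug without the crash, and the commit message should state the resulting behaviour either way.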
@@ -1134,8 +1133,6 @@ inline int avc_has_perm_noaudit(struct selinux_state *state, int rc = 0; u32 denied; - BUG_ON(!requested); - rcu_read_lock(); node = avc_lookup(state->avc, ssid, tsid, tclass);

From patchwork Fri Jan 25 10:06:51 2019
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 10780937
From: Ondrej Mosnacek
To: selinux@vger.kernel.org, Paul Moore
Cc: Stephen Smalley, linux-audit@redhat.com, Ondrej Mosnacek, Daniel Walsh
Subject: [PATCH v3 4/4] selinux: log invalid contexts in AVCs
Date: Fri, 25 Jan 2019 11:06:51 +0100
Message-Id: <20190125100651.21753-5-omosnace@redhat.com>
In-Reply-To: <20190125100651.21753-1-omosnace@redhat.com>
References: <20190125100651.21753-1-omosnace@redhat.com>
X-Mailing-List: selinux@vger.kernel.org

In case a file has an invalid context set, in an AVC record generated upon access to such a file, the target context is always reported as unlabeled. This patch adds new optional fields to the AVC record (srawcon and trawcon) that report the actual context string if it differs from the one reported in scontext/tcontext. This is useful for diagnosing SELinux denials involving invalid contexts.

To trigger an AVC that illustrates this situation:

    # setenforce 0
    # touch /tmp/testfile
    # setfattr -n security.selinux -v system_u:object_r:banana_t:s0 /tmp/testfile
    # runcon system_u:system_r:sshd_t:s0 cat /tmp/testfile

AVC before:

type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1

AVC after:

type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 trawcon=system_u:object_r:banana_t:s0

Note that it is also possible to encounter this situation with the 'scontext' field - e.g. when a new policy is loaded while a process is running, whose context is not valid in the new policy.
Cc: Daniel Walsh Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683 Signed-off-by: Ondrej Mosnacek Reviewed-by: Stephen Smalley --- security/selinux/avc.c | 15 ++++++++++++ security/selinux/include/security.h | 3 +++ security/selinux/ss/services.c | 37 +++++++++++++++++++++++++---- 3 files changed, 50 insertions(+), 5 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 478fa4213c25..047de65589bd 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -734,6 +734,21 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) if (sad->denied) audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1); + + /* in case of invalid context report also the actual context string */ + rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, + &scontext_len); + if (!rc && scontext) { + audit_log_format(ab, " srawcon=%s", scontext); + kfree(scontext); + } + + rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext, + &scontext_len); + if (!rc && scontext) { + audit_log_format(ab, " trawcon=%s", scontext); + kfree(scontext); + } } /* This is the slow part of avc audit with big stack footprint */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ba8eedf42b90..f68fb25b5702 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -255,6 +255,9 @@ int security_sid_to_context(struct selinux_state *state, u32 sid, int security_sid_to_context_force(struct selinux_state *state, u32 sid, char **scontext, u32 *scontext_len); +int security_sid_to_context_inval(struct selinux_state *state, + u32 sid, char **scontext, u32 *scontext_len); + int security_context_to_sid(struct selinux_state *state, const char *scontext, u32 scontext_len, u32 *out_sid, gfp_t gfp); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index dd44126c8d14..9be05c3e99dc 100644 --- a/security/selinux/ss/services.c 
+++ b/security/selinux/ss/services.c @@ -1281,7 +1281,8 @@ const char *security_get_initial_sid_context(u32 sid) static int security_sid_to_context_core(struct selinux_state *state, u32 sid, char **scontext, - u32 *scontext_len, int force) + u32 *scontext_len, int force, + int only_invalid) { struct policydb *policydb; struct sidtab *sidtab; @@ -1326,8 +1327,14 @@ static int security_sid_to_context_core(struct selinux_state *state, rc = -EINVAL; goto out_unlock; } - rc = context_struct_to_string(policydb, context, scontext, - scontext_len); + if (only_invalid && !context->len) { + scontext = NULL; + scontext_len = 0; + rc = 0; + } else { + rc = context_struct_to_string(policydb, context, scontext, + scontext_len); + } out_unlock: read_unlock(&state->ss->policy_rwlock); out: @@ -1349,14 +1356,34 @@ int security_sid_to_context(struct selinux_state *state, u32 sid, char **scontext, u32 *scontext_len) { return security_sid_to_context_core(state, sid, scontext, - scontext_len, 0); + scontext_len, 0, 0); } int security_sid_to_context_force(struct selinux_state *state, u32 sid, char **scontext, u32 *scontext_len) { return security_sid_to_context_core(state, sid, scontext, - scontext_len, 1); + scontext_len, 1, 0); +} + +/** + * security_sid_to_context_inval - Obtain a context for a given SID if it + * is invalid. + * @sid: security identifier, SID + * @scontext: security context + * @scontext_len: length in bytes + * + * Write the string representation of the context associated with @sid + * into a dynamically allocated string of the correct size, but only if the + * context is invalid in the current policy. Set @scontext to point to + * this string (or NULL if the context is valid) and set @scontext_len to + * the length of the string (or 0 if the context is valid). + */ +int security_sid_to_context_inval(struct selinux_state *state, u32 sid, + char **scontext, u32 *scontext_len) +{ + return security_sid_to_context_core(state, sid, scontext, + scontext_len, 1, 1); } /*
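Review bot: in avc_audit_post_callback() the `if (!rc && scontext)` tests after the two security_sid_to_context_inval() calls rely on the callee writing NULL through `*scontext` whenever the context is valid, because at that point `scontext` still holds the pointer that was kfree()d right after the tcontext lookup earlier in the same function; if that guarantee is ever not met, the freed buffer is logged as trawcon and freed a second time. Setting `scontext = NULL;` before each call in the caller, or a comment stating the callee contract, would make the code robust against that. Separately, both new calls repeat the sidtab lookup and policy read lock that the scontext/tcontext lookups a few lines above already performed for the same ssid/tsid, in the path the surrounding comment calls the slow part of avc audit; returning both strings from one lookup per SID would avoid doubling that work on every audited access.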
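Review bot: in the only_invalid branch of security_sid_to_context_core(), `scontext = NULL;` and `scontext_len = 0;` assign to the local parameter variables (`char **scontext`, `u32 *scontext_len`), not through them, so the caller's variables are left untouched, while the kerneldoc for security_sid_to_context_inval() promises that @scontext is set to NULL and @scontext_len to 0 for a valid context. Either write `*scontext = NULL; *scontext_len = 0;` here, or drop the two assignments if the function already clears its out-parameters on entry, and say which in the code. The kerneldoc block also lacks a line for @state.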
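The srawcon/trawcon fields described in the commit message, seen from the log consumer's side, as an added example that is not part of this patch series or of any kernel or audit userspace code: the parser below splits an AVC record into its fields and flags records whose srawcon/trawcon carries a label the loaded policy could not resolve, which is the diagnosis the patch is meant to enable. The two "before"/"after" records are copied from the commit message above; the third AVC (a process whose label a newly loaded policy rejects) and the SYSCALL line are constructed for the example, and the key=value splitting is a simple regular expression written here, not the audit library's parser.

```python
"""Pick invalid SELinux labels out of AVC audit records.

Added example, not part of the patch series or of the kernel: it shows how
a log consumer would use the srawcon=/trawcon= fields the patch introduces.
"""
import re
from typing import Dict, List, Optional, Tuple

# "avc:  denied  { open }" -- the decision and the permission set.
_DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}")
# key=value tokens after the permission set: values are "quoted" or whitespace-free.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Records 1 and 2 are the before/after AVCs from the commit message; record 3
# (srawcon) and the SYSCALL line are constructed for this example.
SAMPLE_LOG = [
    'type=AVC msg=audit(1547801083.248:11): avc:  denied  { open } for '
    'pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 '
    'scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1',
    'type=AVC msg=audit(1547801083.248:11): avc:  denied  { open } for '
    'pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 '
    'scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 '
    'trawcon=system_u:object_r:banana_t:s0',
    # constructed: a running process whose label the reloaded policy does not know
    'type=AVC msg=audit(1547801200.000:12): avc:  granted  { read write } for '
    'pid=2042 comm="logger" path="/var/log/app.log" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:unlabeled_t:s0 tcontext=system_u:object_r:var_log_t:s0 '
    'tclass=file srawcon=system_u:system_r:old_daemon_t:s0',
    # constructed: not an AVC record, the parser must skip it
    'type=SYSCALL msg=audit(1547801083.248:11): arch=c000003e syscall=257 success=yes',
]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC record, or None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = _DECISION_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {"decision": m.group(1), "perms": m.group(2).split()}
    # Only the text after the permission set carries key=value fields; this
    # keeps msg=audit(...) out of the field table.
    for key, quoted, bare in _FIELD_RE.findall(line[m.end():]):
        rec[key] = quoted if bare == "" else bare
    return rec


def invalid_labels(rec: Dict[str, object]) -> List[Tuple[str, str, str]]:
    """(field, label the policy reported, raw label actually set) for each bad label.

    The kernel only emits srawcon/trawcon when the raw label differs from the
    one it reported in scontext/tcontext, so the field's presence is the signal.
    """
    found = []
    for field, raw in (("scontext", "srawcon"), ("tcontext", "trawcon")):
        if raw in rec:
            found.append((field, str(rec.get(field, "")), str(rec[raw])))
    return found


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the parser over a log and report every record carrying an invalid label."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for field, reported, actual in invalid_labels(rec):
            findings.append({
                "decision": rec["decision"],
                "perms": rec["perms"],
                "tclass": rec.get("tclass"),
                "comm": rec.get("comm"),
                "field": field,
                "reported": reported,
                "actual": actual,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['decision']} {{ {' '.join(f['perms'])} }} comm={f['comm']} "
              f"{f['field']}={f['reported']} but raw label is {f['actual']}")
```

Against the sample log the "before" record produces no finding at all, which is exactly the diagnostic gap the patch closes: without trawcon the record is indistinguishable from a genuinely unlabeled file. The "after" record and the constructed srawcon record each yield one finding naming the rejected label, so a rule that alerts on any srawcon/trawcon field is a cheap way to catch mislabeled files and stale process labels after a policy reload.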