Commit 7c0f8963 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'selinux-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:
 "Like the audit pull request this is a little early due to some
  upcoming vacation plans and uncertain network access while I'm away.
  Also like the audit PR, the list of patches here is pretty minor, the
  highlights include:

   - Explicitly use __le variables to make sure "sparse" can verify
     proper byte endian handling.

   - Remove some BUG_ON()s that are no longer needed.

   - Allow zero-byte writes to the "keycreate" procfs attribute without
     requiring key:create to make it easier for userspace to reset the
     keycreate label.

   - Consistently log the "invalid_context" field as an untrusted string
     in the AUDIT_SELINUX_ERR audit records"

* tag 'selinux-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: format all invalid context as untrusted
  selinux: fix empty write to keycreate file
  selinux: remove some no-op BUG_ONs
  selinux: provide __le variables explicitly
parents 61fc5771 ea74a685
...@@ -6351,11 +6351,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) ...@@ -6351,11 +6351,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
} else if (!strcmp(name, "fscreate")) { } else if (!strcmp(name, "fscreate")) {
tsec->create_sid = sid; tsec->create_sid = sid;
} else if (!strcmp(name, "keycreate")) { } else if (!strcmp(name, "keycreate")) {
error = avc_has_perm(&selinux_state, if (sid) {
mysid, sid, SECCLASS_KEY, KEY__CREATE, error = avc_has_perm(&selinux_state, mysid, sid,
NULL); SECCLASS_KEY, KEY__CREATE, NULL);
if (error) if (error)
goto abort_change; goto abort_change;
}
tsec->keycreate_sid = sid; tsec->keycreate_sid = sid;
} else if (!strcmp(name, "sockcreate")) { } else if (!strcmp(name, "sockcreate")) {
tsec->sockcreate_sid = sid; tsec->sockcreate_sid = sid;
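Review bot: The new `if (sid)` guard in the keycreate branch skips the key:create permission check without a comment explaining why, which is easy to misread in an access-control path. Going by the commit description, a zero SID here corresponds to a zero-byte write that resets the keycreate label, so I would add `/* sid == 0 resets the keycreate label; no key:create check is needed for a reset */` above the guard. selinux_setprocattr begins and ends outside the hunk, so how `sid` is derived from the written value is not visible here and should be confirmed against the full function.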
......
...@@ -347,7 +347,9 @@ int ebitmap_read(struct ebitmap *e, void *fp) ...@@ -347,7 +347,9 @@ int ebitmap_read(struct ebitmap *e, void *fp)
{ {
struct ebitmap_node *n = NULL; struct ebitmap_node *n = NULL;
u32 mapunit, count, startbit, index; u32 mapunit, count, startbit, index;
__le32 ebitmap_start;
u64 map; u64 map;
__le64 mapbits;
__le32 buf[3]; __le32 buf[3];
int rc, i; int rc, i;
...@@ -381,12 +383,12 @@ int ebitmap_read(struct ebitmap *e, void *fp) ...@@ -381,12 +383,12 @@ int ebitmap_read(struct ebitmap *e, void *fp)
goto bad; goto bad;
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
rc = next_entry(&startbit, fp, sizeof(u32)); rc = next_entry(&ebitmap_start, fp, sizeof(u32));
if (rc < 0) { if (rc < 0) {
pr_err("SELinux: ebitmap: truncated map\n"); pr_err("SELinux: ebitmap: truncated map\n");
goto bad; goto bad;
} }
startbit = le32_to_cpu(startbit); startbit = le32_to_cpu(ebitmap_start);
if (startbit & (mapunit - 1)) { if (startbit & (mapunit - 1)) {
pr_err("SELinux: ebitmap start bit (%d) is " pr_err("SELinux: ebitmap start bit (%d) is "
...@@ -423,12 +425,12 @@ int ebitmap_read(struct ebitmap *e, void *fp) ...@@ -423,12 +425,12 @@ int ebitmap_read(struct ebitmap *e, void *fp)
goto bad; goto bad;
} }
rc = next_entry(&map, fp, sizeof(u64)); rc = next_entry(&mapbits, fp, sizeof(u64));
if (rc < 0) { if (rc < 0) {
pr_err("SELinux: ebitmap: truncated map\n"); pr_err("SELinux: ebitmap: truncated map\n");
goto bad; goto bad;
} }
map = le64_to_cpu(map); map = le64_to_cpu(mapbits);
index = (startbit - n->startbit) / EBITMAP_UNIT_SIZE; index = (startbit - n->startbit) / EBITMAP_UNIT_SIZE;
while (map) { while (map) {
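Review bot: The two reads into the new little-endian temporaries still take their length from `sizeof(u32)` and `sizeof(u64)` rather than from the destination object. Writing `rc = next_entry(&ebitmap_start, fp, sizeof(ebitmap_start));` and `rc = next_entry(&mapbits, fp, sizeof(mapbits));` ties the copy length to the buffer being filled, so a later type change cannot silently become an over- or under-sized read while parsing policy data. This is a style point only, since the sizes are equal today. ebitmap_read continues outside the hunks shown.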
......
...@@ -649,9 +649,7 @@ static void context_struct_compute_av(struct policydb *policydb, ...@@ -649,9 +649,7 @@ static void context_struct_compute_av(struct policydb *policydb,
avkey.target_class = tclass; avkey.target_class = tclass;
avkey.specified = AVTAB_AV | AVTAB_XPERMS; avkey.specified = AVTAB_AV | AVTAB_XPERMS;
sattr = &policydb->type_attr_map_array[scontext->type - 1]; sattr = &policydb->type_attr_map_array[scontext->type - 1];
BUG_ON(!sattr);
tattr = &policydb->type_attr_map_array[tcontext->type - 1]; tattr = &policydb->type_attr_map_array[tcontext->type - 1];
BUG_ON(!tattr);
ebitmap_for_each_positive_bit(sattr, snode, i) { ebitmap_for_each_positive_bit(sattr, snode, i) {
ebitmap_for_each_positive_bit(tattr, tnode, j) { ebitmap_for_each_positive_bit(tattr, tnode, j) {
avkey.source_type = i + 1; avkey.source_type = i + 1;
...@@ -1057,9 +1055,7 @@ void security_compute_xperms_decision(struct selinux_state *state, ...@@ -1057,9 +1055,7 @@ void security_compute_xperms_decision(struct selinux_state *state,
avkey.target_class = tclass; avkey.target_class = tclass;
avkey.specified = AVTAB_XPERMS; avkey.specified = AVTAB_XPERMS;
sattr = &policydb->type_attr_map_array[scontext->type - 1]; sattr = &policydb->type_attr_map_array[scontext->type - 1];
BUG_ON(!sattr);
tattr = &policydb->type_attr_map_array[tcontext->type - 1]; tattr = &policydb->type_attr_map_array[tcontext->type - 1];
BUG_ON(!tattr);
ebitmap_for_each_positive_bit(sattr, snode, i) { ebitmap_for_each_positive_bit(sattr, snode, i) {
ebitmap_for_each_positive_bit(tattr, tnode, j) { ebitmap_for_each_positive_bit(tattr, tnode, j) {
avkey.source_type = i + 1; avkey.source_type = i + 1;
...@@ -1586,6 +1582,7 @@ static int compute_sid_handle_invalid_context( ...@@ -1586,6 +1582,7 @@ static int compute_sid_handle_invalid_context(
struct policydb *policydb = &state->ss->policydb; struct policydb *policydb = &state->ss->policydb;
char *s = NULL, *t = NULL, *n = NULL; char *s = NULL, *t = NULL, *n = NULL;
u32 slen, tlen, nlen; u32 slen, tlen, nlen;
struct audit_buffer *ab;
if (context_struct_to_string(policydb, scontext, &s, &slen)) if (context_struct_to_string(policydb, scontext, &s, &slen))
goto out; goto out;
...@@ -1593,12 +1590,14 @@ static int compute_sid_handle_invalid_context( ...@@ -1593,12 +1590,14 @@ static int compute_sid_handle_invalid_context(
goto out; goto out;
if (context_struct_to_string(policydb, newcontext, &n, &nlen)) if (context_struct_to_string(policydb, newcontext, &n, &nlen))
goto out; goto out;
audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);
"op=security_compute_sid invalid_context=%s" audit_log_format(ab,
" scontext=%s" "op=security_compute_sid invalid_context=");
" tcontext=%s" /* no need to record the NUL with untrusted strings */
" tclass=%s", audit_log_n_untrustedstring(ab, n, nlen - 1);
n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s",
s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
audit_log_end(ab);
out: out:
kfree(s); kfree(s);
kfree(t); kfree(t);
...@@ -3005,10 +3004,16 @@ int security_sid_mls_copy(struct selinux_state *state, ...@@ -3005,10 +3004,16 @@ int security_sid_mls_copy(struct selinux_state *state,
if (rc) { if (rc) {
if (!context_struct_to_string(policydb, &newcon, &s, if (!context_struct_to_string(policydb, &newcon, &s,
&len)) { &len)) {
audit_log(audit_context(), struct audit_buffer *ab;
GFP_ATOMIC, AUDIT_SELINUX_ERR,
"op=security_sid_mls_copy " ab = audit_log_start(audit_context(),
"invalid_context=%s", s); GFP_ATOMIC,
AUDIT_SELINUX_ERR);
audit_log_format(ab,
"op=security_sid_mls_copy invalid_context=");
/* don't record NUL with untrusted strings */
audit_log_n_untrustedstring(ab, s, len - 1);
audit_log_end(ab);
kfree(s); kfree(s);
} }
goto out_unlock; goto out_unlock;
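Review bot: Both new `audit_log_n_untrustedstring()` calls pass a length minus one (`nlen - 1` in compute_sid_handle_invalid_context, `len - 1` in security_sid_mls_copy), which is only safe if context_struct_to_string() always reports a length of at least 1 that counts the trailing NUL. `nlen` is declared `u32` in the hunk and `len` is presumably unsigned too, so a reported length of 0 would wrap to a very large byte count handed to the audit code. That invariant is not visible in these hunks, so I would state it in the existing comment, e.g. `/* length from context_struct_to_string() counts the NUL, so it is >= 1 */`, or guard the logging with `if (nlen)` / `if (len)`. Both functions begin and end outside the hunks shown.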
......