1. 16 Jan, 2019 2 commits
  2. 11 Jan, 2019 5 commits
    • selinux: do not override context on context mounts · 53e0c2aa
      Ondrej Mosnacek authored
      Ignore all selinux_inode_notifysecctx() calls on mounts with SBLABEL_MNT
      flag unset. This is achieved by returning -EOPNOTSUPP for this case in
      selinux_inode_setsecurity() (because that function should not be called
      in such case anyway) and translating this error to 0 in
      selinux_inode_notifysecctx().
      
      This fixes behavior of kernfs-based filesystems when mounted with the
      'context=' option. Before this patch, if a node's context had been
      explicitly set to a non-default value and later the filesystem has been
      remounted with the 'context=' option, then this node would show up as
      having the manually-set context and not the mount-specified one.
      
      Steps to reproduce:
          # mount -t cgroup2 cgroup2 /sys/fs/cgroup/unified
          # chcon unconfined_u:object_r:user_home_t:s0 /sys/fs/cgroup/unified/cgroup.stat
          # ls -lZ /sys/fs/cgroup/unified
          total 0
          -r--r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.controllers
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.max.depth
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.max.descendants
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.procs
          -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.subtree_control
          -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0        0 Dec 13 10:41 cgroup.threads
          # umount /sys/fs/cgroup/unified
          # mount -o context=system_u:object_r:tmpfs_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
      
      Result before:
          # ls -lZ /sys/fs/cgroup/unified
          total 0
          -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.controllers
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.max.depth
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.max.descendants
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.procs
          -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.subtree_control
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.threads
      
      Result after:
          # ls -lZ /sys/fs/cgroup/unified
          total 0
          -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
          -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.stat
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
          -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
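
The reproduction in the commit message above compares each entry's label with the mount's `context=` value. The same comparison as a reusable check follows; it is an added example, not part of the commit or the kernel tree. The function names are hypothetical, the sample lines are copied from the "Result before" listing, and the quoting of comma-containing values is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Extract the context= value from a mount options string (field 4 of a
# /proc/mounts line). fscontext=/defcontext=/rootcontext= must not match,
# and a value containing commas is assumed to be double-quoted.
mount_context() {
    printf '%s\n' "$1" | awk '{
        s = "," $0                      # every option now starts with ","
        if (match(s, /,context="[^"]*"/)) {
            v = substr(s, RSTART + 10, RLENGTH - 11)
        } else if (match(s, /,context=[^,]*/)) {
            v = substr(s, RSTART + 9, RLENGTH - 9)
        } else {
            exit 1                      # not a context mount
        }
        print v
    }'
}

# Read `ls -lZ` output on stdin and print "name label" for every entry whose
# label differs from $1. Returns 1 if any entry differs, 0 otherwise.
# Limitation: names containing whitespace are not handled.
check_context_mount() {
    awk -v want="$1" '
        NF == 0 || $1 == "total" { next }     # skip header and blank lines
        $5 != want { print $NF, $5; bad = 1 } # field 5 of ls -lZ is the label
        END { exit (bad ? 1 : 0) }
    '
}

# Three lines copied from the "Result before" listing in the commit message.
sample_before() {
    cat <<'EOF'
total 0
-r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.controllers
-r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0         0 Dec 13 10:41 cgroup.threads
EOF
}
```

Piping `sample_before` into `check_context_mount system_u:object_r:tmpfs_t:s0` reports `cgroup.stat` with its stale `user_home_t` label and returns 1, which is the pre-patch behaviour the commit describes.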
    • selinux: never allow relabeling on context mounts · a83d6dda
      Ondrej Mosnacek authored
      In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling
      files/directories, so we should never set the SBLABEL_MNT flag. The
      'special handling' in selinux_is_sblabel_mnt() is only intended for when
      the behavior is set to SECURITY_FS_USE_GENFS.
      
      While there, make the logic in selinux_is_sblabel_mnt() more explicit
      and add a BUILD_BUG_ON() to make sure that introducing a new
      SECURITY_FS_USE_* forces a review of the logic.
      
      Fixes: d5f3a5f6 ("selinux: add security in-core xattr support for pstore and debugfs")
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
    • selinux: stop passing MAY_NOT_BLOCK to the AVC upon follow_link · e46e01ee
      Stephen Smalley authored
      commit bda0be7a ("security: make inode_follow_link RCU-walk aware")
      switched selinux_inode_follow_link() to use avc_has_perm_flags() and
      pass down the MAY_NOT_BLOCK flag if called during RCU walk.  However,
      the only test of MAY_NOT_BLOCK occurs during slow_avc_audit()
      and only if passing an inode as audit data (LSM_AUDIT_DATA_INODE).  Since
      selinux_inode_follow_link() passes a dentry directly, passing MAY_NOT_BLOCK
      here serves no purpose.  Switch selinux_inode_follow_link() to use
      avc_has_perm() and drop avc_has_perm_flags() since there are no other
      users.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
    • selinux: avoid silent denials in permissive mode under RCU walk · 3a28cff3
      Stephen Smalley authored
      commit 0dc1ba24 ("SELINUX: Make selinux cache VFS RCU walks safe")
      results in no audit messages at all if in permissive mode because the
      cache is updated during the rcu walk and thus no denial occurs on
      the subsequent ref walk.  Fix this by not updating the cache when
      performing a non-blocking permission check.  This only affects search
      and symlink read checks during rcu walk.
      
      Fixes: 0dc1ba24 ("SELINUX: Make selinux cache VFS RCU walks safe")
      Reported-by: BMK <bmktuwien@gmail.com>
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
    • selinux: fix GPF on invalid policy · 5b0e7310
      Stephen Smalley authored
      levdatum->level can be NULL if we encounter an error while loading
      the policy during sens_read prior to initializing it.  Make sure
      sens_destroy handles that case correctly.
      
      Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
  3. 10 Jan, 2019 1 commit
  4. 08 Jan, 2019 32 commits