From: Casey Schaufler
Subject: Re: [PATCH v7 22/28] SELinux: Verify LSM display sanity in binder
To: Kees Cook
Cc: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov
Date: Thu, 8 Aug 2019 17:56:31 -0700
Message-ID: <3ab05d95-b60e-a915-ede5-68af9cf37b31@schaufler-ca.com>
In-Reply-To: <201908081454.FF7420D8D@keescook>
References: <20190807194410.9762-1-casey@schaufler-ca.com> <20190807194410.9762-23-casey@schaufler-ca.com> <201908081454.FF7420D8D@keescook>
X-Mailing-List: selinux@vger.kernel.org

On 8/8/2019 2:55 PM, Kees Cook wrote:
> On Wed, Aug 07, 2019 at 12:44:04PM -0700, Casey Schaufler wrote:
>> Verify that the tasks on the ends of a binder transaction
>> use LSM display values that don't cause SELinux contexts
>> to be interpreted by another LSM or another LSM's context
>> to be interpreted by SELinux. No judgement is made in cases
>> where SELinux contexts are not used in the binder
>> transaction.
>>
>> Signed-off-by: Casey Schaufler
>> ---
>> security/selinux/hooks.c | 34 ++++++++++++++++++++++++++++++++++
>> 1 file changed, 34 insertions(+)
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 352be16a887d..fcad2e3432d2 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -2009,6 +2009,28 @@ static inline u32 open_file_to_av(struct file *= file) >> return av; >> } >> =20 >> +/* >> + * Verify that if the "display" LSM is SELinux for either task >> + * that it is for both tasks. >> + */ >> +static inline bool compatible_task_displays(struct task_struct *here,= >> + struct task_struct *there) >> +{ >> + int h =3D lsm_task_display(here); >> + int t =3D lsm_task_display(there); >> + >> + if (h =3D=3D t) >> + return true; >> + >> + /* unspecified is only ok if SELinux isn't going to be involved */ >> + if (selinux_lsmid.slot =3D=3D 0) >> + return ((h =3D=3D 0 && t =3D=3D LSMBLOB_INVALID) || >> + (t =3D=3D 0 && h =3D=3D LSMBLOB_INVALID));
> What is "0" here? Doesn't that just mean the first LSM. I thought only -1
> had a special meaning (and had a #define name for it).

I try not to write obscure code, but I seem to have done so here.

The lsm in slot 0 (the first registered "display" lsm) will get used if the display value is LSMBLOB_INVALID. We've already checked to see if the display values are the same, and they're not. If selinux is in slot 0, one of the display values is 0 and the other is LSMBLOB_INVALID, the displays are compatible. Otherwise, they're not. If selinux is not in slot 0 and either of the displays slots is selinux's slot, it's not compatible.

Simple, no? I'll have a go at making the code more obvious or, failing that, better documented.

>
> -Kees
>
>> + >> /* it's ok only if neither display is SELinux */ >> + return (h !=3D selinux_lsmid.slot && t !=3D selinux_lsmid.slot); >> +} >> + >> /* Hook functions begin here. */ >> =20 >> static int selinux_binder_set_context_mgr(struct task_struct *mgr)
>> @@ -2016,6 +2038,9 @@ static int selinux_binder_set_context_mgr(struct= task_struct *mgr) >> u32 mysid =3D current_sid(); >> u32 mgrsid =3D task_sid(mgr); >> =20 >> + if (!compatible_task_displays(current, mgr)) >> + return -EINVAL; >> + >> return avc_has_perm(&selinux_state, >> mysid, mgrsid, SECCLASS_BINDER, >> BINDER__SET_CONTEXT_MGR, NULL); >> @@ -2029,6 +2054,9 @@ static int selinux_binder_transaction(struct tas= k_struct *from, >> u32 tosid =3D task_sid(to); >> int rc; >> =20 >> + if (!compatible_task_displays(from, to)) >> + return -EINVAL; >> + >> if (mysid !=3D fromsid) { >> rc =3D avc_has_perm(&selinux_state, >> mysid, fromsid, SECCLASS_BINDER, >> @@ -2048,6 +2076,9 @@ static int selinux_binder_transfer_binder(struct= task_struct *from, >> u32 fromsid =3D task_sid(from); >> u32 tosid =3D task_sid(to); >> =20 >> + if (!compatible_task_displays(from, to)) >> + return -EINVAL; >> + >> return avc_has_perm(&selinux_state, >> fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, >> NULL); >> @@ -2064,6 +2095,9 @@ static int selinux_binder_transfer_file(struct t= ask_struct *from, >> struct common_audit_data ad; >> int rc; >> =20 >> + if (!compatible_task_displays(from, to)) >> + return -EINVAL; >> + >> ad.type =3D LSM_AUDIT_DATA_PATH; >> ad.u.path =3D file->f_path; >> =20 >> --=20 >> 2.20.1 >>
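Review bot: in compatible_task_displays(), the comment "unspecified is only ok if SELinux isn't going to be involved" sits directly on the `selinux_lsmid.slot == 0` branch, which per the explanation in this thread is the one case where an unspecified display does resolve to SELinux, and the bare `0` compared against `h` and `t` reads as a sentinel rather than as the slot SELinux occupies. Writing those comparisons as `h == selinux_lsmid.slot` and rewording the comment to say that with SELinux in slot 0 an unset display also means SELinux would answer the question raised in review without changing behaviour.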
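Review bot: the early `return -EINVAL` added to selinux_binder_set_context_mgr(), and repeated in selinux_binder_transaction(), selinux_binder_transfer_binder() and selinux_binder_transfer_file(), fails the operation before avc_has_perm() is reached, and compatible_task_displays() logs nothing, so a transaction refused for a display mismatch cannot be told apart from any other -EINVAL. Consider a pr_warn_ratelimited() or an audit record at the point of refusal, plus a one-line comment at the first call site saying why a display mismatch is reported as -EINVAL rather than as a permission error.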
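The fallback rule described in the reply (an unset display resolves to the LSM in slot 0), checked exhaustively against the quoted helper. This is an added userspace example, not code from the patch or the kernel tree: `patch_check` transcribes the quoted hunk, while `effective_slot`, `resolved_check`, `count_disagreements` and the value -1 for `LSMBLOB_INVALID` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define LSMBLOB_INVALID (-1) /* assumed: the thread only says -1 is the special value */

/* Userspace copy of the quoted check; selinux_slot stands in for
 * selinux_lsmid.slot, h and t for the two lsm_task_display() results. */
static bool patch_check(int selinux_slot, int h, int t)
{
	if (h == t)
		return true;
	if (selinux_slot == 0)
		return (h == 0 && t == LSMBLOB_INVALID) ||
		       (t == 0 && h == LSMBLOB_INVALID);
	return h != selinux_slot && t != selinux_slot;
}

/* Per the reply: an unset display falls back to the LSM in slot 0. */
static int effective_slot(int display)
{
	return display == LSMBLOB_INVALID ? 0 : display;
}

/* Hypothetical restatement of the commit message: the pair is fine unless
 * exactly one side would interpret contexts as SELinux. */
static bool resolved_check(int selinux_slot, int h, int t)
{
	return (effective_slot(h) == selinux_slot) ==
	       (effective_slot(t) == selinux_slot);
}

/* Walk every (slot, h, t) for nslots display LSMs; return how many differ. */
static int count_disagreements(int nslots, bool verbose)
{
	int n = 0;
	for (int s = 0; s < nslots; s++)
		for (int h = LSMBLOB_INVALID; h < nslots; h++)
			for (int t = LSMBLOB_INVALID; t < nslots; t++) {
				if (patch_check(s, h, t) == resolved_check(s, h, t))
					continue;
				n++;
				if (verbose)
					printf("selinux slot %d: h=%d t=%d patch=%d\n", s, h, t, patch_check(s, h, t));
			}
	return n;
}

int main(void) { printf("%d differ\n", count_disagreements(3, true)); return 0; }
```

With three slots the only rows printed have SELinux in slot 0 and the two tasks displaying slots 1 and 2: the quoted helper refuses that pair although neither side would interpret SELinux contexts, which matches the "Otherwise, they're not" in the reply but not the "No judgement is made" wording of the commit message.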