* [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
@ 2014-08-04 17:36 Stephen Smalley
  2014-08-12 18:01 ` Andy Lutomirski
  0 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2014-08-04 17:36 UTC (permalink / raw)
  To: selinux; +Cc: Stephen Smalley, luto

If the callee SID is bounded by the caller SID, then allowing
the transition to occur poses no risk of privilege escalation and we can
therefore safely allow the transition to occur.  Add this exemption
for both the case where a transition was explicitly requested by the
application and the case where an automatic transition is defined in
policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/hooks.c | 59 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 47 insertions(+), 12 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 83d06db..d96c91a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2086,6 +2086,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 
 /* binprm security operations */
 
+static int check_nnp_nosuid(const struct linux_binprm *bprm,
+			    const struct task_security_struct *old_tsec,
+			    const struct task_security_struct *new_tsec)
+{
+	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
+	int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
+	int rc;
+
+	if (!nnp && !nosuid)
+		return 0; /* neither NNP nor nosuid */
+
+	if (new_tsec->sid == old_tsec->sid)
+		return 0; /* No change in credentials */
+
+	/*
+	 * The only transitions we permit under NNP or nosuid
+	 * are transitions to bounded SIDs, i.e. SIDs that are
+	 * guaranteed to only be allowed a subset of the permissions
+	 * of the current SID.
+	 */
+	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
+	if (rc) {
+		/*
+		 * On failure, preserve the errno values for NNP vs nosuid.
+		 * NNP:  Operation not permitted for caller.
+		 * nosuid:  Permission denied to file.
+		 */
+		if (nnp)
+			return -EPERM;
+		else
+			return -EACCES;
+	}
+	return 0;
+}
+
 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 {
 	const struct task_security_struct *old_tsec;
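Review bot: The comment in check_nnp_nosuid promises that a bounded SID is "guaranteed to only be allowed a subset of the permissions of the current SID", but the helper rests that guarantee entirely on the return value of security_bounded_transition(), whose definition is not part of this patch. If that function compares only the type component of the two contexts (worth confirming), a new SID that keeps the same or a bounded type while changing user, role or MLS range would pass this check under NNP or nosuid. I would state the assumption beside the call, e.g. `/* Relies on security_bounded_transition() bounding every context component that can grant permissions, not only the type. */`, or add the missing comparisons in that function. A one-line header comment saying that NNP takes precedence over nosuid for the errno when both are set would also help. The body of selinux_bprm_set_creds continues outside this hunk.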
@@ -2122,14 +2157,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 		/* Reset exec SID on execve. */
 		new_tsec->exec_sid = 0;
 
-		/*
-		 * Minimize confusion: if no_new_privs or nosuid and a
-		 * transition is explicitly requested, then fail the exec.
-		 */
-		if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
-			return -EPERM;
-		if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
-			return -EACCES;
+		/* Fail on NNP or nosuid if not an allowed transition. */
+		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
+		if (rc)
+			return rc;
 	} else {
 		/* Check for a default transition on this program. */
 		rc = security_transition_sid(old_tsec->sid, isec->sid,
@@ -2137,15 +2168,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 					     &new_tsec->sid);
 		if (rc)
 			return rc;
+
+		/*
+		 * Fallback to old SID on NNP or nosuid if not an allowed
+		 * transition.
+		 */
+		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
+		if (rc)
+			new_tsec->sid = old_tsec->sid;
 	}
 
 	ad.type = LSM_AUDIT_DATA_PATH;
 	ad.u.path = bprm->file->f_path;
 
-	if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
-	    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
-		new_tsec->sid = old_tsec->sid;
-
 	if (new_tsec->sid == old_tsec->sid) {
 		rc = avc_has_perm(old_tsec->sid, isec->sid,
 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
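Review bot: In the automatic-transition branch `rc` is left holding -EPERM or -EACCES after the code has deliberately decided not to fail the exec. In the visible path this is harmless only because the later `avc_has_perm()` call overwrites it; the rest of selinux_bprm_set_creds lies outside the hunk. Using the helper's result as a plain condition avoids carrying a stale error code: `if (check_nnp_nosuid(bprm, old_tsec, new_tsec))` followed by `new_tsec->sid = old_tsec->sid;`. The comment above it could also say that the errno is intentionally discarded here, unlike in the explicit-request branch, where it is returned to the caller.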
-- 
1.8.3.1


* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-04 17:36 [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID Stephen Smalley
@ 2014-08-12 18:01 ` Andy Lutomirski
  2014-08-12 18:06   ` Stephen Smalley
  0 siblings, 1 reply; 11+ messages in thread
From: Andy Lutomirski @ 2014-08-12 18:01 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux-NSA

On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> If the callee SID is bounded by the caller SID, then allowing
> the transition to occur poses no risk of privilege escalation and we can
> therefore safely allow the transition to occur.  Add this exemption
> for both the case where a transition was explicitly requested by the
> application and the case where an automatic transition is defined in
> policy.

This still wants something like security_bounded_transition_noaudit,
right?  (Or just a parameter about whether to audit -- there will only
be two callers, I think.)

--Andy

>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  security/selinux/hooks.c | 59 ++++++++++++++++++++++++++++++++++++++----------
>  1 file changed, 47 insertions(+), 12 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 83d06db..d96c91a 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2086,6 +2086,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
>
>  /* binprm security operations */
>
> +static int check_nnp_nosuid(const struct linux_binprm *bprm,
> +                           const struct task_security_struct *old_tsec,
> +                           const struct task_security_struct *new_tsec)
> +{
> +       int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
> +       int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
> +       int rc;
> +
> +       if (!nnp && !nosuid)
> +               return 0; /* neither NNP nor nosuid */
> +
> +       if (new_tsec->sid == old_tsec->sid)
> +               return 0; /* No change in credentials */
> +
> +       /*
> +        * The only transitions we permit under NNP or nosuid
> +        * are transitions to bounded SIDs, i.e. SIDs that are
> +        * guaranteed to only be allowed a subset of the permissions
> +        * of the current SID.
> +        */
> +       rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
> +       if (rc) {
> +               /*
> +                * On failure, preserve the errno values for NNP vs nosuid.
> +                * NNP:  Operation not permitted for caller.
> +                * nosuid:  Permission denied to file.
> +                */
> +               if (nnp)
> +                       return -EPERM;
> +               else
> +                       return -EACCES;
> +       }
> +       return 0;
> +}
> +
>  static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>  {
>         const struct task_security_struct *old_tsec;
> @@ -2122,14 +2157,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>                 /* Reset exec SID on execve. */
>                 new_tsec->exec_sid = 0;
>
> -               /*
> -                * Minimize confusion: if no_new_privs or nosuid and a
> -                * transition is explicitly requested, then fail the exec.
> -                */
> -               if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
> -                       return -EPERM;
> -               if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
> -                       return -EACCES;
> +               /* Fail on NNP or nosuid if not an allowed transition. */
> +               rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
> +               if (rc)
> +                       return rc;
>         } else {
>                 /* Check for a default transition on this program. */
>                 rc = security_transition_sid(old_tsec->sid, isec->sid,
> @@ -2137,15 +2168,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>                                              &new_tsec->sid);
>                 if (rc)
>                         return rc;
> +
> +               /*
> +                * Fallback to old SID on NNP or nosuid if not an allowed
> +                * transition.
> +                */
> +               rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
> +               if (rc)
> +                       new_tsec->sid = old_tsec->sid;
>         }
>
>         ad.type = LSM_AUDIT_DATA_PATH;
>         ad.u.path = bprm->file->f_path;
>
> -       if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
> -           (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
> -               new_tsec->sid = old_tsec->sid;
> -
>         if (new_tsec->sid == old_tsec->sid) {
>                 rc = avc_has_perm(old_tsec->sid, isec->sid,
>                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
> --
> 1.8.3.1
>



-- 
Andy Lutomirski
AMA Capital Management, LLC


* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-12 18:01 ` Andy Lutomirski
@ 2014-08-12 18:06   ` Stephen Smalley
  2014-08-12 18:56     ` Andy Lutomirski
  0 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2014-08-12 18:06 UTC (permalink / raw)
  To: Andy Lutomirski; +Cc: SELinux-NSA

On 08/12/2014 02:01 PM, Andy Lutomirski wrote:
> On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> If the callee SID is bounded by the caller SID, then allowing
>> the transition to occur poses no risk of privilege escalation and we can
>> therefore safely allow the transition to occur.  Add this exemption
>> for both the case where a transition was explicitly requested by the
>> application and the case where an automatic transition is defined in
>> policy.
> 
> This still wants something like security_bounded_transition_noaudit,
> right?  (Or just a parameter about whether to audit -- there will only
> be two callers, I think.)

I think generating an audit record is correct in this case; the
operation would have succeeded if the type were bounded, so it is
correct and helpful to report this to the audit log for diagnosing
failures.  I think Paul's prior objection was that you could end up with
an audit record even when the operation succeeded when we allowed the
transitions on either a bounded transition or dyntransition permission,
but that is no longer the case.

> 
> --Andy
> 
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>>  security/selinux/hooks.c | 59 ++++++++++++++++++++++++++++++++++++++----------
>>  1 file changed, 47 insertions(+), 12 deletions(-)
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 83d06db..d96c91a 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -2086,6 +2086,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
>>
>>  /* binprm security operations */
>>
>> +static int check_nnp_nosuid(const struct linux_binprm *bprm,
>> +                           const struct task_security_struct *old_tsec,
>> +                           const struct task_security_struct *new_tsec)
>> +{
>> +       int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
>> +       int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
>> +       int rc;
>> +
>> +       if (!nnp && !nosuid)
>> +               return 0; /* neither NNP nor nosuid */
>> +
>> +       if (new_tsec->sid == old_tsec->sid)
>> +               return 0; /* No change in credentials */
>> +
>> +       /*
>> +        * The only transitions we permit under NNP or nosuid
>> +        * are transitions to bounded SIDs, i.e. SIDs that are
>> +        * guaranteed to only be allowed a subset of the permissions
>> +        * of the current SID.
>> +        */
>> +       rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
>> +       if (rc) {
>> +               /*
>> +                * On failure, preserve the errno values for NNP vs nosuid.
>> +                * NNP:  Operation not permitted for caller.
>> +                * nosuid:  Permission denied to file.
>> +                */
>> +               if (nnp)
>> +                       return -EPERM;
>> +               else
>> +                       return -EACCES;
>> +       }
>> +       return 0;
>> +}
>> +
>>  static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>>  {
>>         const struct task_security_struct *old_tsec;
>> @@ -2122,14 +2157,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>>                 /* Reset exec SID on execve. */
>>                 new_tsec->exec_sid = 0;
>>
>> -               /*
>> -                * Minimize confusion: if no_new_privs or nosuid and a
>> -                * transition is explicitly requested, then fail the exec.
>> -                */
>> -               if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
>> -                       return -EPERM;
>> -               if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
>> -                       return -EACCES;
>> +               /* Fail on NNP or nosuid if not an allowed transition. */
>> +               rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
>> +               if (rc)
>> +                       return rc;
>>         } else {
>>                 /* Check for a default transition on this program. */
>>                 rc = security_transition_sid(old_tsec->sid, isec->sid,
>> @@ -2137,15 +2168,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>>                                              &new_tsec->sid);
>>                 if (rc)
>>                         return rc;
>> +
>> +               /*
>> +                * Fallback to old SID on NNP or nosuid if not an allowed
>> +                * transition.
>> +                */
>> +               rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
>> +               if (rc)
>> +                       new_tsec->sid = old_tsec->sid;
>>         }
>>
>>         ad.type = LSM_AUDIT_DATA_PATH;
>>         ad.u.path = bprm->file->f_path;
>>
>> -       if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
>> -           (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
>> -               new_tsec->sid = old_tsec->sid;
>> -
>>         if (new_tsec->sid == old_tsec->sid) {
>>                 rc = avc_has_perm(old_tsec->sid, isec->sid,
>>                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
>> --
>> 1.8.3.1
>>
> 
> 
> 


* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-12 18:06   ` Stephen Smalley
@ 2014-08-12 18:56     ` Andy Lutomirski
  2014-08-12 19:08       ` Paul Moore
  0 siblings, 1 reply; 11+ messages in thread
From: Andy Lutomirski @ 2014-08-12 18:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux-NSA

On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
>
> On 08/12/2014 02:01 PM, Andy Lutomirski wrote:
> > On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> If the callee SID is bounded by the caller SID, then allowing
> >> the transition to occur poses no risk of privilege escalation and we can
> >> therefore safely allow the transition to occur.  Add this exemption
> >> for both the case where a transition was explicitly requested by the
> >> application and the case where an automatic transition is defined in
> >> policy.
> >
> > This still wants something like security_bounded_transition_noaudit,
> > right?  (Or just a parameter about whether to audit -- there will only
> > be two callers, I think.)
>
> I think generating an audit record is correct in this case; the
> operation would have succeeded if the type were bounded, so it is
> correct and helpful to report this to the audit log for diagnosing
> failures.  I think Paul's prior objection was that you could end up with
> an audit record even when the operation succeeded when we allowed the
> transitions on either a bounded transition or dyntransition permission,
> but that is no longer the case.

Fair enough.

Does this have any chance of making 3.17?

--Andy


* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-12 18:56     ` Andy Lutomirski
@ 2014-08-12 19:08       ` Paul Moore
  2014-08-12 19:12         ` Andy Lutomirski
  2014-08-12 19:21         ` Stephen Smalley
  0 siblings, 2 replies; 11+ messages in thread
From: Paul Moore @ 2014-08-12 19:08 UTC (permalink / raw)
  To: Andy Lutomirski, Stephen Smalley; +Cc: SELinux-NSA

On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote:
> On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
> > On 08/12/2014 02:01 PM, Andy Lutomirski wrote:
> > > On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote:
> > >> If the callee SID is bounded by the caller SID, then allowing
> > >> the transition to occur poses no risk of privilege escalation and we
> > >> can therefore safely allow the transition to occur.  Add this exemption
> > >> for both the case where a transition was explicitly requested by the
> > >> application and the case where an automatic transition is defined in
> > >> policy.
> > > 
> > > This still wants something like security_bounded_transition_noaudit,
> > > right?  (Or just a parameter about whether to audit -- there will only
> > > be two callers, I think.)
> > 
> > I think generating an audit record is correct in this case; the
> > operation would have succeeded if the type were bounded, so it is
> > correct and helpful to report this to the audit log for diagnosing
> > failures.  I think Paul's prior objection was that you could end up with
> > an audit record even when the operation succeeded when we allowed the
> > transitions on either a bounded transition or dyntransition permission,
> > but that is no longer the case.
> 
> Fair enough.

Yes, the audit problem is no longer an issue and the comments look good to me.

> Does this have any chance of making 3.17?

No.  That ship has sailed.

However, I would still like to see some more Reviewed-by/Tested-by mails 
before we merge this for 3.18.  Andy, based on discussion on this thread and 
previous threads, I assume you're happy with this patch?

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-12 19:08       ` Paul Moore
@ 2014-08-12 19:12         ` Andy Lutomirski
  2014-08-12 19:21         ` Stephen Smalley
  1 sibling, 0 replies; 11+ messages in thread
From: Andy Lutomirski @ 2014-08-12 19:12 UTC (permalink / raw)
  To: Paul Moore; +Cc: Stephen Smalley, SELinux-NSA

On Tue, Aug 12, 2014 at 12:08 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote:
>> On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
>> > On 08/12/2014 02:01 PM, Andy Lutomirski wrote:
>> > > On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote:
>> > >> If the callee SID is bounded by the caller SID, then allowing
>> > >> the transition to occur poses no risk of privilege escalation and we
>> > >> can therefore safely allow the transition to occur.  Add this exemption
>> > >> for both the case where a transition was explicitly requested by the
>> > >> application and the case where an automatic transition is defined in
>> > >> policy.
>> > >
>> > > This still wants something like security_bounded_transition_noaudit,
>> > > right?  (Or just a parameter about whether to audit -- there will only
>> > > be two callers, I think.)
>> >
>> > I think generating an audit record is correct in this case; the
>> > operation would have succeeded if the type were bounded, so it is
>> > correct and helpful to report this to the audit log for diagnosing
>> > failures.  I think Paul's prior objection was that you could end up with
>> > an audit record even when the operation succeeded when we allowed the
>> > transitions on either a bounded transition or dyntransition permission,
>> > but that is no longer the case.
>>
>> Fair enough.
>
> Yes, the audit problem is no longer an issue and the comments look good to me.
>
>> Does this have any chance of making 3.17?
>
> No.  That ship has sailed.
>
> However, I would still like to see some more Reviewed-by/Tested-by mails
> before we merge this for 3.18.  Andy, based on discussion on this thread and
> previous threads, I assume you're happy with this patch?

Yes.

Reviewed-by: Andy Lutomirski <luto@amacapital.net>

Not actually tested-by because I don't have the slightest clue how to
write a bounded transition rule to test with.

--Andy

>
> --
> paul moore
> www.paul-moore.com
>



-- 
Andy Lutomirski
AMA Capital Management, LLC


* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-12 19:08       ` Paul Moore
  2014-08-12 19:12         ` Andy Lutomirski
@ 2014-08-12 19:21         ` Stephen Smalley
  2014-08-12 19:29           ` Andy Lutomirski
  2014-08-28 21:36           ` Paul Moore
  1 sibling, 2 replies; 11+ messages in thread
From: Stephen Smalley @ 2014-08-12 19:21 UTC (permalink / raw)
  To: Paul Moore, Andy Lutomirski; +Cc: SELinux-NSA

[-- Attachment #1: Type: text/plain, Size: 1978 bytes --]

On 08/12/2014 03:08 PM, Paul Moore wrote:
> On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote:
>> On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
>>> On 08/12/2014 02:01 PM, Andy Lutomirski wrote:
>>>> On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote:
>>>>> If the callee SID is bounded by the caller SID, then allowing
>>>>> the transition to occur poses no risk of privilege escalation and we
>>>>> can therefore safely allow the transition to occur.  Add this exemption
>>>>> for both the case where a transition was explicitly requested by the
>>>>> application and the case where an automatic transition is defined in
>>>>> policy.
>>>>
>>>> This still wants something like security_bounded_transition_noaudit,
>>>> right?  (Or just a parameter about whether to audit -- there will only
>>>> be two callers, I think.)
>>>
>>> I think generating an audit record is correct in this case; the
>>> operation would have succeeded if the type were bounded, so it is
>>> correct and helpful to report this to the audit log for diagnosing
>>> failures.  I think Paul's prior objection was that you could end up with
>>> an audit record even when the operation succeeded when we allowed the
>>> transitions on either a bounded transition or dyntransition permission,
>>> but that is no longer the case.
>>
>> Fair enough.
> 
> Yes, the audit problem is no longer an issue and the comments look good to me.
> 
>> Does this have any chance of making 3.17?
> 
> No.  That ship has sailed.
> 
> However, I would still like to see some more Reviewed-by/Tested-by mails 
> before we merge this for 3.18.  Andy, based on discussion on this thread and 
> previous threads, I assume you're happy with this patch?

Attached is the patch for the selinux-testsuite,
against git://git.selinuxproject.org/~serge/selinux-testsuite.
Once it goes into a kernel I can make the test kernel version-specific
and thus ensure it passes on old and new kernels.




[-- Attachment #2: 0001-Add-tests-for-bounded-transitions-under-NO_NEW_PRIVS.patch --]
[-- Type: text/x-patch, Size: 7215 bytes --]

>From b9df9e4ed35e036603143c4ead39c26a3af5787d Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 13 Jun 2014 12:40:16 -0400
Subject: [PATCH] Add tests for bounded transitions under NO_NEW_PRIVS.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/Makefile      |  2 +-
 policy/test_nnp.te   | 33 +++++++++++++++++++++++++++++++++
 tests/Makefile       |  2 +-
 tests/nnp/Makefile   |  7 +++++++
 tests/nnp/checkcon.c | 40 ++++++++++++++++++++++++++++++++++++++++
 tests/nnp/execnnp.c  | 25 +++++++++++++++++++++++++
 tests/nnp/test       | 42 ++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 149 insertions(+), 2 deletions(-)
 create mode 100644 policy/test_nnp.te
 create mode 100644 tests/nnp/Makefile
 create mode 100644 tests/nnp/checkcon.c
 create mode 100644 tests/nnp/execnnp.c
 create mode 100755 tests/nnp/test

diff --git a/policy/Makefile b/policy/Makefile
index a0a6c88..683f454 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -14,7 +14,7 @@ TARGETS = \
 	test_entrypoint.te test_execshare.te test_exectrace.te \
 	test_execute_no_trans.te test_fdreceive.te test_file.te \
 	test_inherit.te test_ioctl.te test_ipc.te test_link.te test_mkdir.te \
-	test_open.te test_ptrace.te test_readlink.te \
+	test_nnp.te test_open.te test_ptrace.te test_readlink.te \
 	test_relabel.te test_rename.te test_rxdir.te test_setattr.te \
 	test_setnice.te test_sigkill.te test_stat.te test_sysctl.te \
 	test_task_create.te test_task_getpgid.te test_task_getsched.te \
diff --git a/policy/test_nnp.te b/policy/test_nnp.te
new file mode 100644
index 0000000..55eccd8
--- /dev/null
+++ b/policy/test_nnp.te
@@ -0,0 +1,33 @@
+#################################
+#
+# Policy for testing NO_NEW_PRIVS transitions.
+#
+
+# A domain bounded by the unconfined domain.
+type test_nnp_bounded_t;
+domain_type(test_nnp_bounded_t)
+typeattribute test_nnp_bounded_t testdomain;
+typebounds unconfined_t test_nnp_bounded_t;
+
+# The entrypoint type for this domain.
+type test_nnp_bounded_exec_t;
+files_type(test_nnp_bounded_exec_t)
+domain_entry_file(test_nnp_bounded_t, test_nnp_bounded_exec_t)
+
+# Run it!  This should succeed on patched kernels, fail on old ones.
+unconfined_runs_test(test_nnp_bounded_t)
+unconfined_run_to(test_nnp_bounded_t, test_nnp_bounded_exec_t)
+
+# A domain that is not bounded by the calling domain.
+type test_nnp_notbounded_t;
+domain_type(test_nnp_notbounded_t)
+typeattribute test_nnp_notbounded_t testdomain;
+
+# The entrypoint type for this domain.
+type test_nnp_notbounded_exec_t;
+files_type(test_nnp_notbounded_exec_t)
+domain_entry_file(test_nnp_notbounded_t, test_nnp_notbounded_exec_t)
+
+# Run it!  This should fail always.
+unconfined_runs_test(test_nnp_notbounded_t)
+unconfined_run_to(test_nnp_notbounded_t, test_nnp_notbounded_exec_t)
diff --git a/tests/Makefile b/tests/Makefile
index 5886403..4cfecdf 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,6 +1,6 @@
 REDHAT_RELEASE=$(shell rpm -q redhat-release)
 
-SUBDIRS=domain_trans entrypoint execshare exectrace execute_no_trans fdreceive inherit link mkdir msg open ptrace readlink relabel rename rxdir sem setattr setnice shm sigkill stat sysctl task_create task_setnice task_setscheduler task_getscheduler task_getsid task_getpgid task_setpgid wait file ioctl capable_file capable_net capable_sys dyntrans dyntrace bounds
+SUBDIRS=domain_trans entrypoint execshare exectrace execute_no_trans fdreceive inherit link mkdir msg nnp open ptrace readlink relabel rename rxdir sem setattr setnice shm sigkill stat sysctl task_create task_setnice task_setscheduler task_getscheduler task_getsid task_getpgid task_setpgid wait file ioctl capable_file capable_net capable_sys dyntrans dyntrace bounds
 #SUBDIRS=socket unix_socket unix_secure
 
 ifeq (redhat-release-4, $(findstring redhat-release-4, $(REDHAT_RELEASE)))
diff --git a/tests/nnp/Makefile b/tests/nnp/Makefile
new file mode 100644
index 0000000..4e8e400
--- /dev/null
+++ b/tests/nnp/Makefile
@@ -0,0 +1,7 @@
+TARGETS=execnnp checkcon
+
+LDLIBS += -lselinux
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)
diff --git a/tests/nnp/checkcon.c b/tests/nnp/checkcon.c
new file mode 100644
index 0000000..1967506
--- /dev/null
+++ b/tests/nnp/checkcon.c
@@ -0,0 +1,40 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+
+int main(int argc, char **argv)
+{
+    char *con = NULL;
+    context_t c;
+    const char *type;
+    int rc;
+
+    if (argc != 2) {
+        fprintf(stderr, "usage:  %s expected-type\n", argv[0]);
+        exit(-1);
+    }
+
+    if (getcon(&con) < 0) {
+        perror("getcon");
+        exit(-1);
+    }
+
+    c = context_new(con);
+    if (!c) {
+        perror("context_new");
+        exit(-1);
+    }
+
+    type = context_type_get(c);
+    if (!type) {
+        perror("context_type_get");
+        exit(-1);
+
+    }
+
+    rc = strcmp(type, argv[1]);
+    exit(rc);
+}
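Review bot: `exit(rc)` passes the raw strcmp() result as the exit status, but only the low 8 bits reach the parent and the C standard guarantees nothing about a non-zero strcmp() result beyond its sign, so a mismatch could in principle be reported as status 0 and the harness would count a wrong domain as a pass. Normalise it with `exit(rc != 0);`. The `exit(-1)` calls are seen by the shell as 255; a small fixed value such as `exit(2);` for setup errors would keep them clearly distinct from a type mismatch. `con` and `c` are never released with freecon()/context_free(), which is tolerable in a one-shot test program but deserves a comment saying so.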
diff --git a/tests/nnp/execnnp.c b/tests/nnp/execnnp.c
new file mode 100644
index 0000000..9de5967
--- /dev/null
+++ b/tests/nnp/execnnp.c
@@ -0,0 +1,25 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+
+int main(int argc, char **argv)
+{
+    int rc;
+
+    if (argc < 2) {
+	fprintf(stderr, "usage:  %s command [args...]\n", argv[0]);
+	exit(-1);
+    }
+
+    rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+    if (rc < 0) {
+        perror("prctl PR_SET_NO_NEW_PRIVS");
+        exit(-1);
+    }
+
+    execvp(argv[1], &argv[1]);
+    perror(argv[1]);
+    exit(1);
+}
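Review bot: The usage error and a failed prctl() both `exit(-1)`, while a failed execvp() exits 1, and none of these is distinguishable by the caller from the exec'd program itself returning non-zero. On a kernel without PR_SET_NO_NEW_PRIVS the negative cases in tests/nnp/test would therefore appear to succeed for the wrong reason. Give setup failures their own status, e.g. `exit(2);` after `perror("prctl PR_SET_NO_NEW_PRIVS");`, and document the status values in a comment at the top of the file. The usage branch is indented with tabs while the rest of main() uses four spaces, and `<string.h>` is included but not used.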
diff --git a/tests/nnp/test b/tests/nnp/test
new file mode 100755
index 0000000..4ac961a
--- /dev/null
+++ b/tests/nnp/test
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+
+# Depends on kernel patch with the following subject line:
+# selinux:  Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
+
+use Test;
+BEGIN { plan tests => 4}
+
+$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
+
+# Remove any leftover programs from prior failed runs.
+system("rm -f $basedir/true");
+
+# Set entrypoint type for bounded domain.
+system("chcon -t test_nnp_bounded_exec_t $basedir/checkcon");
+
+# Transition to bounded type via setexec.
+$result = system("$basedir/execnnp runcon -t test_nnp_bounded_t $basedir/checkcon test_nnp_bounded_t 2>&1");
+ok($result,0); #this should pass
+
+# Automatic transition to bounded domain via exec.
+$result = system("$basedir/execnnp $basedir/checkcon test_nnp_bounded_t 2>&1");
+ok($result,0); #this should pass
+
+# Use true as an entrypoint program to test ability to exec at all.
+system("cp /bin/true $basedir/true");
+
+# Set entrypoint type for notbounded domain.
+system("chcon -t test_nnp_notbounded_exec_t $basedir/checkcon $basedir/true");
+
+# Transition to notbounded domain via setexec.
+$result = system("$basedir/execnnp runcon -t test_nnp_notbounded_t $basedir/true 2>&1");
+ok($result); #this should fail
+
+# Automatic transition to notbounded domain via exec.
+$result = system("$basedir/execnnp $basedir/checkcon test_nnp_notbounded_t 2>&1");
+ok($result); #this should fail
+
+# Cleanup.
+system("rm -f $basedir/true");
+
+exit;
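Review bot: The `system("chcon ...")` and `system("cp /bin/true ...")` setup calls are not checked, so a failed relabel or copy silently changes what the four test cases exercise, and with `ok($result);` accepting any non-zero status the negative cases would still report success. Check the setup explicitly, e.g. `system("chcon -t test_nnp_notbounded_exec_t $basedir/checkcon $basedir/true") == 0 or die "chcon failed";`. The kernel patch named in the header comment also changes behaviour for nosuid mounts, but every case here goes through execnnp, so the nosuid path has no coverage; a comment noting that gap (or a case using a nosuid mount) would make this clear. `$basedir` is interpolated unquoted into shell command lines, so a checkout path containing spaces or shell metacharacters would change the commands that run.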
-- 
1.9.3



* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-12 19:21         ` Stephen Smalley
@ 2014-08-12 19:29           ` Andy Lutomirski
  2014-08-28 21:36           ` Paul Moore
  1 sibling, 0 replies; 11+ messages in thread
From: Andy Lutomirski @ 2014-08-12 19:29 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux-NSA

On Tue, Aug 12, 2014 at 12:21 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 08/12/2014 03:08 PM, Paul Moore wrote:
>> On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote:
>>> On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
>>>> On 08/12/2014 02:01 PM, Andy Lutomirski wrote:
>>>>> On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote:
>>>>>> If the callee SID is bounded by the caller SID, then allowing
>>>>>> the transition to occur poses no risk of privilege escalation and we
>>>>>> can therefore safely allow the transition to occur.  Add this exemption
>>>>>> for both the case where a transition was explicitly requested by the
>>>>>> application and the case where an automatic transition is defined in
>>>>>> policy.
>>>>>
>>>>> This still wants something like security_bounded_transition_noaudit,
>>>>> right?  (Or just a parameter about whether to audit -- there will only
>>>>> be two callers, I think.)
>>>>
>>>> I think generating an audit record is correct in this case; the
>>>> operation would have succeeded if the type were bounded, so it is
>>>> correct and helpful to report this to the audit log for diagnosing
>>>> failures.  I think Paul's prior objection was that you could end up with
>>>> an audit record even when the operation succeeded when we allowed the
>>>> transitions on either a bounded transition or dyntransition permission,
>>>> but that is no longer the case.
>>>
>>> Fair enough.
>>
>> Yes, the audit problem is no longer an issue and the comments look good to me.
>>
>>> Does this have any chance of making 3.17?
>>
>> No.  That ship has sailed.
>>
>> However, I would still like to see some more Reviewed-by/Tested-by mails
>> before we merge this for 3.18.  Andy, based on discussion on this thread and
>> previous threads, I assume you're happy with this patch?
>
> Attached is the patch for the selinux-testsuite,
> against git://git.selinuxproject.org/~serge/selinux-testsuite.
> Once it goes into a kernel I can make the test kernel version-specific
> and thus ensure it passes on old and new kernels.
>

The test case looks good to me.  Arguably it could check the error
code, too, but that's minor.

--Andy


* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-12 19:21         ` Stephen Smalley
  2014-08-12 19:29           ` Andy Lutomirski
@ 2014-08-28 21:36           ` Paul Moore
  2014-08-29 13:12             ` Stephen Smalley
  1 sibling, 1 reply; 11+ messages in thread
From: Paul Moore @ 2014-08-28 21:36 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux-NSA, Andy Lutomirski

On Tuesday, August 12, 2014 03:21:14 PM Stephen Smalley wrote:
> Attached is the patch for the selinux-testsuite,
> against git://git.selinuxproject.org/~serge/selinux-testsuite.
> Once it goes into a kernel I can make the test kernel version-specific
> and thus ensure it passes on old and new kernels.

I just applied the kernel patch to the SELinux next branch and ran the 
testsuite against it to ensure everything was okay and ran into the problems 
below:

<<<<
Running as user root with context unconfined_u:unconfined_r:unconfined_t

domain_trans/test ....... ok   
entrypoint/test ......... ok   
execshare/test .......... ok   
exectrace/test .......... ok   
execute_no_trans/test ... ok   
fdreceive/test .......... ok   
inherit/test ............ ok   
link/test ............... ok   
mkdir/test .............. ok   
msg/test ................ ok     
nnp/test ................ 1/4 # Test 1 got: "32256" (nnp/test at line 19)
#   Expected: "0"
#  nnp/test line 19 is: ok($result,0); #this should pass
# Test 2 got: "256" (nnp/test at line 23)
#   Expected: "0"
#  nnp/test line 23 is: ok($result,0); #this should pass
nnp/test ................ Failed 2/4 subtests 
open/test ............... ok   
ptrace/test ............. ok   
readlink/test ........... ok   
relabel/test ............ ok   
rename/test ............. ok   
rxdir/test .............. ok   
sem/test ................ ok     
setattr/test ............ ok   
setnice/test ............ ok   
shm/test ................ ok     
sigkill/test ............ ok     
stat/test ............... ok   
sysctl/test ............. ok   
task_create/test ........ ok   
task_setnice/test ....... ok   
task_setscheduler/test .. ok   
task_getscheduler/test .. ok   
task_getsid/test ........ ok   
task_getpgid/test ....... ok   
task_setpgid/test ....... ok   
wait/test ............... ok   
file/test ............... ok     
ioctl/test .............. ok   
capable_file/test ....... ok     
capable_net/test ........ ok   
capable_sys/test ........ ok   
dyntrans/test ........... ok   
dyntrace/test ........... ok   
bounds/test ............. ok
<<<<

When I run the test by hand using the command line below, the following 
appears in the audit log:

 # ls -Z checkcon
 unconfined_u:object_r:test_nnp_bounded_exec_t:s0 checkcon
 # ./execnnp runcon -t test_nnp_bounded_t ./checkcon test_nnp_bounded_t
 runcon: ./checkcon: Permission denied

<<<<
type=SELINUX_ERR msg=audit(1409261360.961:1953): op=security_compute_av 
reason=bounds scontext=unconfined_u:unconfined_r:test_nnp_bounded_t:s0-
s0:c0.c1023 tcontext=unconfined_u:object_r:test_nnp_bounded_exec_t:s0 
tclass=file perms=entrypoint
type=AVC msg=audit(1409261360.961:1953): avc:  denied  { entrypoint } for  
pid=15556 comm="runcon" path="/root/sources/selinux_testsuite-
upstream/tests/nnp/checkcon" dev="vda3" ino=423593 
scontext=unconfined_u:unconfined_r:test_nnp_bounded_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:test_nnp_bounded_exec_t:s0 tclass=file 
permissive=0
type=SYSCALL msg=audit(1409261360.961:1953): arch=c000003e syscall=59 
success=no exit=-13 a0=7fffd720e76c a1=7fffd720df50 a2=7fffd720df68 
a3=6e5f747365743a72 items=0 ppid=4569 pid=15556 auid=0 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="runcon" 
exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023 key=(null)
<<<<

Unfortunately that is about as far as I'm going to be able to get today on 
this, so I'm tossing this out hoping you'll have an answer before I can touch 
this next.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-28 21:36           ` Paul Moore
@ 2014-08-29 13:12             ` Stephen Smalley
  2014-08-29 18:20               ` Paul Moore
  0 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2014-08-29 13:12 UTC (permalink / raw)
  To: Paul Moore; +Cc: SELinux-NSA, Andy Lutomirski

[-- Attachment #1: Type: text/plain, Size: 4387 bytes --]

On 08/28/2014 05:36 PM, Paul Moore wrote:
> On Tuesday, August 12, 2014 03:21:14 PM Stephen Smalley wrote:
>> Attached is the patch for the selinux-testsuite,
>> against git://git.selinuxproject.org/~serge/selinux-testsuite.
>> Once it goes into a kernel I can make the test kernel version-specific
>> and thus ensure it passes on old and new kernels.
> 
> I just applied the kernel patch to the SELinux next branch and ran the 
> testsuite against it to ensure everything was okay and ran into the problems 
> below:
> 
> <<<<
> Running as user root with context unconfined_u:unconfined_r:unconfined_t
> 
> domain_trans/test ....... ok   
> entrypoint/test ......... ok   
> execshare/test .......... ok   
> exectrace/test .......... ok   
> execute_no_trans/test ... ok   
> fdreceive/test .......... ok   
> inherit/test ............ ok   
> link/test ............... ok   
> mkdir/test .............. ok   
> msg/test ................ ok     
> nnp/test ................ 1/4 # Test 1 got: "32256" (nnp/test at line 19)
> #   Expected: "0"
> #  nnp/test line 19 is: ok($result,0); #this should pass
> # Test 2 got: "256" (nnp/test at line 23)
> #   Expected: "0"
> #  nnp/test line 23 is: ok($result,0); #this should pass
> nnp/test ................ Failed 2/4 subtests 

This is the output I get on an unpatched kernel.
On the patched kernel, all tests pass.

> open/test ............... ok   
> ptrace/test ............. ok   
> readlink/test ........... ok   
> relabel/test ............ ok   
> rename/test ............. ok   
> rxdir/test .............. ok   
> sem/test ................ ok     
> setattr/test ............ ok   
> setnice/test ............ ok   
> shm/test ................ ok     
> sigkill/test ............ ok     
> stat/test ............... ok   
> sysctl/test ............. ok   
> task_create/test ........ ok   
> task_setnice/test ....... ok   
> task_setscheduler/test .. ok   
> task_getscheduler/test .. ok   
> task_getsid/test ........ ok   
> task_getpgid/test ....... ok   
> task_setpgid/test ....... ok   
> wait/test ............... ok   
> file/test ............... ok     
> ioctl/test .............. ok   
> capable_file/test ....... ok     
> capable_net/test ........ ok   
> capable_sys/test ........ ok   
> dyntrans/test ........... ok   
> dyntrace/test ........... ok   
> bounds/test ............. ok
> <<<<
> 
> When I run the test by hand using the command line below, the following 
> appears in the audit log:

Just FYI, you can more easily re-run the failed test just by running its
test script, e.g. ./nnp/test, rather than manually running individual
commands from it.

> 
>  # ls -Z checkcon
>  unconfined_u:object_r:test_nnp_bounded_exec_t:s0 checkcon
>  # ./execnnp runcon -t test_nnp_bounded_t ./checkcon test_nnp_bounded_t
>  runcon: ./checkcon: Permission denied
> 
> <<<<
> type=SELINUX_ERR msg=audit(1409261360.961:1953): op=security_compute_av 
> reason=bounds scontext=unconfined_u:unconfined_r:test_nnp_bounded_t:s0-
> s0:c0.c1023 tcontext=unconfined_u:object_r:test_nnp_bounded_exec_t:s0 
> tclass=file perms=entrypoint

Ok, so since your base policy does not allow unconfined_t entrypoint to
all file types, it was denied to test_nnp_bounded_t since it is bounded
by unconfined_t.

> type=AVC msg=audit(1409261360.961:1953): avc:  denied  { entrypoint } for  
> pid=15556 comm="runcon" path="/root/sources/selinux_testsuite-
> upstream/tests/nnp/checkcon" dev="vda3" ino=423593 
> scontext=unconfined_u:unconfined_r:test_nnp_bounded_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:object_r:test_nnp_bounded_exec_t:s0 tclass=file 
> permissive=0
> type=SYSCALL msg=audit(1409261360.961:1953): arch=c000003e syscall=59 
> success=no exit=-13 a0=7fffd720e76c a1=7fffd720df50 a2=7fffd720df68 
> a3=6e5f747365743a72 items=0 ppid=4569 pid=15556 auid=0 uid=0 gid=0 euid=0 
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="runcon" 
> exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-
> s0:c0.c1023 key=(null)
> <<<<
> 
> Unfortunately that is about as far as I'm going to be able to get today on 
> this, so I'm tossing this out hoping you'll have an answer before I can touch 
> this next.

It runs fine on Fedora 20.  I am guessing you are running on rawhide /
Fedora 21, and that this is a difference in your base policy.  Try this
patch for selinux-testsuite on top of the current one.




[-- Attachment #2: 0001-Explicitly-allow-unconfined_t-entrypoint-to-test_nnp.patch --]
[-- Type: text/x-patch, Size: 864 bytes --]

>From fb7a3f11041213e3babba1b7b65d8aff014799bc Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 29 Aug 2014 08:50:20 -0400
Subject: [PATCH] Explicitly allow unconfined_t entrypoint to
 test_nnp_bounded_exec_t.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/test_nnp.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/test_nnp.te b/policy/test_nnp.te
index 55eccd8..206882d 100644
--- a/policy/test_nnp.te
+++ b/policy/test_nnp.te
@@ -13,6 +13,7 @@ typebounds unconfined_t test_nnp_bounded_t;
 type test_nnp_bounded_exec_t;
 files_type(test_nnp_bounded_exec_t)
 domain_entry_file(test_nnp_bounded_t, test_nnp_bounded_exec_t)
+domain_entry_file(unconfined_t, test_nnp_bounded_exec_t)
 
 # Run it!  This should succeed on patched kernels, fail on old ones.
 unconfined_runs_test(test_nnp_bounded_t)
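Review bot: The added `domain_entry_file(unconfined_t, test_nnp_bounded_exec_t)` rule carries no comment explaining why the parent domain needs entrypoint on the test's exec type, and the commit message gives no reason either. The hunk context shows `typebounds unconfined_t test_nnp_bounded_t`, and the audit record quoted in the thread reports `reason=bounds` for the entrypoint denial, so the rule exists to keep the bounded type's permission from being stripped on base policies where unconfined_t lacks it. Without that stated, a later cleanup could take it for an unnecessary grant to unconfined_t and remove it. I would add above the rule: `# test_nnp_bounded_t is bounded by unconfined_t, so unconfined_t must also be allowed entrypoint here or the bounds check denies it.`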
-- 
1.9.3



* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
  2014-08-29 13:12             ` Stephen Smalley
@ 2014-08-29 18:20               ` Paul Moore
  0 siblings, 0 replies; 11+ messages in thread
From: Paul Moore @ 2014-08-29 18:20 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux-NSA, Andy Lutomirski

On Friday, August 29, 2014 09:12:10 AM Stephen Smalley wrote:
> It runs fine on Fedora 20.  I am guessing you are running on rawhide /
> Fedora 21, and that this is a difference in your base policy.

Yep.  In general I test the SELinux next patches against Fedora Rawhide.

> Try this patch for selinux-testsuite on top of the current one.

That solved it, thanks.  The kernel patch is now merged upstream and should 
be in the next linux-next tree.

-- 
paul moore
www.paul-moore.com
