* [PATCH] selinux: log raw contexts as untrusted strings
@ 2019-06-11 8:07 Ondrej Mosnacek
2019-06-11 17:02 ` Richard Guy Briggs
2019-06-11 22:56 ` Paul Moore
0 siblings, 2 replies; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-06-11 8:07 UTC (permalink / raw)
To: selinux, Paul Moore; +Cc: linux-audit, stable
These strings may come from untrusted sources (e.g. file xattrs) so they
need to be properly escaped.
Reproducer:
# setenforce 0
# touch /tmp/test
# setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
# runcon system_u:system_r:sshd_t:s0 cat /tmp/test
(look at the generated AVCs)
Actual result:
type=AVC [...] trawcon=kuřecí řízek
Expected result:
type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
Cc: stable@vger.kernel.org # v5.1+
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
security/selinux/avc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 8346a4f7c5d7..a99be508f93d 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
&scontext_len);
if (!rc && scontext) {
- audit_log_format(ab, " srawcon=%s", scontext);
+ if (scontext_len && scontext[scontext_len - 1] == '\0')
+ scontext_len--;
+ audit_log_format(ab, " srawcon=");
+ audit_log_n_untrustedstring(ab, scontext, scontext_len);
kfree(scontext);
}
rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
&scontext_len);
if (!rc && scontext) {
- audit_log_format(ab, " trawcon=%s", scontext);
+ if (scontext_len && scontext[scontext_len - 1] == '\0')
+ scontext_len--;
+ audit_log_format(ab, " trawcon=");
+ audit_log_n_untrustedstring(ab, scontext, scontext_len);
kfree(scontext);
}
}
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] selinux: log raw contexts as untrusted strings
2019-06-11 8:07 [PATCH] selinux: log raw contexts as untrusted strings Ondrej Mosnacek
@ 2019-06-11 17:02 ` Richard Guy Briggs
2019-06-11 22:56 ` Paul Moore
1 sibling, 0 replies; 6+ messages in thread
From: Richard Guy Briggs @ 2019-06-11 17:02 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: selinux, Paul Moore, linux-audit, stable
On 2019-06-11 10:07, Ondrej Mosnacek wrote:
> These strings may come from untrusted sources (e.g. file xattrs) so they
> need to be properly escaped.
>
> Reproducer:
> # setenforce 0
> # touch /tmp/test
> # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
> # runcon system_u:system_r:sshd_t:s0 cat /tmp/test
> (look at the generated AVCs)
>
> Actual result:
> type=AVC [...] trawcon=kuřecí řízek
>
> Expected result:
> type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
>
> Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
> Cc: stable@vger.kernel.org # v5.1+
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> security/selinux/avc.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index 8346a4f7c5d7..a99be508f93d 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
> rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
> &scontext_len);
> if (!rc && scontext) {
> - audit_log_format(ab, " srawcon=%s", scontext);
> + if (scontext_len && scontext[scontext_len - 1] == '\0')
> + scontext_len--;
> + audit_log_format(ab, " srawcon=");
> + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> kfree(scontext);
> }
>
> rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
> &scontext_len);
> if (!rc && scontext) {
> - audit_log_format(ab, " trawcon=%s", scontext);
> + if (scontext_len && scontext[scontext_len - 1] == '\0')
> + scontext_len--;
> + audit_log_format(ab, " trawcon=");
> + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> kfree(scontext);
> }
> }
> --
> 2.20.1
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] selinux: log raw contexts as untrusted strings
@ 2019-06-11 17:02 ` Richard Guy Briggs
0 siblings, 0 replies; 6+ messages in thread
From: Richard Guy Briggs @ 2019-06-11 17:02 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: selinux, Paul Moore, linux-audit, stable
On 2019-06-11 10:07, Ondrej Mosnacek wrote:
> These strings may come from untrusted sources (e.g. file xattrs) so they
> need to be properly escaped.
>
> Reproducer:
> # setenforce 0
> # touch /tmp/test
> # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
> # runcon system_u:system_r:sshd_t:s0 cat /tmp/test
> (look at the generated AVCs)
>
> Actual result:
> type=AVC [...] trawcon=kuřecí řízek
>
> Expected result:
> type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
>
> Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
> Cc: stable@vger.kernel.org # v5.1+
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> security/selinux/avc.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index 8346a4f7c5d7..a99be508f93d 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
> rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
> &scontext_len);
> if (!rc && scontext) {
> - audit_log_format(ab, " srawcon=%s", scontext);
> + if (scontext_len && scontext[scontext_len - 1] == '\0')
> + scontext_len--;
> + audit_log_format(ab, " srawcon=");
> + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> kfree(scontext);
> }
>
> rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
> &scontext_len);
> if (!rc && scontext) {
> - audit_log_format(ab, " trawcon=%s", scontext);
> + if (scontext_len && scontext[scontext_len - 1] == '\0')
> + scontext_len--;
> + audit_log_format(ab, " trawcon=");
> + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> kfree(scontext);
> }
> }
> --
> 2.20.1
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] selinux: log raw contexts as untrusted strings
2019-06-11 8:07 [PATCH] selinux: log raw contexts as untrusted strings Ondrej Mosnacek
2019-06-11 17:02 ` Richard Guy Briggs
@ 2019-06-11 22:56 ` Paul Moore
2019-06-12 7:37 ` Ondrej Mosnacek
1 sibling, 1 reply; 6+ messages in thread
From: Paul Moore @ 2019-06-11 22:56 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: selinux, linux-audit, stable
On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> These strings may come from untrusted sources (e.g. file xattrs) so they
> need to be properly escaped.
>
> Reproducer:
> # setenforce 0
> # touch /tmp/test
> # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
> # runcon system_u:system_r:sshd_t:s0 cat /tmp/test
> (look at the generated AVCs)
>
> Actual result:
> type=AVC [...] trawcon=kuřecí řízek
>
> Expected result:
> type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
>
> Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
> Cc: stable@vger.kernel.org # v5.1+
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> security/selinux/avc.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
Thanks, the patch looks fine to me, but it is borderline -stable
material in my opinion. I'll add it to the stable-5.2 branch, but in
the future I would prefer if you left the stable marking off patches
and sent a reply discussing *why* this should go to stable so we can
discuss it. I realize Greg likes to pull a lot of stuff into stable,
but I try to be a bit more conservative about what gets marked. Even
the simplest fix can still break things :)
I'm going to start building a test kernel now with this fix, but I
might hold off on sending this up to Linus for a couple of days to see
if I can catch Gen Zhang's patches in the same PR.
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index 8346a4f7c5d7..a99be508f93d 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
> rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
> &scontext_len);
> if (!rc && scontext) {
> - audit_log_format(ab, " srawcon=%s", scontext);
> + if (scontext_len && scontext[scontext_len - 1] == '\0')
> + scontext_len--;
> + audit_log_format(ab, " srawcon=");
> + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> kfree(scontext);
> }
>
> rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
> &scontext_len);
> if (!rc && scontext) {
> - audit_log_format(ab, " trawcon=%s", scontext);
> + if (scontext_len && scontext[scontext_len - 1] == '\0')
> + scontext_len--;
> + audit_log_format(ab, " trawcon=");
> + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> kfree(scontext);
> }
> }
> --
> 2.20.1
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] selinux: log raw contexts as untrusted strings
2019-06-11 22:56 ` Paul Moore
@ 2019-06-12 7:37 ` Ondrej Mosnacek
2019-06-12 15:01 ` Paul Moore
0 siblings, 1 reply; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-06-12 7:37 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux, Linux-Audit Mailing List, stable
On Wed, Jun 12, 2019 at 12:56 AM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > These strings may come from untrusted sources (e.g. file xattrs) so they
> > need to be properly escaped.
> >
> > Reproducer:
> > # setenforce 0
> > # touch /tmp/test
> > # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
> > # runcon system_u:system_r:sshd_t:s0 cat /tmp/test
> > (look at the generated AVCs)
> >
> > Actual result:
> > type=AVC [...] trawcon=kuřecí řízek
> >
> > Expected result:
> > type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
> >
> > Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
> > Cc: stable@vger.kernel.org # v5.1+
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> > security/selinux/avc.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
>
> Thanks, the patch looks fine to me, but it is borderline -stable
> material in my opinion. I'll add it to the stable-5.2 branch, but in
> the future I would prefer if you left the stable marking off patches
> and sent a reply discussing *why* this should go to stable so we can
> discuss it. I realize Greg likes to pull a lot of stuff into stable,
> but I try to be a bit more conservative about what gets marked. Even
> the simplest fix can still break things :)
OK, I was a bit unsure whether to mark it as stable or not and
eventually inclined to do so... I'll try be more careful about it in
the future.
>
> I'm going to start building a test kernel now with this fix, but I
> might hold off on sending this up to Linus for a couple of days to see
> if I can catch Gen Zhang's patches in the same PR.
>
> > diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> > index 8346a4f7c5d7..a99be508f93d 100644
> > --- a/security/selinux/avc.c
> > +++ b/security/selinux/avc.c
> > @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
> > rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
> > &scontext_len);
> > if (!rc && scontext) {
> > - audit_log_format(ab, " srawcon=%s", scontext);
> > + if (scontext_len && scontext[scontext_len - 1] == '\0')
> > + scontext_len--;
> > + audit_log_format(ab, " srawcon=");
> > + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> > kfree(scontext);
> > }
> >
> > rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
> > &scontext_len);
> > if (!rc && scontext) {
> > - audit_log_format(ab, " trawcon=%s", scontext);
> > + if (scontext_len && scontext[scontext_len - 1] == '\0')
> > + scontext_len--;
> > + audit_log_format(ab, " trawcon=");
> > + audit_log_n_untrustedstring(ab, scontext, scontext_len);
> > kfree(scontext);
> > }
> > }
> > --
> > 2.20.1
>
> --
> paul moore
> www.paul-moore.com
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] selinux: log raw contexts as untrusted strings
2019-06-12 7:37 ` Ondrej Mosnacek
@ 2019-06-12 15:01 ` Paul Moore
0 siblings, 0 replies; 6+ messages in thread
From: Paul Moore @ 2019-06-12 15:01 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: selinux, Linux-Audit Mailing List, stable
On Wed, Jun 12, 2019 at 3:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Wed, Jun 12, 2019 at 12:56 AM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > > These strings may come from untrusted sources (e.g. file xattrs) so they
> > > need to be properly escaped.
> > >
> > > Reproducer:
> > > # setenforce 0
> > > # touch /tmp/test
> > > # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
> > > # runcon system_u:system_r:sshd_t:s0 cat /tmp/test
> > > (look at the generated AVCs)
> > >
> > > Actual result:
> > > type=AVC [...] trawcon=kuřecí řízek
> > >
> > > Expected result:
> > > type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
> > >
> > > Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
> > > Cc: stable@vger.kernel.org # v5.1+
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > > security/selinux/avc.c | 10 ++++++++--
> > > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > Thanks, the patch looks fine to me, but it is borderline -stable
> > material in my opinion. I'll add it to the stable-5.2 branch, but in
> > the future I would prefer if you left the stable marking off patches
> > and sent a reply discussing *why* this should go to stable so we can
> > discuss it. I realize Greg likes to pull a lot of stuff into stable,
> > but I try to be a bit more conservative about what gets marked. Even
> > the simplest fix can still break things :)
>
> OK, I was a bit unsure whether to mark it as stable or not and
> eventually inclined to do so... I'll try be more careful about it in
> the future.
If it makes you feel better, it's not that big of a deal, I just felt
it was worth mentioning since we've been doing a bit of a "best
practices for submitting SELinux kernel patches" on the mailing list
lately and I felt this was worth mentioning. The basic idea is that I
think marking something for stable shouldn't be taken lightly and it
is worth a discussion, even if it is short.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-06-12 15:01 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-11 8:07 [PATCH] selinux: log raw contexts as untrusted strings Ondrej Mosnacek
2019-06-11 17:02 ` Richard Guy Briggs
2019-06-11 17:02 ` Richard Guy Briggs
2019-06-11 22:56 ` Paul Moore
2019-06-12 7:37 ` Ondrej Mosnacek
2019-06-12 15:01 ` Paul Moore
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.