* selinux_check_access is not thread-safe
@ 2021-05-24 17:23 Seth Moore
2021-06-03 13:20 ` Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Seth Moore @ 2021-05-24 17:23 UTC (permalink / raw)
To: selinux
Originally posted here: https://github.com/SELinuxProject/selinux/issues/287
By default, selinux_check_access does not appear to be thread-safe. It
calls avc_open, which then calls avc_init, passing NULL for all
callback function tables. The result is that no locking is done for
the AVC, which can corrupt the cache if multiple threads are calling
selinux_check_access.
It looks like calling avc_init, supplying lock callbacks, is the
"easy" answer. However, the avc_init man page says that avc_init is
deprecated. There's a new function for setting callbacks,
selinux_set_callback, but it does not seem to support locking.
I see a few possible solutions:
1. Update selinux_set_callback to support AVC lock functions.
2. Update the man pages to indicate selinux is not intended to be
thread-safe anymore.
3. Update the avc_init man page, indicating it's safe to use (un-deprecate?)
Note that we have observed buggy behavior with Android keystore2. Our
quick-n-dirty fix was a serializing lock around all selinux calls:
https://android.googlesource.com/platform/system/security/+/ff188d3a6ca38919e568f0c89f74d90c011526e9
My prefered fix is either #1 or #3, as they provide slightly
finger-grained locking than our fix.
Cheers,
Seth
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: selinux_check_access is not thread-safe
2021-05-24 17:23 selinux_check_access is not thread-safe Seth Moore
@ 2021-06-03 13:20 ` Stephen Smalley
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2021-06-03 13:20 UTC (permalink / raw)
To: Seth Moore; +Cc: SElinux list
On Mon, May 24, 2021 at 1:24 PM Seth Moore <sethmo@google.com> wrote:
>
> Originally posted here: https://github.com/SELinuxProject/selinux/issues/287
>
> By default, selinux_check_access does not appear to be thread-safe. It
> calls avc_open, which then calls avc_init, passing NULL for all
> callback function tables. The result is that no locking is done for
> the AVC, which can corrupt the cache if multiple threads are calling
> selinux_check_access.
>
> It looks like calling avc_init, supplying lock callbacks, is the
> "easy" answer. However, the avc_init man page says that avc_init is
> deprecated. There's a new function for setting callbacks,
> selinux_set_callback, but it does not seem to support locking.
>
> I see a few possible solutions:
> 1. Update selinux_set_callback to support AVC lock functions.
> 2. Update the man pages to indicate selinux is not intended to be
> thread-safe anymore.
> 3. Update the avc_init man page, indicating it's safe to use (un-deprecate?)
>
> Note that we have observed buggy behavior with Android keystore2. Our
> quick-n-dirty fix was a serializing lock around all selinux calls:
> https://android.googlesource.com/platform/system/security/+/ff188d3a6ca38919e568f0c89f74d90c011526e9
>
> My prefered fix is either #1 or #3, as they provide slightly
> finger-grained locking than our fix.
I would recommend #1.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-06-03 13:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-24 17:23 selinux_check_access is not thread-safe Seth Moore
2021-06-03 13:20 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.