[RFC] Porting glibc away from deprecated libselinux APIs

[RFC] Porting glibc away from deprecated libselinux APIs

[Arjun Shankar]

[-- Attachment #1: Type: text/plain, Size: 724 bytes --]

Hi,

glibc currently uses several recently deprecated libselinux APIs:

1. makedb uses matchpathcon:

https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD

2. nscd uses avc_init and multiple old style callbacks:

https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD

We are currently trying to replace these uses with the newer interfaces,
with a proposed makedb patch written by Aurelien Jarno attached with this
email, and being discussed here:
https://sourceware.org/pipermail/libc-alpha/2020-July/116504.html

Would you be able to help review this and any follow-ups?

Thank you, and Cheers,
Arjun

[-- Attachment #2: Type: message/rfc822, Size: 7245 bytes --]

From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-alpha@sourceware.org
Cc: Aurelien Jarno <aurelien@aurel32.net>
Subject: [PATCH] makedb: fix build with libselinux >= 3.1
Date: Tue, 21 Jul 2020 07:01:16 +0200
Message-ID: <20200721050115.204181-1-aurelien@aurel32.net>

glibc doesn't build with libselinux 3.1 that has been released recently
due to new deprecations introduced in that version and the fact that
glibc is built with -Werror by default:

| makedb.c: In function ‘set_file_creation_context’:
| makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
|   849 |   security_context_t ctx;
|       |   ^~~~~~~~~~~~~~~~~~
| makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
|   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
|       |   ^~
| In file included from makedb.c:50:
| /usr/include/selinux/selinux.h:500:12: note: declared here
|   500 | extern int matchpathcon(const char *path,
|       |            ^~~~~~~~~~~~
| cc1: all warnings being treated as errors

This patch is an attempt to fix that. It has only built tested, as I do
not have a system nor the knowledge to test that. I have checked that
the functions used as replacement are available since at least selinux
2.0.96, released more than 10 years ago, so we probably do not need any
version check in the configure script.
---
 nss/makedb.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

I believe this patch is not acceptable for glibc 2.32, I guess we should
just add a #pragma to ignore -Werror=deprecated-declarations in that
file.

Note: there is the same issue in nscd/selinux.c. I plan to have a look
once we settle on a strategy.

diff --git a/nss/makedb.c b/nss/makedb.c
index 8e389a16837..a5c4b521172 100644
--- a/nss/makedb.c
+++ b/nss/makedb.c
@@ -47,6 +47,7 @@
 
 /* SELinux support.  */
 #ifdef HAVE_SELINUX
+# include <selinux/label.h>
 # include <selinux/selinux.h>
 #endif
 
@@ -846,7 +847,8 @@ set_file_creation_context (const char *outname, mode_t mode)
 {
   static int enabled;
   static int enforcing;
-  security_context_t ctx;
+  struct selabel_handle *label_hnd = NULL;
+  char* ctx;
 
   /* Check if SELinux is enabled, and remember. */
   if (enabled == 0)
@@ -858,9 +860,16 @@ set_file_creation_context (const char *outname, mode_t mode)
   if (enforcing == 0)
     enforcing = security_getenforce () ? 1 : -1;
 
+  /* Open the file contexts backend. */
+  label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+  if (!label_hnd)
+    if (setfscreatecon (ctx) != 0)
+      error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
+	     gettext ("cannot initialize SELinux context"));
+
   /* Determine the context which the file should have. */
   ctx = NULL;
-  if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
+  if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL)
     {
       if (setfscreatecon (ctx) != 0)
 	error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
@@ -868,7 +877,11 @@ set_file_creation_context (const char *outname, mode_t mode)
 	       outname);
 
       freecon (ctx);
+      selabel_close(label_hnd);
     }
+
+  /* Close the file contexts backend. */
+  selabel_close(label_hnd);
 }
 
 static void
-- 
2.27.0

Re: [RFC] Porting glibc away from deprecated libselinux APIs

[Stephen Smalley]

On Tue, Jul 21, 2020 at 8:07 AM Arjun Shankar <arjun.is@lostca.se> wrote:
>
> Hi,
>
> glibc currently uses several recently deprecated libselinux APIs:
>
> 1. makedb uses matchpathcon:
>
> https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD

Should migrate to selabel_open/lookup/close.

> 2. nscd uses avc_init and multiple old style callbacks:
>
> https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD

Wondering if nscd can migrate to using the higher level
selinux_check_access() interface instead of direct usage of the
avc_*() interfaces.

> We are currently trying to replace these uses with the newer interfaces,
> with a proposed makedb patch written by Aurelien Jarno attached with this
> email, and being discussed here:
> https://sourceware.org/pipermail/libc-alpha/2020-July/116504.html
>
> Would you be able to help review this and any follow-ups?

Yes, please cc the selinux list on any future patches.

> diff --git a/nss/makedb.c b/nss/makedb.c
> index 8e389a16837..a5c4b521172 100644
> --- a/nss/makedb.c
> +++ b/nss/makedb.c
> @@ -846,7 +847,8 @@ set_file_creation_context (const char *outname, mode_t mode)
>  {
>    static int enabled;
>    static int enforcing;
> -  security_context_t ctx;
> +  struct selabel_handle *label_hnd = NULL;
> +  char* ctx;
>
>    /* Check if SELinux is enabled, and remember. */
>    if (enabled == 0)
> @@ -858,9 +860,16 @@ set_file_creation_context (const char *outname, mode_t mode)
>    if (enforcing == 0)
>      enforcing = security_getenforce () ? 1 : -1;
>
> +  /* Open the file contexts backend. */
> +  label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
> +  if (!label_hnd)
> +    if (setfscreatecon (ctx) != 0)

The setfscreatecon(ctx) call here makes no sense to me.  You haven't
yet looked up a context.  And if !label_hnd, then selabel_open()
failed.

> +      error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
> +            gettext ("cannot initialize SELinux context"));
> +
>    /* Determine the context which the file should have. */
>    ctx = NULL;
> -  if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
> +  if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL)

ctx can't be NULL if selabel_lookup() returned 0.

>      {
>        if (setfscreatecon (ctx) != 0)
>         error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
> @@ -868,7 +877,11 @@ set_file_creation_context (const char *outname, mode_t mode)
>                outname);
>
>        freecon (ctx);
> +      selabel_close(label_hnd);

You don't want to call this twice on the same handle.

>      }
> +
> +  /* Close the file contexts backend. */
> +  selabel_close(label_hnd);

Re: [RFC] Porting glibc away from deprecated libselinux APIs

[Florian Weimer]

* Stephen Smalley:

> On Tue, Jul 21, 2020 at 8:07 AM Arjun Shankar <arjun.is@lostca.se> wrote:
>>
>> Hi,
>>
>> glibc currently uses several recently deprecated libselinux APIs:
>>
>> 1. makedb uses matchpathcon:
>>
>> https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD
>
> Should migrate to selabel_open/lookup/close.
>
>> 2. nscd uses avc_init and multiple old style callbacks:
>>
>> https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD
>
> Wondering if nscd can migrate to using the higher level
> selinux_check_access() interface instead of direct usage of the
> avc_*() interfaces.

Somewhat related:

I do not know the reason *why* we have SELinux-specific code in glibc,
and in this places in particular.  What makes nscd and makedb special?
ldconfig also writes a file used across trust boundaries
(/etc/ld.so.cache), and yet we don't label it explicitly.

(nscd is a daemon that runs under its own user and loads NSS service
modules.  makedb is similar to ldconfig.)

Do you have an idea why we need this code in glibc in the first place?
Could it be that it is simply there to work around an incomplete system
policy?

Thanks,
Florian

Re: [RFC] Porting glibc away from deprecated libselinux APIs

[Stephen Smalley]

On Tue, Jul 21, 2020 at 9:05 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * Stephen Smalley:
>
> > On Tue, Jul 21, 2020 at 8:07 AM Arjun Shankar <arjun.is@lostca.se> wrote:
> >>
> >> Hi,
> >>
> >> glibc currently uses several recently deprecated libselinux APIs:
> >>
> >> 1. makedb uses matchpathcon:
> >>
> >> https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD
> >
> > Should migrate to selabel_open/lookup/close.
> >
> >> 2. nscd uses avc_init and multiple old style callbacks:
> >>
> >> https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD
> >
> > Wondering if nscd can migrate to using the higher level
> > selinux_check_access() interface instead of direct usage of the
> > avc_*() interfaces.
>
> Somewhat related:
>
> I do not know the reason *why* we have SELinux-specific code in glibc,
> and in this places in particular.  What makes nscd and makedb special?
> ldconfig also writes a file used across trust boundaries
> (/etc/ld.so.cache), and yet we don't label it explicitly.
>
> (nscd is a daemon that runs under its own user and loads NSS service
> modules.  makedb is similar to ldconfig.)
>
> Do you have an idea why we need this code in glibc in the first place?
> Could it be that it is simply there to work around an incomplete system
> policy?

It could be that at the time we didn't have restorecond or support for
name-based type transitions and therefore they needed the makedb
changes to keep its file in the proper security context.  WRT nscd,
using SELinux to provide the policy decisions is both more flexible
and more robust than a DAC-based scheme, and allows central management
of the overall system policy.  Dan Walsh and/or prior glibc
maintainers might recall more of the specifics.

Re: [RFC] Porting glibc away from deprecated libselinux APIs

[Daniel Walsh]

On 7/21/20 09:13, Stephen Smalley wrote:
> On Tue, Jul 21, 2020 at 9:05 AM Florian Weimer <fweimer@redhat.com> wrote:
>> * Stephen Smalley:
>>
>>> On Tue, Jul 21, 2020 at 8:07 AM Arjun Shankar <arjun.is@lostca.se> wrote:
>>>> Hi,
>>>>
>>>> glibc currently uses several recently deprecated libselinux APIs:
>>>>
>>>> 1. makedb uses matchpathcon:
>>>>
>>>> https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD
>>> Should migrate to selabel_open/lookup/close.
>>>
>>>> 2. nscd uses avc_init and multiple old style callbacks:
>>>>
>>>> https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD
>>> Wondering if nscd can migrate to using the higher level
>>> selinux_check_access() interface instead of direct usage of the
>>> avc_*() interfaces.
>> Somewhat related:
>>
>> I do not know the reason *why* we have SELinux-specific code in glibc,
>> and in this places in particular.  What makes nscd and makedb special?
>> ldconfig also writes a file used across trust boundaries
>> (/etc/ld.so.cache), and yet we don't label it explicitly.
>>
>> (nscd is a daemon that runs under its own user and loads NSS service
>> modules.  makedb is similar to ldconfig.)
>>
>> Do you have an idea why we need this code in glibc in the first place?
>> Could it be that it is simply there to work around an incomplete system
>> policy?
> It could be that at the time we didn't have restorecond or support for
> name-based type transitions and therefore they needed the makedb
> changes to keep its file in the proper security context.  WRT nscd,
> using SELinux to provide the policy decisions is both more flexible
> and more robust than a DAC-based scheme, and allows central management
> of the overall system policy.  Dan Walsh and/or prior glibc
> maintainers might recall more of the specifics.
>
Going way back, this was added I recall by Uli Drepper, for speed of
some httpd transactions?