From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7FE70C433DB for ; Fri, 19 Mar 2021 13:36:46 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 10F0264EEE for ; Fri, 19 Mar 2021 13:36:45 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 10F0264EEE Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=linux-audit-bounces@redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1616161005; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=yXdEPPGBmbuKs1nQTuWyeV7+u7NzbhJHrbUZPV2dlW4=; b=hXwG+5dDlOjAx0DGrxZ1MNNUAzZrSaJVv8TU+CfX1tbXEUsaYOq6X6qez6Vmk1RK+eh+AZ ZJ86MpMDRKosUXa2W4gG9Cl4/FaWTkvrcdswvS590h+ZtESIHyzV8RUf+KPzjKWlF0iIld 4h6SDaJn2ObHndViRA9k2rpQT1pUclI= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-443-J0AHF-yiN8mjjoyCxmT9_A-1; Fri, 19 Mar 2021 09:36:42 -0400 X-MC-Unique: J0AHF-yiN8mjjoyCxmT9_A-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C2D6E83DD22; Fri, 19 Mar 2021 13:36:38 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A7F5F610F3; Fri, 19 Mar 2021 13:36:38 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 67F761809C83; Fri, 19 Mar 2021 13:36:38 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 12JDabTf018052 for ; Fri, 19 Mar 2021 09:36:37 -0400 Received: by smtp.corp.redhat.com (Postfix) id 248981992D; Fri, 19 Mar 2021 13:36:37 +0000 (UTC) Received: from madcap2.tricolour.ca (unknown [10.10.110.27]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8201B19C79; Fri, 19 Mar 2021 13:36:28 +0000 (UTC) Date: Fri, 19 Mar 2021 09:36:25 -0400 From: Richard Guy Briggs To: Paul Moore Subject: Re: [PATCH v2 2/3] selinux: clarify task subjective and objective credentials Message-ID: <20210319133625.GD2781019@madcap2.tricolour.ca> References: <161609713992.55424.6906498317563652734.stgit@olly> <161610014979.55424.673449459081578214.stgit@olly> MIME-Version: 1.0 In-Reply-To: <161610014979.55424.673449459081578214.stgit@olly> User-Agent: Mutt/1.10.1 (2018-07-13) X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: linux-audit@redhat.com Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-audit@redhat.com, John Johansen X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Disposition: inline Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On 2021-03-18 16:42, Paul Moore wrote: > SELinux has a function, task_sid(), which returns the task's > objective credentials, but unfortunately is used in a few places > where the subjective task credentials should be used. Most notably > in the new security_task_getsecid_subj() LSM hook. > > This patch fixes this and attempts to make things more obvious by > introducing a new function, task_sid_subj(), and renaming the > existing task_sid() function to task_sid_obj(). > > This patch also adds an interesting function in task_sid_binder(). > The task_sid_binder() function has a comment which hopefully > describes it's reason for being, but it basically boils down to the > simple fact that we can't safely access another task's subjective > credentials so in the case of binder we need to stick with the > objective credentials regardless. > > Signed-off-by: Paul Moore Reviewed-by: Richard Guy Briggs > --- > security/selinux/hooks.c | 112 ++++++++++++++++++++++++++++++---------------- > 1 file changed, 73 insertions(+), 39 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 24ca545c6e1b..901a3ce453f1 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -229,10 +229,23 @@ static inline u32 cred_sid(const struct cred *cred) > return tsec->sid; > } > > +/* > + * get the subjective security ID of a task > + */ > +static inline u32 task_sid_subj(const struct task_struct *task) > +{ > + u32 sid; > + > + rcu_read_lock(); > + sid = cred_sid(rcu_dereference(task->cred)); > + rcu_read_unlock(); > + return sid; > +} > + > /* > * get the objective security ID of a task > */ > -static inline u32 task_sid(const struct task_struct *task) > +static inline u32 task_sid_obj(const struct task_struct *task) > { > u32 sid; > > @@ -242,6 +255,29 @@ static inline u32 task_sid(const struct task_struct *task) > return sid; > } > > +/* > + * get the security ID of a task for use with binder > + */ > +static inline u32 task_sid_binder(const struct task_struct *task) > +{ > + /* > + * In many case where this function is used we should be using the > + * task's subjective SID, but we can't reliably access the subjective > + * creds of a task other than our own so we must use the objective > + * creds/SID, which are safe to access. The downside is that if a task > + * is temporarily overriding it's creds it will not be reflected here; > + * however, it isn't clear that binder would handle that case well > + * anyway. > + * > + * If this ever changes and we can safely reference the subjective > + * creds/SID of another task, this function will make it easier to > + * identify the various places where we make use of the task SIDs in > + * the binder code. It is also likely that we will need to adjust > + * the main drivers/android binder code as well. > + */ > + return task_sid_obj(task); > +} > + > static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); > > /* > @@ -2035,11 +2071,8 @@ static inline u32 open_file_to_av(struct file *file) > > static int selinux_binder_set_context_mgr(struct task_struct *mgr) > { > - u32 mysid = current_sid(); > - u32 mgrsid = task_sid(mgr); > - > return avc_has_perm(&selinux_state, > - mysid, mgrsid, SECCLASS_BINDER, > + current_sid(), task_sid_binder(mgr), SECCLASS_BINDER, > BINDER__SET_CONTEXT_MGR, NULL); > } > > @@ -2047,8 +2080,7 @@ static int selinux_binder_transaction(struct task_struct *from, > struct task_struct *to) > { > u32 mysid = current_sid(); > - u32 fromsid = task_sid(from); > - u32 tosid = task_sid(to); > + u32 fromsid = task_sid_binder(from); > int rc; > > if (mysid != fromsid) { > @@ -2059,19 +2091,16 @@ static int selinux_binder_transaction(struct task_struct *from, > return rc; > } > > - return avc_has_perm(&selinux_state, > - fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, > - NULL); > + return avc_has_perm(&selinux_state, fromsid, task_sid_binder(to), > + SECCLASS_BINDER, BINDER__CALL, NULL); > } > > static int selinux_binder_transfer_binder(struct task_struct *from, > struct task_struct *to) > { > - u32 fromsid = task_sid(from); > - u32 tosid = task_sid(to); > - > return avc_has_perm(&selinux_state, > - fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, > + task_sid_binder(from), task_sid_binder(to), > + SECCLASS_BINDER, BINDER__TRANSFER, > NULL); > } > > @@ -2079,7 +2108,7 @@ static int selinux_binder_transfer_file(struct task_struct *from, > struct task_struct *to, > struct file *file) > { > - u32 sid = task_sid(to); > + u32 sid = task_sid_binder(to); > struct file_security_struct *fsec = selinux_file(file); > struct dentry *dentry = file->f_path.dentry; > struct inode_security_struct *isec; > @@ -2115,10 +2144,10 @@ static int selinux_binder_transfer_file(struct task_struct *from, > } > > static int selinux_ptrace_access_check(struct task_struct *child, > - unsigned int mode) > + unsigned int mode) > { > u32 sid = current_sid(); > - u32 csid = task_sid(child); > + u32 csid = task_sid_obj(child); > > if (mode & PTRACE_MODE_READ) > return avc_has_perm(&selinux_state, > @@ -2131,15 +2160,15 @@ static int selinux_ptrace_access_check(struct task_struct *child, > static int selinux_ptrace_traceme(struct task_struct *parent) > { > return avc_has_perm(&selinux_state, > - task_sid(parent), current_sid(), SECCLASS_PROCESS, > - PROCESS__PTRACE, NULL); > + task_sid_subj(parent), task_sid_obj(current), > + SECCLASS_PROCESS, PROCESS__PTRACE, NULL); > } > > static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, > kernel_cap_t *inheritable, kernel_cap_t *permitted) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(target), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(target), SECCLASS_PROCESS, > PROCESS__GETCAP, NULL); > } > > @@ -2264,7 +2293,7 @@ static u32 ptrace_parent_sid(void) > rcu_read_lock(); > tracer = ptrace_parent(current); > if (tracer) > - sid = task_sid(tracer); > + sid = task_sid_obj(tracer); > rcu_read_unlock(); > > return sid; > @@ -3921,7 +3950,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, > struct fown_struct *fown, int signum) > { > struct file *file; > - u32 sid = task_sid(tsk); > + u32 sid = task_sid_obj(tsk); > u32 perm; > struct file_security_struct *fsec; > > @@ -4140,47 +4169,52 @@ static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) > static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__SETPGID, NULL); > } > > static int selinux_task_getpgid(struct task_struct *p) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__GETPGID, NULL); > } > > static int selinux_task_getsid(struct task_struct *p) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__GETSESSION, NULL); > } > > -static void selinux_task_getsecid(struct task_struct *p, u32 *secid) > +static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid) > +{ > + *secid = task_sid_subj(p); > +} > + > +static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) > { > - *secid = task_sid(p); > + *secid = task_sid_obj(p); > } > > static int selinux_task_setnice(struct task_struct *p, int nice) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__SETSCHED, NULL); > } > > static int selinux_task_setioprio(struct task_struct *p, int ioprio) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__SETSCHED, NULL); > } > > static int selinux_task_getioprio(struct task_struct *p) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__GETSCHED, NULL); > } > > @@ -4211,7 +4245,7 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, > upon context transitions. See selinux_bprm_committing_creds. */ > if (old_rlim->rlim_max != new_rlim->rlim_max) > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), > + current_sid(), task_sid_obj(p), > SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); > > return 0; > @@ -4220,21 +4254,21 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, > static int selinux_task_setscheduler(struct task_struct *p) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__SETSCHED, NULL); > } > > static int selinux_task_getscheduler(struct task_struct *p) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__GETSCHED, NULL); > } > > static int selinux_task_movememory(struct task_struct *p) > { > return avc_has_perm(&selinux_state, > - current_sid(), task_sid(p), SECCLASS_PROCESS, > + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, > PROCESS__SETSCHED, NULL); > } > > @@ -4253,14 +4287,14 @@ static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, > else > secid = cred_sid(cred); > return avc_has_perm(&selinux_state, > - secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); > + secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); > } > > static void selinux_task_to_inode(struct task_struct *p, > struct inode *inode) > { > struct inode_security_struct *isec = selinux_inode(inode); > - u32 sid = task_sid(p); > + u32 sid = task_sid_obj(p); > > spin_lock(&isec->lock); > isec->sclass = inode_mode_to_security_class(inode->i_mode); > @@ -6153,7 +6187,7 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m > struct ipc_security_struct *isec; > struct msg_security_struct *msec; > struct common_audit_data ad; > - u32 sid = task_sid(target); > + u32 sid = task_sid_subj(target); > int rc; > > isec = selinux_ipc(msq); > @@ -7149,8 +7183,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), > LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), > LSM_HOOK_INIT(task_getsid, selinux_task_getsid), > - LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid), > - LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid), > + LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid_subj), > + LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), > LSM_HOOK_INIT(task_setnice, selinux_task_setnice), > LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), > LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://listman.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit