linux-kernel.vger.kernel.org archive mirror
* [PATCH 1/2] Move XATTR_SECURITY_PREFIX macro to common location
@ 2004-01-16 21:14 Chris Wright
  2004-01-16 21:20 ` [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace Chris Wright
From: Chris Wright @ 2004-01-16 21:14 UTC (permalink / raw)
  To: akpm, torvalds
  Cc: Andreas Gruenbacher, Michael Kerrisk, Stephen Smalley,
	linux-kernel, linux-security-module

Move the XATTR_SECURITY_PREFIX macro to the xattr.h header so that it's
in a common location.

 fs/devpts/xattr_security.c |    2 --
 fs/ext2/xattr_security.c   |    2 --
 fs/ext3/xattr_security.c   |    2 --
 include/linux/xattr.h      |    2 ++
 security/selinux/hooks.c   |    7 +++----
 5 files changed, 5 insertions(+), 10 deletions(-)

===== fs/devpts/xattr_security.c 1.1 vs edited =====
--- 1.1/fs/devpts/xattr_security.c	Sun May 25 14:08:03 2003
+++ edited/fs/devpts/xattr_security.c	Fri Jan 16 12:14:14 2004
@@ -8,8 +8,6 @@
 #include <linux/security.h>
 #include "xattr.h"
 
-#define XATTR_SECURITY_PREFIX "security."
-
 static size_t
 devpts_xattr_security_list(struct dentry *dentry, char *buffer)
 {
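Review bot: with the local define removed, XATTR_SECURITY_PREFIX has to reach this file through a header, and the visible includes (`<linux/security.h>` and the filesystem's own `"xattr.h"`) do not show `<linux/xattr.h>` being pulled in directly. If devpts_xattr_security_list() or anything else in this file still uses the macro, confirm that one of those headers includes `<linux/xattr.h>`, or add an explicit `#include <linux/xattr.h>` here so the build does not depend on a transitive include. The same check applies to the ext2 and ext3 hunks below, which drop the define against the same pattern of visible includes.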
===== fs/ext2/xattr_security.c 1.1 vs edited =====
--- 1.1/fs/ext2/xattr_security.c	Mon May  5 06:19:21 2003
+++ edited/fs/ext2/xattr_security.c	Fri Jan 16 12:14:14 2004
@@ -10,8 +10,6 @@
 #include <linux/ext2_fs.h>
 #include "xattr.h"
 
-#define XATTR_SECURITY_PREFIX "security."
-
 static size_t
 ext2_xattr_security_list(char *list, struct inode *inode,
 			const char *name, int name_len)
===== fs/ext3/xattr_security.c 1.1 vs edited =====
--- 1.1/fs/ext3/xattr_security.c	Mon May  5 06:18:48 2003
+++ edited/fs/ext3/xattr_security.c	Fri Jan 16 12:14:15 2004
@@ -11,8 +11,6 @@
 #include <linux/ext3_fs.h>
 #include "xattr.h"
 
-#define XATTR_SECURITY_PREFIX "security."
-
 static size_t
 ext3_xattr_security_list(char *list, struct inode *inode,
 		    const char *name, int name_len)
===== include/linux/xattr.h 1.4 vs edited =====
--- 1.4/include/linux/xattr.h	Tue Feb 25 08:21:08 2003
+++ edited/include/linux/xattr.h	Fri Jan 16 12:14:15 2004
@@ -12,4 +12,6 @@
 #define XATTR_CREATE	0x1	/* set value, fail if attr already exists */
 #define XATTR_REPLACE	0x2	/* set value, fail if attr does not exist */
 
+#define XATTR_SECURITY_PREFIX	"security."
+
 #endif	/* _LINUX_XATTR_H */
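Review bot: the neighbouring XATTR_CREATE and XATTR_REPLACE macros each carry a trailing comment explaining their meaning, while the new XATTR_SECURITY_PREFIX has none. A short comment stating that this is the attribute-name prefix reserved for security modules, and that the trailing dot is part of the prefix, would keep the header consistent and help callers that derive the prefix length with `sizeof(XATTR_SECURITY_PREFIX) - 1`.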
===== security/selinux/hooks.c 1.11 vs edited =====
--- 1.11/security/selinux/hooks.c	Tue Dec 30 00:40:59 2003
+++ edited/security/selinux/hooks.c	Fri Jan 16 12:14:15 2004
@@ -16,10 +16,6 @@
  *      as published by the Free Software Foundation.
  */
 
-#define XATTR_SECURITY_PREFIX "security."
-#define XATTR_SELINUX_SUFFIX "selinux"
-#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
-
 #include <linux/config.h>
 #include <linux/module.h>
 #include <linux/init.h>
@@ -61,6 +57,9 @@
 
 #include "avc.h"
 #include "objsec.h"
+
+#define XATTR_SELINUX_SUFFIX "selinux"
+#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 int selinux_enforcing = 0;
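Review bot: XATTR_NAME_SELINUX now expands to a prefix that is no longer defined in this file, and nothing in the visible context shows hooks.c including `<linux/xattr.h>`; after the move the macros sit below `#include "objsec.h"`, so the build relies on one of the intervening includes bringing the prefix in transitively. An explicit `#include <linux/xattr.h>` next to the other kernel includes would make the dependency visible and robust against later header reshuffles.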


* [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace
  2004-01-16 21:14 [PATCH 1/2] Move XATTR_SECURITY_PREFIX macro to common location Chris Wright
@ 2004-01-16 21:20 ` Chris Wright
  2004-01-16 23:37   ` Andreas Gruenbacher
  2004-01-17 16:41   ` Theodore Ts'o
From: Chris Wright @ 2004-01-16 21:20 UTC (permalink / raw)
  To: akpm, torvalds
  Cc: Andreas Gruenbacher, Michael Kerrisk, Stephen Smalley,
	linux-kernel, linux-security-module

Add default hooks for both the dummy and capability code to protect the
XATTR_SECURITY_PREFIX namespace.  These EAs were fully accessible to
unauthorized users, so a user that rebooted from an SELinux kernel to a
default kernel would leave those critical EAs unprotected.

 include/linux/security.h |    6 ++++--
 security/capability.c    |    3 +++
 security/commoncap.c     |   22 ++++++++++++++++++++++
 security/dummy.c         |    9 +++++++++
 4 files changed, 38 insertions(+), 2 deletions(-)

===== include/linux/security.h 1.26 vs edited =====
--- 1.26/include/linux/security.h	Thu Oct  2 00:12:10 2003
+++ edited/include/linux/security.h	Fri Jan 16 12:14:15 2004
@@ -46,6 +46,8 @@
 extern int cap_bprm_set_security (struct linux_binprm *bprm);
 extern void cap_bprm_compute_creds (struct linux_binprm *bprm);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
+extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags);
+extern int cap_inode_removexattr(struct dentry *dentry, char *name);
 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
 extern void cap_task_reparent_to_init (struct task_struct *p);
 extern int cap_syslog (int type);
@@ -2136,7 +2138,7 @@
 static inline int security_inode_setxattr (struct dentry *dentry, char *name,
 					   void *value, size_t size, int flags)
 {
-	return 0;
+	return cap_inode_setxattr(dentry, name, value, size, flags);
 }
 
 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name,
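Review bot: the !CONFIG_SECURITY stub no longer returns 0 but calls cap_inode_setxattr(), so security/commoncap.o must be linked even when CONFIG_SECURITY is off. The prototype is added beside the cap_bprm_* declarations in the first hunk, which the existing bprm stubs already rely on, so this is presumably already the case, but it is worth confirming against security/Makefile and worth a sentence in the changelog, since a reader of the stub alone cannot tell. The same applies to the removexattr stub in the next hunk.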
@@ -2155,7 +2157,7 @@
 
 static inline int security_inode_removexattr (struct dentry *dentry, char *name)
 {
-	return 0;
+	return cap_inode_removexattr(dentry, name);
 }
 
 static inline int security_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
===== security/capability.c 1.21 vs edited =====
--- 1.21/security/capability.c	Fri Sep 12 08:47:26 2003
+++ edited/security/capability.c	Fri Jan 16 12:14:15 2004
@@ -39,6 +39,9 @@
 	.bprm_set_security =		cap_bprm_set_security,
 	.bprm_secureexec =		cap_bprm_secureexec,
 
+	.inode_setxattr =		cap_inode_setxattr,
+	.inode_removexattr =		cap_inode_removexattr,
+
 	.task_post_setuid =		cap_task_post_setuid,
 	.task_reparent_to_init =	cap_task_reparent_to_init,
 
===== security/commoncap.c 1.1 vs edited =====
--- 1.1/security/commoncap.c	Fri Sep 12 08:47:26 2003
+++ edited/security/commoncap.c	Fri Jan 16 12:14:15 2004
@@ -21,6 +21,7 @@
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
 #include <linux/ptrace.h>
+#include <linux/xattr.h>
 
 int cap_capable (struct task_struct *tsk, int cap)
 {
@@ -171,6 +172,25 @@
 		current->egid != current->gid);
 }
 
+int cap_inode_setxattr(struct dentry *dentry, char *name, void *value,
+		       size_t size, int flags)
+{
+	if (!strncmp(name, XATTR_SECURITY_PREFIX, 
+		     sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+	return 0;
+}
+
+int cap_inode_removexattr(struct dentry *dentry, char *name)
+{
+	if (!strncmp(name, XATTR_SECURITY_PREFIX, 
+		     sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+	return 0;
+}
+
 /* moved from kernel/sys.c. */
 /* 
  * cap_emulate_setxuid() fixes the effective / permitted capabilities of
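Review bot: the two new functions have identical bodies, and both carry trailing whitespace after `XATTR_SECURITY_PREFIX, ` on the strncmp line and a double space before `&&`; a small static helper such as

	static int cap_xattr_protected(const char *name)

called from both hooks would remove the duplication and the whitespace in one go. Also, only setxattr and removexattr are gated on CAP_SYS_ADMIN here; getxattr and listxattr are left unchanged. If leaving read access open is intentional (the changelog says the EAs were "fully accessible"), the changelog should say so explicitly so nobody later reads the omission as an oversight.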
@@ -344,6 +364,8 @@
 EXPORT_SYMBOL(cap_bprm_set_security);
 EXPORT_SYMBOL(cap_bprm_compute_creds);
 EXPORT_SYMBOL(cap_bprm_secureexec);
+EXPORT_SYMBOL(cap_inode_setxattr);
+EXPORT_SYMBOL(cap_inode_removexattr);
 EXPORT_SYMBOL(cap_task_post_setuid);
 EXPORT_SYMBOL(cap_task_reparent_to_init);
 EXPORT_SYMBOL(cap_syslog);
===== security/dummy.c 1.28 vs edited =====
--- 1.28/security/dummy.c	Thu Oct  2 00:12:10 2003
+++ edited/security/dummy.c	Fri Jan 16 12:29:24 2004
@@ -24,6 +24,7 @@
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
 #include <net/sock.h>
+#include <linux/xattr.h>
 
 static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
 {
@@ -387,6 +388,10 @@
 static int dummy_inode_setxattr (struct dentry *dentry, char *name, void *value,
 				size_t size, int flags)
 {
+	if (!strncmp(name, XATTR_SECURITY_PREFIX,
+		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	return 0;
 }
 
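Review bot: this check is a verbatim copy of cap_inode_setxattr() from commoncap.c, and the `sizeof(XATTR_SECURITY_PREFIX) - 1` arithmetic now appears in four places across the series. Since dummy.c is meant to stand on its own rather than depend on commoncap, the copy is understandable, but a length macro defined next to the prefix in `<linux/xattr.h>` (a name such as XATTR_SECURITY_PREFIX_LEN, not introduced by this patch) would let all four sites share one definition and keep them from drifting apart.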
@@ -407,6 +412,10 @@
 
 static int dummy_inode_removexattr (struct dentry *dentry, char *name)
 {
+	if (!strncmp(name, XATTR_SECURITY_PREFIX,
+		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	return 0;
 }
 


* Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace
  2004-01-16 21:20 ` [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace Chris Wright
@ 2004-01-16 23:37   ` Andreas Gruenbacher
  2004-01-17 16:41   ` Theodore Ts'o
From: Andreas Gruenbacher @ 2004-01-16 23:37 UTC (permalink / raw)
  To: Chris Wright
  Cc: Andrew Morton, torvalds, lkml, linux-security-module,
	Stephen Smalley, Michael Kerrisk

Hello Chris,

the patch looks fine to me. Thank you all for reacting so quickly.

On Fri, 2004-01-16 at 22:20, Chris Wright wrote:
> Add default hooks for both the dummy and capability code to protect the
> XATTR_SECURITY_PREFIX namespace.  These EAs were fully accessible to
> unauthorized users, so a user that rebooted from an SELinux kernel to a
> default kernel would leave those critical EAs unprotected.

Regards,
-- 
Andreas Gruenbacher <agruen@suse.de>
SUSE Labs, SUSE LINUX AG



* Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace
  2004-01-16 21:20 ` [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace Chris Wright
  2004-01-16 23:37   ` Andreas Gruenbacher
@ 2004-01-17 16:41   ` Theodore Ts'o
  2004-01-19 18:25     ` Chris Wright
From: Theodore Ts'o @ 2004-01-17 16:41 UTC (permalink / raw)
  To: Chris Wright
  Cc: akpm, torvalds, Andreas Gruenbacher, Michael Kerrisk,
	Stephen Smalley, linux-kernel, linux-security-module

On Fri, Jan 16, 2004 at 01:20:04PM -0800, Chris Wright wrote:
> Add default hooks for both the dummy and capability code to protect the
> XATTR_SECURITY_PREFIX namespace.  These EAs were fully accessible to
> unauthorized users, so a user that rebooted from an SELinux kernel to a
> default kernel would leave those critical EAs unprotected.
> 
>  include/linux/security.h |    6 ++++--
>  security/capability.c    |    3 +++
>  security/commoncap.c     |   22 ++++++++++++++++++++++
>  security/dummy.c         |    9 +++++++++
>  4 files changed, 38 insertions(+), 2 deletions(-)

Everyone realizes the protection is minimal, right?  If you boot into
a default kernel, and an administrator is careless with the system
configs because SELinux means that "it doesn't matter" if the intruder
cracks root, then all someone has to do is crack root when the system
is mistakenly booted using a default kernel.  At that point, running
debugfs or some other tool with direct access to the hard drive is the
least of your problems; the intruder can just simply trojan some
executable (or the kernel for that matter) that will be trusted once
SELinux is booted again, and it's all over....

						- Ted


* Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace
  2004-01-17 16:41   ` Theodore Ts'o
@ 2004-01-19 18:25     ` Chris Wright
From: Chris Wright @ 2004-01-19 18:25 UTC (permalink / raw)
  To: Theodore Ts'o, Chris Wright, akpm, torvalds,
	Andreas Gruenbacher, Michael Kerrisk, Stephen Smalley,
	linux-kernel, linux-security-module

* Theodore Ts'o (tytso@mit.edu) wrote:
> Everyone realizes the protection is minimal, right?  If you boot into

Yes.  This is mostly about default protection where there was none.  Trusting
a default kernel to do all the right things before booting back to a
more secure kernel is indeed risky.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

