From: Paul Moore <paul@paul-moore.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH] selinux: use SECINITSID_KERNEL as the subj/obj in the lockdown hook
Date: Thu, 23 Sep 2021 17:18:30 -0400
Message-ID: <163243191040.178880.4295195865966623164.stgit@olly>

The original SELinux lockdown implementation in 59438b46471a
("security,lockdown,selinux: implement SELinux lockdown") used the
current task's credentials as both the subject and object in the
SELinux lockdown hook, selinux_lockdown().  Unfortunately that
proved to be incorrect in a number of cases as the core kernel was
calling the LSM lockdown hook in places where the credentials from
the "current" task_struct were not the correct credentials to use
in the SELinux access check.

Attempts were made to resolve this by adding a credential pointer
to the LSM lockdown hook as well as suggesting that the single hook
be split into two: one for user tasks, one for kernel tasks; however
neither approach was deemed acceptable by Linus.

In order to resolve the problem of an incorrect SELinux domain being
used in the lockdown check, this patch makes the decision to perform
all of the lockdown access control checks against the
SECINITSID_KERNEL domain.  This is far from ideal, but it is what
we have available to us at this point in time.

Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown")
Signed-off-by: Paul Moore <paul@paul-moore.com>

--

NOTES: While trivial, this patch is completely untested; I'm posting
this simply to see what comments there may be within the SELinux
community to such an approach as the current code is flawed and needs
to be corrected.
---
 security/selinux/hooks.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6517f221d52c..4f016a49e3a6 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7016,7 +7016,7 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
 static int selinux_lockdown(enum lockdown_reason what)
 {
 	struct common_audit_data ad;
-	u32 sid = current_sid();
+	u32 sid = SECINITSID_KERNEL;
 	int invalid_reason = (what <= LOCKDOWN_NONE) ||
 			     (what == LOCKDOWN_INTEGRITY_MAX) ||
 			     (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
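Review bot: Replacing `current_sid()` with the constant `SECINITSID_KERNEL` on the `u32 sid` line makes every lockdown check a kernel_t-vs-kernel_t query, so the hook no longer distinguishes which task triggered it and any policy that granted the lockdown class per caller domain effectively becomes a single global allow/deny; the commit message should say this explicitly so policy authors know the permission now has to be granted to kernel_t. Since `struct common_audit_data ad` is still declared in the hunk, consider keeping the calling task's SID in the audit record (for example by storing `current_sid()` in `ad` rather than dropping it entirely), otherwise lockdown denials lose the information needed to attribute them to a process. Please also note the "completely untested" caveat in the patch description itself, as the `invalid_reason` path is left unchanged and a quick boot with a lockdown-enabled policy would confirm the new SID does not trip it.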


Thread overview: 9+ messages
2021-09-23 21:18 Paul Moore [this message]
2021-09-24 13:08 ` [RFC PATCH] selinux: use SECINITSID_KERNEL as the subj/obj in the lockdown hook Stephen Smalley
2021-09-24 14:22   ` Paul Moore
2021-09-24 15:12     ` Stephen Smalley
2021-09-24 16:38       ` Ondrej Mosnacek
2021-09-24 19:10         ` Paul Moore
2021-09-24 19:03       ` Paul Moore
2021-09-25 21:07       ` Chris PeBenito
2021-09-27 14:07         ` Paul Moore