From: Ondrej Mosnacek <omosnace@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Subject: Re: [RFC PATCH v2 2/4] [squash] do not store entry for SECSID_NULL
Date: Wed, 28 Nov 2018 13:07:40 +0100 [thread overview]
Message-ID: <CAFqZXNtXRr01=OLsdjG6iWY1ZPpLTLAWpv9A1gcGaKcT1GB0Dg@mail.gmail.com> (raw)
In-Reply-To: <CAFqZXNt-9OOM1D+RdGL-cfchuZe8z7ixY1f6XSbYhUXvbGM8HQ@mail.gmail.com>
On Tue, Nov 27, 2018 at 8:45 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Tue, Nov 27, 2018 at 5:58 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On 11/27/18 5:36 AM, Ondrej Mosnacek wrote:
> > > This patch is kept separate only for review. Eventually it will be
> > > folded into the previous patch.
> >
> > This one triggers a lot of warnings (security_compute_av: unrecognized
> > SID 0, security_sid_to_context_core: unrecognized SID 0) and some
> > failures during selinux-testsuite inet_socket tests. While the policy
> > doesn't provide an entry for SECSID_NULL, the sidtab search logic was
> > remapping it to the unlabeled context and that was apparently being
> > relied upon by the labeled networking code IIUC.
>
> You're right, I made a mistake in the sidtab_search_core() function -
> it shouldn't just return NULL when sid == 0, but instead skip to the
> default-to-unlabeled fallback. This will be easy to fix.
>
> Thanks for testing!
>
> I wonder why I didn't get any inet_socket failures when running the
> testsuite myself... I will have to look at it closer tomorrow.
Hmm... I must have been accidentally testing a wrong kernel build. I
am now able to reproduce both the failures and the hang.
I am now building a new kernel with this and the convert_context issues fixed.
>
> >
> >
> > >
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > > security/selinux/ss/policydb.c | 2 +-
> > > security/selinux/ss/sidtab.c | 25 ++++++++++++++++---------
> > > security/selinux/ss/sidtab.h | 3 ++-
> > > 3 files changed, 19 insertions(+), 11 deletions(-)
> > >
> > > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > > index 59359fa0bd74..a50d625e7946 100644
> > > --- a/security/selinux/ss/policydb.c
> > > +++ b/security/selinux/ss/policydb.c
> > > @@ -912,7 +912,7 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
> > > sidtab_destroy(s);
> > > goto out;
> > > }
> > > - if (c->sid[0] > SECINITSID_NUM) {
> > > + if (c->sid[0] == SECSID_NULL || c->sid[0] > SECINITSID_NUM) {
> > > pr_err("SELinux: Initial SID %s out of range.\n",
> > > c->u.name);
> > > sidtab_destroy(s);
> > > diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
> > > index fd8115b211a6..e157d8240cf1 100644
> > > --- a/security/selinux/ss/sidtab.c
> > > +++ b/security/selinux/ss/sidtab.c
> > > @@ -23,7 +23,7 @@ int sidtab_init(struct sidtab *s)
> > > if (!s->htable)
> > > return -ENOMEM;
> > >
> > > - for (i = 0; i <= SECINITSID_NUM; i++)
> > > + for (i = 0; i < SECINITSID_NUM; i++)
> > > s->isids[i].set = 0;
> > >
> > > for (i = 0; i < SIDTAB_SIZE; i++)
> > > @@ -86,8 +86,15 @@ static int sidtab_insert(struct sidtab *s, u32 sid, struct context *context)
> > >
> > > int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context)
> > > {
> > > - struct sidtab_isid_entry *entry = &s->isids[sid];
> > > - int rc = context_cpy(&entry->context, context);
> > > + struct sidtab_isid_entry *entry;
> > > + int rc;
> > > +
> > > + if (sid == 0 || sid > SECINITSID_NUM)
> > > + return -EINVAL;
> > > +
> > > + entry = &s->isids[sid - 1];
> > > +
> > > + rc = context_cpy(&entry->context, context);
> > > if (rc)
> > > return rc;
> > >
> > > @@ -116,19 +123,19 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
> > > struct context *context;
> > > struct sidtab_isid_entry *entry;
> > >
> > > - if (!s)
> > > + if (!s || sid == 0)
> > > return NULL;
> > >
> > > if (sid > SECINITSID_NUM) {
> > > context = sidtab_lookup(s, sid - (SECINITSID_NUM + 1));
> > > } else {
> > > - entry = &s->isids[sid];
> > > + entry = &s->isids[sid - 1];
> > > context = entry->set ? &entry->context : NULL;
> > > }
> > > if (context && (!context->len || force))
> > > return context;
> > >
> > > - entry = &s->isids[SECINITSID_UNLABELED];
> > > + entry = &s->isids[SECINITSID_UNLABELED - 1];
> > > return entry->set ? &entry->context : NULL;
> > > }
> > >
> > > @@ -283,11 +290,11 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid)
> > > int rc;
> > > u32 i;
> > >
> > > - for (i = 0; i <= SECINITSID_NUM; i++) {
> > > + for (i = 0; i < SECINITSID_NUM; i++) {
> > > struct sidtab_isid_entry *entry = &s->isids[i];
> > >
> > > if (entry->set && context_cmp(context, &entry->context)) {
> > > - *sid = i;
> > > + *sid = i + 1;
> > > return 0;
> > > }
> > > }
> > > @@ -334,7 +341,7 @@ void sidtab_destroy(struct sidtab *s)
> > > if (!s)
> > > return;
> > >
> > > - for (i = 0; i <= SECINITSID_NUM; i++)
> > > + for (i = 0; i < SECINITSID_NUM; i++)
> > > if (s->isids[i].set)
> > > context_destroy(&s->isids[i].context);
> > >
> > > diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h
> > > index dc0a80bc8894..e657ae6bf996 100644
> > > --- a/security/selinux/ss/sidtab.h
> > > +++ b/security/selinux/ss/sidtab.h
> > > @@ -36,7 +36,8 @@ struct sidtab {
> > > struct sidtab_node *cache[SIDTAB_CACHE_LEN];
> > > spinlock_t lock;
> > >
> > > - struct sidtab_isid_entry isids[SECINITSID_NUM + 1];
> > > + /* index == SID - 1 (no entry for SECSID_NULL) */
> > > + struct sidtab_isid_entry isids[SECINITSID_NUM];
> > > };
> > >
> > > int sidtab_init(struct sidtab *s);
> > >
> >
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
next prev parent reply other threads:[~2018-11-28 12:07 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-27 10:36 [RFC PATCH v2 0/4] Fix ENOMEM errors during policy reload Ondrej Mosnacek
2018-11-27 10:36 ` [RFC PATCH v2 1/4] selinux: use separate table for initial SID lookup Ondrej Mosnacek
2018-11-27 10:36 ` [RFC PATCH v2 2/4] [squash] do not store entry for SECSID_NULL Ondrej Mosnacek
2018-11-27 17:00 ` Stephen Smalley
2018-11-27 17:14 ` Stephen Smalley
2018-11-27 19:45 ` Ondrej Mosnacek
2018-11-28 12:07 ` Ondrej Mosnacek [this message]
2018-11-27 10:36 ` [RFC PATCH v2 3/4] selinux: overhaul sidtab to fix bug and improve performance Ondrej Mosnacek
2018-11-27 19:41 ` Stephen Smalley
2018-11-27 20:03 ` Ondrej Mosnacek
2018-11-27 10:36 ` [RFC PATCH v2 4/4] [squash] add back reverse lookup cache to sidtab Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFqZXNtXRr01=OLsdjG6iWY1ZPpLTLAWpv9A1gcGaKcT1GB0Dg@mail.gmail.com' \
--to=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).