From: Laurent Bigonville <bigon@debian.org>
To: 924716@bugs.debian.org, Russell Coker <russell@coker.com.au>
Cc: selinux@vger.kernel.org
Subject: Re: cron: SE Linux support uses obsolete API and gets wrong results
Date: Tue, 10 Sep 2019 18:21:00 +0200 [thread overview]
Message-ID: <d706a78c-d6d0-13bb-c9af-7ec4365b9b44@debian.org> (raw)
In-Reply-To: <155273036154.15358.7183530710711818912.reportbug@xev>
[-- Attachment #1: Type: text/plain, Size: 2795 bytes --]
On Sat, 16 Mar 2019 20:59:21 +1100 Russell Coker <russell@coker.com.au>
wrote:
Hello,
>
> Mar 16 20:36:39 xev cron[14032]: (rjc) ENTRYPOINT FAILED (crontabs/rjc)
> Mar 16 20:36:39 xev cron[14032]: (torrent) ENTRYPOINT FAILED
(crontabs/torrent)
> Mar 16 20:36:39 xev cron[14032]: (test) ENTRYPOINT FAILED (crontabs/test)
>
> When I restart crond (or run crontab for a user) on a system with the
"strict"
> configuration of SE Linux policy (user roles other than unconfined_r)
I see
> the above in the cron log.
>
> In file included from user.c:34:
> /usr/include/selinux/flask.h:5:2: warning: #warning "Please remove
any #include's of this header in your source code." [-Wcpp]
> #warning "Please remove any #include's of this header in your source
code."
> ^~~~~~~
> /usr/include/selinux/flask.h:6:2: warning: #warning "Instead, use
string_to_security_class() to map the class name to a value." [-Wcpp]
> #warning "Instead, use string_to_security_class() to map the class
name to a value."
> ^~~~~~~
> In file included from user.c:35:
> /usr/include/selinux/av_permissions.h:1:2: warning: #warning "Please
remove any #include of this header in your source code." [-Wcpp]
> #warning "Please remove any #include of this header in your source code."
> ^~~~~~~
> /usr/include/selinux/av_permissions.h:2:2: warning: #warning
"Instead, use string_to_av_perm() to map the permission name to a
value." [-Wcpp]
> #warning "Instead, use string_to_av_perm() to map the permission name
to a value."
> ^~~~~~~
>
> When I compile the cron package I see the above. The above is the
cause of
> the incorrect processing of entry points.
>
> The following patch fixes these problems.
>
> Please note that the bug means that when the cron package that is
currently in
> testing is run with the SE Linux libraries in testing it checks for
> execute_no_trans permission not entrypoint. It is unlikely that a hostile
> party could create a crontab file with a context for which
execute_no_trans is
> allowed without having the ability to get elevated privileges in
other ways,
> but it can't be theoretically impossible.
>
> I can't be certain that there are no security implications of the bug
so I
> think that getting this fix into Buster is important.
Please find here an other patch based on Russell's one.
The changes compared to the original patch are the fact that I'm
cleaning context_list in case of error and I'm also using
security_deny_unknown() to check whether we should allow the access in
case the class or the permission is not defined.
Russel do you think you could check if this is still OK?
Are there any other comment?
Kind regards,
Laurent Bigonville
[-- Attachment #2: 924716.patch --]
[-- Type: text/x-patch, Size: 1475 bytes --]
diff -u cron-3.0pl1/user.c cron-3.0pl1/user.c
--- cron-3.0pl1/user.c
+++ cron-3.0pl1/user.c
@@ -31,8 +31,6 @@
#ifdef WITH_SELINUX
#include <selinux/context.h>
#include <selinux/selinux.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
#include <selinux/get_context_list.h>
static int get_security_context(char *name, int crontab_fd, security_context_t
@@ -108,13 +106,35 @@
* permission check for this purpose.
*/
+ security_class_t tclass = string_to_security_class("file");
+ if (!tclass) {
+ log_it(name, getpid(), "Failed to translate security class file", tabname);
+ freeconary(context_list);
+ if (security_deny_unknown() == 0) {
+ return 0;
+ } else {
+ return -1;
+ }
+ }
+
+ access_vector_t bit = string_to_av_perm(tclass, "entrypoint");
+ if (!bit) {
+ log_it(name, getpid(), "Failed to translate av perm entrypoint", tabname);
+ freeconary(context_list);
+ if (security_deny_unknown() == 0) {
+ return 0;
+ } else {
+ return -1;
+ }
+ }
+
for (i = 0; i < list_count; i++) {
retval = security_compute_av(context_list[i],
file_context,
- SECCLASS_FILE,
- FILE__ENTRYPOINT,
+ tclass,
+ bit,
&avd);
- if (!retval && ((FILE__ENTRYPOINT & avd.allowed) == FILE__ENTRYPOINT)) {
+ if(!retval && ((bit & avd.allowed) == bit)) {
*rcontext = strdup(context_list[i]);
freecon(file_context);
freeconary(context_list);
parent reply other threads:[~2019-09-10 16:21 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <155273036154.15358.7183530710711818912.reportbug@xev>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d706a78c-d6d0-13bb-c9af-7ec4365b9b44@debian.org \
--to=bigon@debian.org \
--cc=924716@bugs.debian.org \
--cc=russell@coker.com.au \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).