From patchwork Thu Apr 28 20:43:34 2016
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 8974451
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Cc: jwcart2@tycho.ns.gov, Stephen Smalley
Subject: [PATCH] selinux: Only apply bounds checking to source types
Date: Thu, 28 Apr 2016 16:43:34 -0400
Message-Id: <1461876214-31134-1-git-send-email-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.5.5
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

The current bounds checking of both source and target types requires
allowing any domain that has access to the child domain to also have the
same permissions to the parent, which is undesirable.  Drop the target
bounds checking.

KaiGai Kohei originally removed this checking in commit 7d52a155e38d
("selinux: remove dead code in type_attribute_bounds_av()") but this was
reverted in commit 2ae3ba39389b ("selinux: libsepol: remove dead code in
check_avtab_hierarchy_callback()").  However, it seems to be justified in
order to allow use of typebounds for exec-based domain transitions under
NNP without loosening policy for the parent domain.
Signed-off-by: Stephen Smalley --- security/selinux/ss/services.c | 77 +++++++++++------------------------------- 1 file changed, 19 insertions(+), 58 deletions(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 89df646..4b23a48 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c 
@@ -543,77 +543,38 @@ static void type_attribute_bounds_av(struct context *scontext, struct av_decision *avd) { struct context lo_scontext; - struct context lo_tcontext; struct av_decision lo_avd; struct type_datum *source; - struct type_datum *target; - u32 masked = 0; + u32 masked; source = flex_array_get_ptr(policydb.type_val_to_struct_array, scontext->type - 1); BUG_ON(!source); - target = flex_array_get_ptr(policydb.type_val_to_struct_array, - tcontext->type - 1); - BUG_ON(!target); - - if (source->bounds) { - memset(&lo_avd, 0, sizeof(lo_avd)); + if (!source->bounds) + return; - memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); - lo_scontext.type = source->bounds; + memset(&lo_avd, 0, sizeof(lo_avd)); - context_struct_compute_av(&lo_scontext, - tcontext, - tclass, - &lo_avd, - NULL); - if ((lo_avd.allowed & avd->allowed) == avd->allowed) - return; /* no masked permission */ - masked = ~lo_avd.allowed & avd->allowed; - } + memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); + lo_scontext.type = source->bounds; - if (target->bounds) { - memset(&lo_avd, 0, sizeof(lo_avd)); + context_struct_compute_av(&lo_scontext, + tcontext, + tclass, + &lo_avd, + NULL); + if ((lo_avd.allowed & avd->allowed) == avd->allowed) + return; /* no masked permission */ - memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); - lo_tcontext.type = target->bounds; + masked = ~lo_avd.allowed & avd->allowed; - context_struct_compute_av(scontext, - &lo_tcontext, - tclass, - &lo_avd, - NULL); - if ((lo_avd.allowed & avd->allowed) == avd->allowed) - return; /* no masked permission */ - masked = ~lo_avd.allowed & avd->allowed; - } + /* mask violated permissions */ + avd->allowed &= ~masked; - if (source->bounds && target->bounds) { - memset(&lo_avd, 0, sizeof(lo_avd)); - /* - * lo_scontext and lo_tcontext are already - * set up. 
- */ - - context_struct_compute_av(&lo_scontext, - &lo_tcontext, - tclass, - &lo_avd, - NULL); - if ((lo_avd.allowed & avd->allowed) == avd->allowed) - return; /* no masked permission */ - masked = ~lo_avd.allowed & avd->allowed; - } - - if (masked) { - /* mask violated permissions */ - avd->allowed &= ~masked; - - /* audit masked permissions */ - security_dump_masked_av(scontext, tcontext, - tclass, masked, "bounds"); - } + /* audit masked permissions */ + security_dump_masked_av(scontext, tcontext, + tclass, masked, "bounds"); } /*
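Review bot: this is a policy-semantics change rather than a cleanup, and the commit message should state the new rule explicitly so policy authors know what to expect: with the `if (target->bounds)` and `if (source->bounds && target->bounds)` blocks gone, a bounded target type may now be granted permissions that its bounding type does not receive from the same source, which the message only describes indirectly as "drop the target bounds checking". The message also mentions libsepol's check_avtab_hierarchy_callback() only by way of a quoted commit title; the userspace hierarchy check needs the matching relaxation (or a note that it is deliberately left stricter), otherwise checkpolicy and the kernel will disagree about which policies are valid, so a pointer to the companion userspace patch belongs here. The code itself looks right: the early `return` after `if ((lo_avd.allowed & avd->allowed) == avd->allowed)` guarantees `masked` is non-zero when `avd->allowed &= ~masked;` runs, so dropping the `if (masked)` guard and the `= 0` initializer is safe, and `security_dump_masked_av()` still receives the original `scontext`/`tcontext`, so the audited masked AV is attributed to the real pair rather than to the bounding parent.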
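As an added illustration (not part of the patch or of the kernel source), the following C model replays both decision paths over a constructed flat policy: a bounded domain, a bounded file type, an unbounded domain, and a handful of constructed allow rules. `bounds_av_old` follows the removed source/target/both sequence and `bounds_av_new` the source-only sequence of the patched `type_attribute_bounds_av()`; the type names, permission bits and rules are all invented for the example, and the kernel's recursive re-application of bounds inside `context_struct_compute_av()` is not modelled.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy permission bits (stand-ins for a real class's av bits). */
enum { PERM_READ = 1u << 0, PERM_WRITE = 1u << 1, PERM_EXEC = 1u << 2 };

/* Constructed toy types; the names are illustrative, not from any real policy. */
enum { T_PARENT_DOM, T_CHILD_DOM, T_PARENT_FILE, T_CHILD_FILE, T_UNBOUND_DOM, T_COUNT };

/* bounds[t] is the type that bounds t (like type_datum.bounds), or -1 if none. */
static const int bounds[T_COUNT] = {
	-1,            /* T_PARENT_DOM  */
	T_PARENT_DOM,  /* T_CHILD_DOM   */
	-1,            /* T_PARENT_FILE */
	T_PARENT_FILE, /* T_CHILD_FILE  */
	-1,            /* T_UNBOUND_DOM */
};

struct allow_rule { int src; int tgt; uint32_t perms; };

/* Constructed allow rules for a single object class. */
static const struct allow_rule rules[] = {
	{ T_CHILD_DOM,   T_CHILD_FILE,  PERM_READ | PERM_WRITE | PERM_EXEC },
	{ T_PARENT_DOM,  T_CHILD_FILE,  PERM_READ | PERM_WRITE },
	{ T_CHILD_DOM,   T_PARENT_FILE, PERM_READ | PERM_WRITE },
	{ T_PARENT_DOM,  T_PARENT_FILE, PERM_READ },
	{ T_UNBOUND_DOM, T_CHILD_FILE,  PERM_READ | PERM_WRITE },
	{ T_UNBOUND_DOM, T_PARENT_FILE, PERM_READ },
};

/* Flat allow lookup: the role context_struct_compute_av() plays for the
 * lowered contexts, minus the kernel's recursive re-application of bounds. */
static uint32_t raw_allowed(int src, int tgt)
{
	uint32_t allowed = 0;
	for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
		if (rules[i].src == src && rules[i].tgt == tgt)
			allowed |= rules[i].perms;
	return allowed;
}

/* Bits of 'allowed' that the lowered pair (lo_src, lo_tgt) does not have:
 * the kernel's "masked = ~lo_avd.allowed & avd->allowed". */
static uint32_t masked_by(int lo_src, int lo_tgt, uint32_t allowed)
{
	return ~raw_allowed(lo_src, lo_tgt) & allowed;
}

/* Pre-patch flow: source, then target, then both lowered. Each stage that
 * finds nothing masked returns early, exactly as the removed code did. */
uint32_t bounds_av_old(int src, int tgt)
{
	uint32_t allowed = raw_allowed(src, tgt);
	uint32_t masked = 0;

	if (bounds[src] >= 0) {
		masked = masked_by(bounds[src], tgt, allowed);
		if (!masked)
			return allowed;
	}
	if (bounds[tgt] >= 0) {
		masked = masked_by(src, bounds[tgt], allowed);
		if (!masked)
			return allowed;
	}
	if (bounds[src] >= 0 && bounds[tgt] >= 0) {
		masked = masked_by(bounds[src], bounds[tgt], allowed);
		if (!masked)
			return allowed;
	}
	return allowed & ~masked;
}

/* Post-patch flow: only the source type's bound constrains the decision. */
uint32_t bounds_av_new(int src, int tgt)
{
	uint32_t allowed = raw_allowed(src, tgt);

	if (bounds[src] < 0)
		return allowed;
	return allowed & ~masked_by(bounds[src], tgt, allowed);
}

static void show(const char *label, int src, int tgt)
{
	printf("%-28s old=%#x new=%#x\n", label,
	       bounds_av_old(src, tgt), bounds_av_new(src, tgt));
}

int main(void)
{
	show("child_dom -> child_file", T_CHILD_DOM, T_CHILD_FILE);
	show("unbound_dom -> child_file", T_UNBOUND_DOM, T_CHILD_FILE);
	show("child_dom -> parent_file", T_CHILD_DOM, T_PARENT_FILE);
	return 0;
}
```

On these constructed rules the source-side check behaves identically in both versions (child_dom's write to parent_file is masked because parent_dom only has read), while the two target-side cases show what the patch relaxes: unbound_dom keeps write on child_file even though it lacks write on parent_file, and child_dom keeps read and write on child_file without parent_dom needing the same permissions on parent_file.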