From patchwork Wed Jan 16 20:57:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 10766909 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3B0F891E for ; Wed, 16 Jan 2019 20:57:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2A66E2E5EB for ; Wed, 16 Jan 2019 20:57:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1DCCE2E148; Wed, 16 Jan 2019 20:57:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B64F12E148 for ; Wed, 16 Jan 2019 20:57:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726783AbfAPU5a (ORCPT ); Wed, 16 Jan 2019 15:57:30 -0500 Received: from mx1.polytechnique.org ([129.104.30.34]:49851 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726743AbfAPU5a (ORCPT ); Wed, 16 Jan 2019 15:57:30 -0500 Received: from localhost.localdomain (89-156-252-9.rev.numericable.fr [89.156.252.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id F1C03561260 for ; Wed, 16 Jan 2019 21:57:27 +0100 (CET) From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 1/1] libselinux: do not dereference symlink with statfs in selinux_restorecon Date: Wed, 16 Jan 2019 21:57:10 +0100 Message-Id: <20190116205710.30659-1-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Wed Jan 16 21:57:28 2019 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When selinux_restorecon() is used to relabel symlinks, it performs the following syscalls (as seen by running strace on restorecond): lstat("/root/symlink", {st_mode=S_IFLNK|0777, st_size=6, ...}) = 0 statfs("/root/symlink", 0x7ffd6bb4d090) = -1 ENOENT (No such file or directory) lstat("/root/symlink", {st_mode=S_IFLNK|0777, st_size=6, ...}) = 0 lgetxattr("/root/symlink", "security.selinux", "sysadm_u:object_r:user_home_t", 255) = 30 The second one triggers a SELinux check for lnk_file:read, as statfs() dereferences symbolic links. This call to statfs() is only used to find out whether "restoreconlast" xattr can be ignored, which is always the case for non-directory files (the first syscall, lstat(), is actually used to perform this check). Skip the call to statfs() when setrestoreconlast is already false. This silences an AVC denial that would otherwise be reported to audit.log (cf. https://github.com/SELinuxProject/refpolicy/pull/22). Signed-off-by: Nicolas Iooss Acked-by: Stephen Smalley --- libselinux/src/selinux_restorecon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c index 3df2d382d50b..42a48f5a1b0b 100644 --- a/libselinux/src/selinux_restorecon.c +++ b/libselinux/src/selinux_restorecon.c @@ -881,7 +881,7 @@ int selinux_restorecon(const char *pathname_orig, setrestoreconlast = false; /* Ignore restoreconlast on in-memory filesystems */ - if (statfs(pathname, &sfsb) == 0) { + if (setrestoreconlast && statfs(pathname, &sfsb) == 0) { if (sfsb.f_type == RAMFS_MAGIC || sfsb.f_type == TMPFS_MAGIC) setrestoreconlast = false; }