From patchwork Fri Aug 3 09:36:04 2018
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 10554891
Date: Fri, 3 Aug 2018 11:36:04 +0200
Message-Id: <20180803093604.38254-1-jannh@google.com>
Subject: [PATCH] selinux: stricter parsing in mls_context_to_sid()
From: Jann Horn To: Paul Moore , Stephen Smalley , Eric Paris , selinux@tycho.nsa.gov, jannh@google.com Cc: James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP mls_context_to_sid incorrectly accepted MLS context strings that are followed by a dash and trailing garbage. Before this change, the following command works: # mount -t tmpfs -o 'context=system_u:object_r:tmp_t:s0-s0:c0-BLAH' \ none mount After this change, it fails with the following error message in dmesg: SELinux: security_context_str_to_sid(system_u:object_r:tmp_t:s0-s0:c0-BLAH) failed for (dev tmpfs, type tmpfs) errno=-22 This is not an important bug; but it is a small quirk that was useful for exploiting a vulnerability in fusermount. This patch does not change the behavior when the policy does not have MLS enabled. Signed-off-by: Jann Horn Acked-by: Stephen Smalley --- security/selinux/ss/mls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 39475fb455bc..2c73d612d2ee 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -344,7 +344,7 @@ int mls_context_to_sid(struct policydb *pol, break; } } - if (delim == '-') { + if (delim == '-' && l == 0) { /* Extract high sensitivity. */ scontextp = p; while (*p && *p != ':')
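Review bot: in the changed condition `if (delim == '-' && l == 0) {`, the bare `l == 0` test carries the whole fix, but nothing at the site says why it is there. A short comment next to the existing "Extract high sensitivity" one, stating that a '-' is only accepted as the range separator after the first level and that a dash following the high level is now an error, would keep a later cleanup from dropping the check. The hunk does not show what happens when `delim == '-'` and `l != 0`, so it is worth confirming in the surrounding loop that this case reaches the -EINVAL return the commit message reports (errno=-22) rather than ending the parse quietly. Since the message says the quirk was useful for exploiting a fusermount vulnerability, also consider whether a stable tag is wanted; the trailer block has only Signed-off-by and Acked-by.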