lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6134.1163617750@redhat.com>
Date:	Wed, 15 Nov 2006 19:09:10 +0000
From:	David Howells <dhowells@...hat.com>
To:	David Howells <dhowells@...hat.com>
Cc:	James Morris <jmorris@...ei.org>,
	Linus Torvalds <torvalds@...l.org>,
	Andrew Morton <akpm@...l.org>,
	Stephen Smalley <sds@...ho.nsa.gov>,
	trond.myklebust@....uio.no, selinux@...ho.nsa.gov,
	linux-kernel@...r.kernel.org, aviro@...hat.com, steved@...hat.com
Subject: Re: [PATCH 12/19] CacheFiles: Permit a process's create SID to be overridden 

David Howells <dhowells@...hat.com> wrote:

> > I think we need to add a separate field for this purpose, which can only 
> > be written to via the in-kernel API and overrides fscreate.
> 
> So, like my acts-as security ID patch?

How about this then?

I haven't removed the old fscreate overriding patch yet, not have I put in the
error handling in CacheFiles.

And whilst selinux_fscreate_as_secid() does perform a MAC check, I think that
PROCESS__SETFSCREATE is probably the wroing thing to use.  I think there should
be a PROCESS__SETFSCREATEAS or similar.  I assume that doing that would require
the userspace policy compiler to be modified.

David
---

 include/linux/security.h          |   35 ++++++++++++++++++++++++++++++++
 security/dummy.c                  |   14 +++++++++++++
 security/selinux/hooks.c          |   40 +++++++++++++++++++++++++++++++------
 security/selinux/include/objsec.h |    1 +
 fs/cachefiles/internal.h          |    7 +++---
 5 files changed, 87 insertions(+), 10 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index 8cfeefc..33a20f9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1171,6 +1171,17 @@ #ifdef CONFIG_SECURITY
  *      owning security ID, and return the security ID as which the process was
  *      previously acting.
  *
+ * @fscreate_as_secid:
+ *	Set the security ID as which to create files, returning the security ID
+ *	as which the process was previously creating files.
+ *	@secid contains the security ID to act as.
+ *	@oldsecid points to where the old security ID will be placed (or NULL).
+ *
+ * @fscreate_as_self:
+ *	Reset the security ID as which to create files to be the same as the
+ *	process's own creation security ID, and return the security ID as which
+ *	the process was previously creating files.
+ *
  * @cachefiles_get_secid:
  *	Determine the security ID for the CacheFiles module to use when
  *	accessing the filesystem containing the cache.
@@ -1366,6 +1377,8 @@ struct security_operations {
 	u32 (*set_fscreate_secid)(u32 secid);
 	u32 (*act_as_secid)(u32 secid);
 	u32 (*act_as_self)(void);
+	int (*fscreate_as_secid)(u32 secid, u32 *oldsecid);
+	u32 (*fscreate_as_self)(void);
 	int (*cachefiles_get_secid)(u32 secid, u32 *modsecid);
 
 #ifdef CONFIG_SECURITY_NETWORK
@@ -2189,6 +2202,16 @@ static inline u32 security_act_as_self(v
 	return security_ops->act_as_self();
 }
 
+static inline int security_fscreate_as_secid(u32 secid, u32 *oldsecid)
+{
+	return security_ops->fscreate_as_secid(secid, oldsecid);
+}
+
+static inline u32 security_fscreate_as_self(void)
+{
+	return security_ops->fscreate_as_self();
+}
+
 static inline int security_cachefiles_get_secid(u32 secid, u32 *modsecid)
 {
 	return security_ops->cachefiles_get_secid(secid, modsecid);
@@ -2899,6 +2922,18 @@ static inline u32 security_act_as_self(v
 	return 0;
 }
 
+static inline int security_fscreate_as_secid(u32 secid, u32 *oldsecid)
+{
+	if (oldsecid)
+		*oldsecid = 0;
+	return 0;
+}
+
+static inline u32 security_fscreate_as_self(void)
+{
+	return 0;
+}
+
 static inline int security_cachefiles_get_secid(u32 secid, u32 *modsecid)
 {
 	*modsecid = 0;
diff --git a/security/dummy.c b/security/dummy.c
index 30096ec..b31bd4c 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -952,6 +952,18 @@ static u32 dummy_act_as_self(void)
 	return 0;
 }
 
+static int dummy_fscreate_as_secid(u32 secid, u32 *oldsecid)
+{
+	if (oldsecid)
+		*oldsecid = 0;
+	return 0;
+}
+
+static u32 dummy_fscreate_as_self(void)
+{
+	return 0;
+}
+
 static int dummy_cachefiles_get_secid(u32 secid, u32 *modsecid)
 {
 	*modsecid = 0;
@@ -1117,6 +1129,8 @@ void security_fixup_ops (struct security
  	set_to_dummy_if_null(ops, set_fscreate_secid);
  	set_to_dummy_if_null(ops, act_as_secid);
  	set_to_dummy_if_null(ops, act_as_self);
+ 	set_to_dummy_if_null(ops, fscreate_as_secid);
+ 	set_to_dummy_if_null(ops, fscreate_as_self);
  	set_to_dummy_if_null(ops, cachefiles_get_secid);
 #ifdef CONFIG_SECURITY_NETWORK
 	set_to_dummy_if_null(ops, unix_stream_connect);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3a52698..c9388e3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1170,8 +1170,9 @@ static int may_create(struct inode *dir,
 	if (rc)
 		return rc;
 
-	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
-		newsid = tsec->create_sid;
+	if (tsec->create_as_sid &&
+	    sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
+		newsid = tsec->create_as_sid;
 	} else {
 		rc = security_transition_sid(tsec->actor_sid, dsec->sid,
 					     tclass, &newsid);
@@ -1606,7 +1607,7 @@ static int selinux_bprm_set_security(str
 	bsec->sid = tsec->actor_sid;
 
 	/* Reset fs, key, and sock SIDs on execve. */
-	tsec->create_sid = 0;
+	tsec->create_as_sid = tsec->create_sid = 0;
 	tsec->keycreate_sid = 0;
 	tsec->sockcreate_sid = 0;
 
@@ -2088,8 +2089,9 @@ static int selinux_inode_init_security(s
 	dsec = dir->i_security;
 	sbsec = dir->i_sb->s_security;
 
-	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
-		newsid = tsec->create_sid;
+	if (tsec->create_as_sid &&
+	    sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
+		newsid = tsec->create_as_sid;
 	} else {
 		rc = security_transition_sid(tsec->actor_sid, dsec->sid,
 					     inode_mode_to_security_class(inode->i_mode),
@@ -2711,7 +2713,7 @@ static int selinux_task_alloc_security(s
 
 	/* Retain the exec, fs, key, and sock SIDs across fork */
 	tsec2->exec_sid = tsec1->exec_sid;
-	tsec2->create_sid = tsec1->create_sid;
+	tsec2->create_as_sid = tsec2->create_sid = tsec1->create_sid;
 	tsec2->keycreate_sid = tsec1->keycreate_sid;
 	tsec2->sockcreate_sid = tsec1->sockcreate_sid;
 
@@ -4586,6 +4588,30 @@ static u32 selinux_act_as_self(void)
 	return oldactor_sid;
 }
 
+static int selinux_fscreate_as_secid(u32 secid, u32 *oldsecid)
+{
+	struct task_security_struct *tsec = current->security;
+	int error;
+
+	error = task_has_perm(current, current, PROCESS__SETFSCREATE);
+	if (error < 0)
+		return error;
+
+	if (oldsecid)
+		*oldsecid = tsec->create_as_sid;
+	tsec->create_as_sid = secid;
+	return 0;
+}
+
+static u32 selinux_fscreate_as_self(void)
+{
+	struct task_security_struct *tsec = current->security;
+	u32 oldcreate_sid = tsec->create_as_sid;
+
+	tsec->create_as_sid = tsec->create_sid;
+	return oldcreate_sid;
+}
+
 static int selinux_cachefiles_get_secid(u32 secid, u32 *modsecid)
 {
 	return security_transition_sid(secid, SECINITSID_KERNEL,
@@ -4779,6 +4805,8 @@ static struct security_operations selinu
 	.set_fscreate_secid =		selinux_set_fscreate_secid,
 	.act_as_secid =			selinux_act_as_secid,
 	.act_as_self =			selinux_act_as_self,
+	.fscreate_as_secid =		selinux_fscreate_as_secid,
+	.fscreate_as_self =		selinux_fscreate_as_self,
 	.cachefiles_get_secid =		selinux_cachefiles_get_secid,
 
         .unix_stream_connect =		selinux_socket_unix_stream_connect,
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 4e8da30..70a6f00 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -33,6 +33,7 @@ struct task_security_struct {
 	u32 actor_sid;       /* act-as SID (normally == sid) */
 	u32 exec_sid;        /* exec SID */
 	u32 create_sid;      /* fscreate SID */
+	u32 create_as_sid;   /* fscreate-as SID (normally == create_sid) */
 	u32 keycreate_sid;   /* keycreate SID */
 	u32 sockcreate_sid;  /* fscreate SID */
 	u32 ptrace_sid;      /* SID of ptrace parent */
diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
index 4715de5..bd4529d 100644
--- a/fs/cachefiles/internal.h
+++ b/fs/cachefiles/internal.h
@@ -196,7 +196,7 @@ extern int cachefiles_determine_cache_se
 static inline
 void cachefiles_set_fscreate_secid(struct cachefiles_cache *cache)
 {
-	security_set_fscreate_secid(cache->cache_secid);
+	security_fscreate_as_secid(cache->cache_secid, NULL);
 }
 #else
 #define cachefiles_get_security_ID(cache) (0)
@@ -217,7 +217,6 @@ static inline void cachefiles_begin_secu
 {
 #ifdef CONFIG_SECURITY
 	security_act_as_secid(cache->access_secid);
-	ctx->fscreate_secid = security_get_fscreate_secid();
 #endif
 	ctx->fsuid = current->fsuid;
 	ctx->fsgid = current->fsgid;
@@ -230,7 +229,7 @@ static inline void cachefiles_begin_secu
 {
 #ifdef CONFIG_SECURITY
 	security_act_as_secid(cache->access_secid);
-	ctx->fscreate_secid = security_set_fscreate_secid(cache->cache_secid);
+	security_fscreate_as_secid(cache->cache_secid, NULL);
 #endif
 	ctx->fsuid = current->fsuid;
 	ctx->fsgid = current->fsgid;
@@ -244,7 +243,7 @@ static inline void cachefiles_end_secure
 	current->fsuid = ctx->fsuid;
 	current->fsgid = ctx->fsgid;
 #ifdef CONFIG_SECURITY
-	security_set_fscreate_secid(ctx->fscreate_secid);
+	security_fscreate_as_self();
 	security_act_as_self();
 #endif
 }
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ