lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Tue, 24 Dec 2013 10:55:18 +1100 (EST)
From:	James Morris <jmorris@...ei.org>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
cc:	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [GIT] SELinux fixes

Hi Linus,

Please pull these SELinux fixes to your current tree.

The following changes since commit f5835372ebedf26847c2b9e193284075cc9c1f7f:

  Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux (2013-12-23 11:49:16 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git for-linus

Chad Hanson (1):
      selinux: fix broken peer recv check

Oleg Nesterov (1):
      selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()

 security/selinux/hooks.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

---

commit c0c1439541f5305b57a83d599af32b74182933fe
Author: Oleg Nesterov <oleg@...hat.com>
Date:   Mon Dec 23 17:45:01 2013 -0500

    selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
    
    selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
    but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
    this looks confusing and triggers the "suspicious RCU usage"
    warning because ptrace_parent() does rcu_dereference_check().
    
    And in theory this is wrong, spin_lock()->preempt_disable()
    doesn't necessarily imply rcu_read_lock() we need to access
    the ->parent.
    
    Reported-by: Evan McNabb <emcnabb@...hat.com>
    Signed-off-by: Oleg Nesterov <oleg@...hat.com>
    Cc: stable@...r.kernel.org
    Signed-off-by: Paul Moore <pmoore@...hat.com>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5db2646..6625699 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5588,11 +5588,11 @@ static int selinux_setprocattr(struct task_struct *p,
 		/* Check for ptracing, and update the task SID if ok.
 		   Otherwise, leave SID unchanged and fail. */
 		ptsid = 0;
-		task_lock(p);
+		rcu_read_lock();
 		tracer = ptrace_parent(p);
 		if (tracer)
 			ptsid = task_sid(tracer);
-		task_unlock(p);
+		rcu_read_unlock();
 
 		if (tracer) {
 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,

commit 46d01d63221c3508421dd72ff9c879f61053cffc
Author: Chad Hanson <chanson@...stedcs.com>
Date:   Mon Dec 23 17:45:01 2013 -0500

    selinux: fix broken peer recv check
    
    Fix a broken networking check. Return an error if peer recv fails.  If
    secmark is active and the packet recv succeeds the peer recv error is
    ignored.
    
    Signed-off-by: Chad Hanson <chanson@...stedcs.com>
    Cc: stable@...r.kernel.org
    Signed-off-by: Paul Moore <pmoore@...hat.com>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 419491d..5db2646 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4334,8 +4334,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 		}
 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
 				   PEER__RECV, &ad);
-		if (err)
+		if (err) {
 			selinux_netlbl_err(skb, err, 0);
+			return err;
+		}
 	}
 
 	if (secmark_active) {
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ