| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LRH.2.02.1312241054230.22564@tundra.namei.org>
Date: Tue, 24 Dec 2013 10:55:18 +1100 (EST)
From: James Morris <jmorris@...ei.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [GIT] SELinux fixes
Hi Linus,
Please pull these SELinux fixes to your current tree.
The following changes since commit f5835372ebedf26847c2b9e193284075cc9c1f7f:
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux (2013-12-23 11:49:16 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git for-linus
Chad Hanson (1):
selinux: fix broken peer recv check
Oleg Nesterov (1):
selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
security/selinux/hooks.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
---
commit c0c1439541f5305b57a83d599af32b74182933fe
Author: Oleg Nesterov <oleg@...hat.com>
Date: Mon Dec 23 17:45:01 2013 -0500
selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
this looks confusing and triggers the "suspicious RCU usage"
warning because ptrace_parent() does rcu_dereference_check().
And in theory this is wrong, spin_lock()->preempt_disable()
doesn't necessarily imply rcu_read_lock() we need to access
the ->parent.
Reported-by: Evan McNabb <emcnabb@...hat.com>
Signed-off-by: Oleg Nesterov <oleg@...hat.com>
Cc: stable@...r.kernel.org
Signed-off-by: Paul Moore <pmoore@...hat.com>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5db2646..6625699 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5588,11 +5588,11 @@ static int selinux_setprocattr(struct task_struct *p,
/* Check for ptracing, and update the task SID if ok.
Otherwise, leave SID unchanged and fail. */
ptsid = 0;
- task_lock(p);
+ rcu_read_lock();
tracer = ptrace_parent(p);
if (tracer)
ptsid = task_sid(tracer);
- task_unlock(p);
+ rcu_read_unlock();
if (tracer) {
error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
commit 46d01d63221c3508421dd72ff9c879f61053cffc
Author: Chad Hanson <chanson@...stedcs.com>
Date: Mon Dec 23 17:45:01 2013 -0500
selinux: fix broken peer recv check
Fix a broken networking check. Return an error if peer recv fails. If
secmark is active and the packet recv succeeds the peer recv error is
ignored.
Signed-off-by: Chad Hanson <chanson@...stedcs.com>
Cc: stable@...r.kernel.org
Signed-off-by: Paul Moore <pmoore@...hat.com>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 419491d..5db2646 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4334,8 +4334,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
}
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
PEER__RECV, &ad);
- if (err)
+ if (err) {
selinux_netlbl_err(skb, err, 0);
+ return err;
+ }
}
if (secmark_active) {
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists