lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Jun 2017 17:45:24 -0700 From: John Stultz <john.stultz@...aro.org> To: Stephen Smalley <sds@...ho.nsa.gov>, Paul Moore <paul@...l-moore.com> Cc: Jeffrey Vander Stoep <jeffv@...gle.com>, Android Kernel Team <kernel-team@...roid.com>, Nick Kralevich <nnk@...gle.com>, lkml <linux-kernel@...r.kernel.org>, Satish Patel <satish.patel@...aro.org>, Rob Herring <rob.herring@...aro.org> Subject: "selinux: support distinctions among all network address families" causing existing bluetooth sepolicies to not work properly with Android? Hey folks, Recently I was working to validate/enable a new bluetooth HAL on HiKey with Android, and after getting it working properly with a 4.9 based kernel, I found that I was seeing failures trying to run with an upstream (4.12-rc3 based) kernel. It seemed a call to: socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI); was suddenly failing, and running "setenforce 0" would allow it to continue properly. I chased the issue down to da69a5306ab9 ("selinux: support distinctions among all network address families"). And work around it with the following (whitespace corrupted, sorry) hack: diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e67a526..42dfd0f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1379,8 +1379,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc return SECCLASS_CAN_SOCKET; case PF_TIPC: return SECCLASS_TIPC_SOCKET; - case PF_BLUETOOTH: - return SECCLASS_BLUETOOTH_SOCKET; +// case PF_BLUETOOTH: +// return SECCLASS_BLUETOOTH_SOCKET; case PF_IUCV: return SECCLASS_IUCV_SOCKET; case PF_RXRPC: Obviously this isn't ideal. The commit message claims that " Backward compatibility is provided by only enabling the finer-grained socket classes if a new policy capability is set in the policy; older policies will behave as before." Which makes it seem like the older sepolicy should be fine with newer kernels, but this doesn't seem to be the case here? Am I missing something? Is Android doing something odd with their POLICYDB that is causing the kernel to think the sepolicy is newer? thanks -john
Powered by blists - more mailing lists