lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 9 Jul 2019 09:23:16 -0700
From:   Mark Salyzyn <salyzyn@...roid.com>
To:     linux-kernel@...r.kernel.org, Stephen Smalley <sds@...ho.nsa.gov>,
        Miklos Szeredi <miklos@...redi.hu>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Paul Moore <paul@...l-moore.com>,
        Eric Paris <eparis@...isplace.org>, selinux@...r.kernel.org,
        kernel-team@...roid.com
Subject: RFC: BUG: overlayfs getxattr recursion leaves a poison sid.

For EACCES return for getxattr, sid appears to be expected updated in 
parent node. For some accesses purely cosmetic for correct avc logging, 
and depending on kernel vintage for others (older than 4.4) the lack of 
the corrected sid in the parent overlay inode poisons the security cache 
and results in false denials.

The avc denials would contain an (incorrect) unlabelled target 
references, we could fix this by copying up the sid to the parent inode. 
However the test (below) needs to refactored to the pleasure of the 
security, selinux and overlayfs maintainers. The security_socket_accept 
function is _close_, it will copy sid and class from the old socket to 
the new. Along those lines, we probably need to add a new 
security_copy_to_upper handler that takes the upper and lower dentries 
and ensures that the upper contains all the security information 
associated with the lower.

Prototype adjustment (tested in 3.18 to ToT)

int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char 
*name, { ssize_t res; const struct cred *old_cred; struct dentry 
*realdentry = ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry); 
old_cred = ovl_override_creds(dentry->d_sb); res = 
vfs_getxattr(realdentry, name, value, size); ovl_revert_creds(old_cred); 
+ if (res == -EACCES) { + selinux_copy_sid(dentry, realdentry); return 
res; }

. . .

+ void selinux_copy_sid(struct dentry *parent, struct dentry *child) + { 
+ struct inode *pinode, *cinode; + struct inode_security_struct *pisec, 
*cisec; + + if (!parent || !child) + return; + pinode = parent->d_inode; 
+ cinode = child->d_inode; + if (!pinode || !cinode) + return; + pisec = 
pinode->i_security; + cisec = cinode->i_security; + if (!pisec || 
!cisec) + return; + pisec->sid = cisec->sid; + } + 
EXPORT_SYMBOL_GPL(selinux_copy_sid);

Sincerely -- Mark Salyzyn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ