| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 May 2023 13:56:25 -0400
From: Paul Moore <paul@...l-moore.com>
To: Christian Göttsche <cgzones@...glemail.com>,
selinux@...r.kernel.org
Cc: Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Paris <eparis@...isplace.org>,
Xiu Jianfeng <xiujianfeng@...wei.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] selinux: deprecated fs ocon
On May 11, 2023 =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@...glemail.com> wrote:
>
> The object context type `fs`, not to be confused with the well used
> object context type `fscon`, was introduced in the initial git commit
> 1da177e4c3f4 ("Linux-2.6.12-rc2") but never actually used since.
>
> The paper "A Security Policy Configuration for the Security-Enhanced
> Linux" [1] mentions it under `7.2 File System Contexts` but also states:
>
> Currently, this configuration is unused.
>
> The policy statement defining such object contexts is `fscon`, e.g.:
>
> fscon 2 3 gen_context(system_u:object_r:conA_t,s0) gen_context(system_u:object_r:conB_t,s0)
>
> It is not documented at selinuxproject.org or in the SELinux notebook
> and not supported by the Reference Policy buildsystem - the statement is
> not properly sorted - and thus not used in the Reference or Fedora
> Policy.
>
> Print a warning message at policy load for each such object context:
>
> SELinux: void and deprecated fs ocon 02:03
>
> This topic was initially highlighted by Nicolas Iooss [2].
>
> [1]: https://media.defense.gov/2021/Jul/29/2002815735/-1/-1/0/SELINUX-SECURITY-POLICY-CONFIGURATION-REPORT.PDF
> [2]: https://lore.kernel.org/selinux/CAJfZ7=mP2eJaq2BfO3y0VnwUJaY2cS2p=HZMN71z1pKjzaT0Eg@mail.gmail.com/
>
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> security/selinux/ss/policydb.c | 4 ++++
> security/selinux/ss/policydb.h | 2 +-
> 2 files changed, 5 insertions(+), 1 deletion(-)
Thanks, this is a nice catch, although some minor suggestions below ...
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 97c0074f9312..31b08b34c722 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2257,6 +2257,10 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
> if (rc)
> goto out;
>
> + if (i == OCON_FS)
> + pr_warn("SELinux: void and deprecated fs ocon %s\n",
> + c->u.name);
Instead of having to check if 'i == OCON_FS', why not simply put the
pr_warn() call up in the OCON_FS case block on line ~2249 and let it
continue to fallthrough to the OCON_NETIF block?
> rc = context_read_and_validate(&c->context[0], p, fp);
> if (rc)
> goto out;
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index ffc4e7bad205..39cd6222e1a8 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -225,7 +225,7 @@ struct genfs {
>
> /* object context array indices */
> #define OCON_ISID 0 /* initial SIDs */
> -#define OCON_FS 1 /* unlabeled file systems */
> +#define OCON_FS 1 /* unlabeled file systems (deprecated in 6.5) */
Since you are likely re-spinning this (see above), I would just leave
it as "(deprecated)"; those that want to know where it was deprecated
can always check the git log/tags.
> #define OCON_PORT 2 /* TCP and UDP port numbers */
> #define OCON_NETIF 3 /* network interfaces */
> #define OCON_NODE 4 /* nodes */
> --
> 2.40.1
--
paul-moore.com
Powered by blists - more mailing lists