Message-ID: <20241216164055.96267-23-cgoettsche@seltendoof.de>
Date: Mon, 16 Dec 2024 17:40:21 +0100
From: Christian Göttsche <cgoettsche@...tendoof.de>
To: selinux@...r.kernel.org
Cc: Christian Göttsche <cgzones@...glemail.com>,
Paul Moore <paul@...l-moore.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Ondrej Mosnacek <omosnace@...hat.com>,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Bill Wendling <morbo@...gle.com>,
Justin Stitt <justinstitt@...gle.com>,
Thiébaud Weksteen <tweek@...gle.com>,
Bram Bonné <brambonne@...gle.com>,
Masahiro Yamada <masahiroy@...nel.org>,
linux-kernel@...r.kernel.org,
llvm@...ts.linux.dev
Subject: [RFC PATCH v2 00/22] selinux: harden against malformed policies
From: Christian Göttsche <cgzones@...glemail.com>
With the SELinux namespace feature on the horizon it becomes important
to identify and reject malformed policies at load time. Otherwise
memory corruptions can compromise the kernel or NULL-pointer dereferences
and BUG() encounters can bring systems down. Currently this is not a
security relevant issue since loading a policy requires root privileges
and permission of the current loaded SELinux policy, making it one of the
most privileged operations.

The first 9 patches are cleanup commits with overseeable diffs.
Patch 10 unifies the underlying type used for security class identifiers.
Patches 11 to 21 add various checks at policy load time to reject malformed
policies.

Patch 22 needs some discussion:
It limits the valid set of characters and the length for strings defined
by policies. Currently there are no restrictions, so control characters
are accepted, e.g. Esc as part of a type name, and their length can be
arbitrary. Human formatted security contexts however must not be
arbitrarily long; one example is that they must fit in a page size for
selinuxfs interaction and network associations.
Thus the patch introduces the following restrictions:
* Disallow control characters
* Limit characters of identifiers to alphanumeric, underscore, dash,
  and dot
* Limit identifiers in length to 128, except types to 1024 and
  categories to 32, characters (excluding NUL-terminator)

p.s.:
On a related note to patch 10, the underlying type for types (and type-
attributes) is also not consistent:
In role, range and filename transitions, and in the actual datum, u32 is
used, while avtables use u16, practically limiting the number of
available types to 65534 (= U16_MAX - 2 (0 and U16_MAX are invalid)).
v1: https://lore.kernel.org/selinux/20241115133619.114393-23-cgoettsche@seltendoof.de/

v2:
- also convert ebitmap_cmp() as suggested by Daniel
- accept instead of rejecting unknown xperm specifiers to support
  backwards compatibility for future ones, suggested by Thiébaud
- add wrappers for str_read() to minimize the usage of magic numbers
- limit sensitivities to a length of 32, to match categories,
  suggested by Daniel

Christian Göttsche (22):
selinux: supply missing field initializers
selinux: avoid using types indicating user space interaction
selinux: align and constify functions
selinux: rework match_ipv6_addrmask()
selinux: avoid nontransitive comparison
selinux: rename comparison functions for clarity
selinux: use known type instead of void pointer
selinux: avoid unnecessary indirection in struct level_datum
selinux: make use of str_read()
selinux: use u16 for security classes
selinux: more strict policy parsing
selinux: check length fields in policies
selinux: validate constraints
selinux: pre-validate conditional expressions
selinux: introduce ebitmap_highest_set_bit()
selinux: check type attr map overflows
selinux: reorder policydb_index()
selinux: beef up isvalid checks
selinux: validate symbols
selinux: more strict bounds check
selinux: check for simple types
selinux: restrict policy strings
 security/selinux/hooks.c               |   2 +-
 security/selinux/include/classmap.h    |   2 +-
 security/selinux/include/conditional.h |   2 +-
 security/selinux/include/security.h    |   4 +-
 security/selinux/selinuxfs.c           |   2 +-
 security/selinux/ss/avtab.c            |  58 +-
 security/selinux/ss/avtab.h            |  11 +-
 security/selinux/ss/conditional.c      | 166 +++---
 security/selinux/ss/conditional.h      |   6 +-
 security/selinux/ss/constraint.h       |   2 +-
 security/selinux/ss/context.c          |   2 +-
 security/selinux/ss/context.h          |  14 +-
 security/selinux/ss/ebitmap.c          |  39 +-
 security/selinux/ss/ebitmap.h          |   8 +-
 security/selinux/ss/hashtab.h          |   4 +-
 security/selinux/ss/mls.c              |  70 ++-
 security/selinux/ss/mls.h              |   6 +-
 security/selinux/ss/mls_types.h        |   2 +-
 security/selinux/ss/policydb.c         | 698 +++++++++++++++++++------
 security/selinux/ss/policydb.h         | 116 +++-
 security/selinux/ss/services.c         |  82 +--
 security/selinux/ss/sidtab.c           |   2 +-
 security/selinux/ss/symtab.c           |   2 +-
 security/selinux/ss/symtab.h           |   2 +-
 24 files changed, 940 insertions(+), 362 deletions(-)
--
2.45.2
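The string restrictions described for patch 22 (and the v2 note on sensitivities) can be expressed as a small allow-list validator. The following is an added, self-contained example written for this page; it is not code from the series or from the kernel, and every name in it (the ex_ prefix, the EX_* limits, the ex_ident_kind enum) is this example's own. It assumes the binary policy delivers length-prefixed strings, so the core check takes a buffer and a length rather than trusting a NUL terminator, and it also rejects an embedded NUL, which is a control character.

```c
/* Added example: validator for policy identifier strings mirroring the
 * restrictions listed in the cover letter. All names are this example's
 * own (ex_ / EX_ prefix), not identifiers from the kernel series. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define EX_IDENT_MAX_LEN 128   /* generic identifiers: users, roles, classes, ... */
#define EX_TYPE_MAX_LEN  1024  /* types and type attributes */
#define EX_CAT_MAX_LEN   32    /* categories and, per v2, sensitivities */

enum ex_ident_kind { EX_IDENT_GENERIC, EX_IDENT_TYPE, EX_IDENT_CAT };

static size_t ex_max_len(enum ex_ident_kind kind)
{
	switch (kind) {
	case EX_IDENT_TYPE: return EX_TYPE_MAX_LEN;
	case EX_IDENT_CAT:  return EX_CAT_MAX_LEN;
	default:            return EX_IDENT_MAX_LEN;
	}
}

/* Allow-list: ASCII alphanumerics, '_', '-' and '.'. Everything else,
 * including every control character (ESC, NUL, DEL) and any non-ASCII
 * byte, is rejected. <ctype.h> is deliberately avoided so the result
 * cannot depend on the locale. */
static bool ex_ident_char_ok(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

/* Validate a length-prefixed string as read from a binary policy. The
 * buffer is not NUL-terminated and len comes from the policy file itself,
 * so an oversized len, an empty string and an embedded NUL are all
 * rejected (lengths count characters, excluding any NUL terminator). */
bool ex_policy_str_valid(const unsigned char *buf, size_t len,
			 enum ex_ident_kind kind)
{
	size_t i;

	if (!buf || len == 0 || len > ex_max_len(kind))
		return false;
	for (i = 0; i < len; i++)
		if (!ex_ident_char_ok(buf[i]))
			return false;
	return true;
}

/* Convenience wrapper for NUL-terminated strings. */
bool ex_ident_valid(const char *s, enum ex_ident_kind kind)
{
	return s && ex_policy_str_valid((const unsigned char *)s, strlen(s), kind);
}

/* Helper for exercising the length limits: validates a string of n 'a's. */
bool ex_repeat_valid(size_t n, enum ex_ident_kind kind)
{
	static unsigned char buf[EX_TYPE_MAX_LEN + 1];

	if (n > sizeof(buf))
		return false;
	memset(buf, 'a', n);
	return ex_policy_str_valid(buf, n, kind);
}
```

The allow-list form is chosen over a deny-list of control characters because it makes the accepted alphabet explicit; a type name containing Esc, a space, or a byte above 0x7f fails the same check, and the per-kind limit is applied before the character loop so an absurd length never drives a long scan.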