lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <EF4B3759-2C4C-4A15-A721-6B2D0FAFD84F@gmail.com>
Date: Sun, 5 Jan 2025 17:26:02 -0600
From: Joe Nall <joenall@...il.com>
To: Stephen Smalley <stephen.smalley.work@...il.com>
Cc: cgzones@...glemail.com,
 selinux@...r.kernel.org,
 Paul Moore <paul@...l-moore.com>,
 Ondrej Mosnacek <omosnace@...hat.com>,
 Nathan Chancellor <nathan@...nel.org>,
 Nick Desaulniers <ndesaulniers@...gle.com>,
 Bill Wendling <morbo@...gle.com>,
 Justin Stitt <justinstitt@...gle.com>,
 Thiébaud Weksteen <tweek@...gle.com>,
 Bram Bonné <brambonne@...gle.com>,
 Masahiro Yamada <masahiroy@...nel.org>,
 linux-kernel@...r.kernel.org,
 llvm@...ts.linux.dev
Subject: Re: [RFC PATCH v2 22/22] selinux: restrict policy strings



> On Jan 3, 2025, at 2:12 PM, Stephen Smalley <stephen.smalley.work@...il.com> wrote:
> 
> On Mon, Dec 16, 2024 at 11:42 AM Christian Göttsche
> <cgoettsche@...tendoof.de> wrote:
>> 
>> From: Christian Göttsche <cgzones@...glemail.com>
>> 
>> Validate the characters and the lengths of strings parsed from binary
>> policies.
Excellent idea.

>>  * Disallow control characters
Fine here.

>>  * Limit characters of identifiers to alphanumeric, underscore, dash,
>>    and dot
Fine again.

>>  * Limit identifiers in length to 128,
Fine again, our longest
 - type is 51 characters
 - attribute is 31
 - boolean is 46
 - role is 12

>> expect types to 1024 and
I don’t understand what this means.

>>    categories to 32, characters (excluding NUL-terminator)
One category or the whole category string? A single category longer than 7 characters seems pretty unlikely and 32 is wildly short for the whole string.

Joe

> One option if we are concerned about breaking backward compatibility
> with policies in the wild would be to make these restrictions
> conditional on whether the policy is being loaded into a non-init
> SELinux namespace, similar to:
> https://lore.kernel.org/selinux/20250102164509.25606-38-stephen.smalley.work@gmail.com/T/#u
> 
> That said, it seems hard to imagine real-world policies that would
> exceed these limits, and likely could make them even smaller.
> But as Daniel said, we should make them consistently enforced in both
> userspace and kernel, and potentially these should all be #define'd
> symbols in a uapi header that can be referenced by both.
> Looks like you left the type limit at 1024 despite Daniel's
> observation that CIL uses 2048 as the limit, but as you noted, given
> the page size limit on the entire context by various kernel
> interfaces,
> this is likely fine.
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ