Message-ID: <20250511173055.406906-15-cgoettsche@seltendoof.de>
Date: Sun, 11 May 2025 19:30:15 +0200
From: Christian Göttsche <cgoettsche@...tendoof.de>
To: selinux@...r.kernel.org
Cc: Christian Göttsche <cgzones@...glemail.com>,
	Paul Moore <paul@...l-moore.com>,
	Stephen Smalley <stephen.smalley.work@...il.com>,
	Ondrej Mosnacek <omosnace@...hat.com>,
	linux-kernel@...r.kernel.org
Subject: [PATCH v3 00/14] selinux: harden against malformed policies

From: Christian Göttsche <cgzones@...glemail.com>

With the SELinux namespace feature on the horizon it becomes important
to identify and reject malformed policies at load time.  Otherwise
memory corruptions can compromise the kernel or NULL-pointer dereferences
and BUG() encounters can bring systems down.  Currently this is not a
security-relevant issue since loading a policy requires root privileges
and permission of the currently loaded SELinux policy, making it one of
the most privileged operations.

Patch 13 limits the valid set of characters and the length for strings
defined by policies.  Currently there are no restrictions, so control
characters are accepted, e.g. Esc as part of a type name, and their
length can be arbitrary.  Human-formatted security contexts, however, must
not be arbitrarily long; one example is that they must fit in a page size
for selinuxfs interaction and network associations.
Thus the patch introduces the following restrictions:
  * Disallow control characters
  * Limit characters of identifiers to alphanumeric, underscore, dash,
    and dot
  * Limit identifiers in length to 128, except types to 1024 and
    categories to 32, characters (excluding NUL-terminator)
    
v1: https://lore.kernel.org/selinux/20241115133619.114393-23-cgoettsche@seltendoof.de/

v2: https://lore.kernel.org/selinux/20241216164055.96267-23-cgoettsche@seltendoof.de/
  - also convert ebitmap_cmp() as suggested by Daniel
  - accept instead of rejecting unknown xperm specifiers to support
    backwards compatibility for future ones, suggested by Thiébaud
  - add wrappers for str_read() to minimize the usage of magic numbers
  - limit sensitivities to a length of 32, to match categories,
    suggested by Daniel
    
v3:
  - rename comparison macro to cmp_int()
  - move some portions from patch 2 to patch 3
  - minimize magic value usage
  - fix error branch reported by kernel test robot
  - merge ebitmap_highest_set_bit() patch into patch making use of it
  - introduce a central limits.h header
  - add limits for all kinds of string: filesystem names, filetrans
    keys, genfs paths, infiniband device names
  - add patch 14 for MLS stringification hardening

Christian Göttsche (14):
  selinux: avoid nontransitive comparison
  selinux: use u16 for security classes
  selinux: more strict policy parsing
  selinux: check length fields in policies
  selinux: validate constraints
  selinux: pre-validate conditional expressions
  selinux: check type attr map overflows
  selinux: reorder policydb_index()
  selinux: beef up isvalid checks
  selinux: validate symbols
  selinux: more strict bounds check
  selinux: check for simple types
  selinux: restrict policy strings
  selinux: harden MLS context string generation against overflows

 security/selinux/include/limits.h   |  90 +++++
 security/selinux/include/security.h |   1 +
 security/selinux/ss/avtab.c         |  49 ++-
 security/selinux/ss/avtab.h         |  13 +
 security/selinux/ss/conditional.c   | 152 ++++---
 security/selinux/ss/conditional.h   |   2 -
 security/selinux/ss/constraint.h    |   3 +-
 security/selinux/ss/ebitmap.c       |  27 ++
 security/selinux/ss/ebitmap.h       |   1 +
 security/selinux/ss/hashtab.h       |   4 +-
 security/selinux/ss/mls.c           |  84 ++--
 security/selinux/ss/mls.h           |   6 +-
 security/selinux/ss/policydb.c      | 597 +++++++++++++++++++++++-----
 security/selinux/ss/policydb.h      | 106 ++++-
 security/selinux/ss/services.c      | 111 ++++--
 security/selinux/ss/symtab.c        |   2 +-
 security/selinux/ss/symtab.h        |   2 +-
 17 files changed, 1008 insertions(+), 242 deletions(-)
 create mode 100644 security/selinux/include/limits.h

-- 
2.49.0
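The string restrictions the cover letter describes for patch 13 (no control characters, identifier characters limited to alphanumeric, underscore, dash and dot, and length caps of 128 for identifiers, 1024 for types and 32 for categories), modelled as an added user-space C example. This is not code from the patch series or from the kernel's security/selinux/include/limits.h; the EX_* names, the enum values and the verdict codes are this example's own assumptions, and the sample names in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length caps from the cover letter, in characters excluding the NUL
 * terminator.  Names are this example's assumptions, not limits.h. */
#define EX_ID_MAX_LEN   128   /* generic identifiers (users, roles, ...) */
#define EX_TYPE_MAX_LEN 1024  /* type names */
#define EX_CAT_MAX_LEN  32    /* MLS categories */

enum ex_str_kind { EX_STR_ID, EX_STR_TYPE, EX_STR_CAT };

enum ex_verdict {
	EX_OK = 0,
	EX_ERR_EMPTY,     /* zero-length name */
	EX_ERR_TOO_LONG,  /* exceeds the cap for its kind */
	EX_ERR_CONTROL,   /* control character (0x00-0x1f or 0x7f), e.g. Esc */
	EX_ERR_CHARSET    /* printable, but not allowed in an identifier */
};

static size_t ex_max_len(enum ex_str_kind kind)
{
	switch (kind) {
	case EX_STR_TYPE: return EX_TYPE_MAX_LEN;
	case EX_STR_CAT:  return EX_CAT_MAX_LEN;
	default:          return EX_ID_MAX_LEN;
	}
}

static bool ex_is_control(unsigned char c)
{
	return c < 0x20 || c == 0x7f;
}

/* Explicit ASCII ranges rather than isalnum(): no locale dependence. */
static bool ex_is_ident_char(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

/*
 * Validate a name read from a policy blob.  The length comes from the
 * blob's own length field, so an embedded NUL is caught as a control
 * character instead of silently truncating the name as strlen() would.
 */
enum ex_verdict ex_validate_name(const unsigned char *buf, size_t len,
				 enum ex_str_kind kind)
{
	size_t i;

	if (len == 0)
		return EX_ERR_EMPTY;
	if (len > ex_max_len(kind))
		return EX_ERR_TOO_LONG;
	for (i = 0; i < len; i++) {
		if (ex_is_control(buf[i]))
			return EX_ERR_CONTROL;
		if (!ex_is_ident_char(buf[i]))
			return EX_ERR_CHARSET;
	}
	return EX_OK;
}

/* Convenience wrapper for NUL-terminated strings. */
enum ex_verdict ex_validate_cstr(const char *s, enum ex_str_kind kind)
{
	return ex_validate_name((const unsigned char *)s, strlen(s), kind);
}

/* Validate a run of `len` copies of `c`; handy for probing the length caps. */
enum ex_verdict ex_validate_run(unsigned char c, size_t len,
				enum ex_str_kind kind)
{
	unsigned char buf[EX_TYPE_MAX_LEN + 1];

	if (len > sizeof(buf))
		return EX_ERR_TOO_LONG;
	memset(buf, c, len);
	return ex_validate_name(buf, len, kind);
}

int main(void)
{
	/* Constructed sample names: a valid type, a type containing Esc
	 * (accepted by unrestricted parsers), and a role with a space. */
	printf("httpd_t      -> %d\n", ex_validate_cstr("httpd_t", EX_STR_TYPE));
	printf("httpd<Esc>_t -> %d\n", ex_validate_cstr("httpd\033_t", EX_STR_TYPE));
	printf("object r     -> %d\n", ex_validate_cstr("object r", EX_STR_ID));
	printf("33-char cat  -> %d\n", ex_validate_run('c', 33, EX_STR_CAT));
	return 0;
}
```

The check runs on the length field carried in the policy blob rather than on a NUL-terminated copy, which is why the embedded-NUL case is rejected as a control character instead of passing as a shorter name.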

