lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <cover.1692804730.git.aclaudi@redhat.com>
Date: Wed, 23 Aug 2023 19:29:58 +0200
From: Andrea Claudi <aclaudi@...hat.com>
To: netdev@...r.kernel.org
Cc: Stephen Hemminger <stephen@...workplumber.org>,
	David Ahern <dsahern@...il.com>
Subject: [PATCH iproute2-next 0/4] make ip vrf exec SELinux-aware

In order to execute a service with VRF, a user should start it using
"ip vrf exec". For example, using systemd, the user can encapsulate the
ExecStart command in ip vrf exec as shown below:

ExecStart=/usr/sbin/ip vrf exec vrf1 /usr/sbin/httpd $OPTIONS -DFOREGROUND 

Assuming SELinux is in permissive mode, starting the service with the
current ip vrf implementation results in:

# systemctl start httpd
# ps -eafZ | grep httpd
system_u:system_r:ifconfig_t:s0 root      597448       1  1 19:22 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:ifconfig_t:s0 apache    597452  597448  0 19:22 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
[snip]

This is incorrect, as the context for httpd should be httpd_t, not
ifconfig_t.

This happens because ipvrf_exec invokes cmd_exec without setting the
correct SELinux context before. Without the correct setting, the process
is executed using ip's SELinux context.

This patch series makes "ip vrf exec" SELinux-aware using the
setexecfilecon functions, which retrieves the correct context to be used
on the next execvp() call.

After this series:
# systemctl start httpd
# ps -eafZ | grep httpd
system_u:system_r:httpd_t:s0    root      595805       1  0 19:01 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    595809  595805  0 19:01 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND


Patch series description:
- 1/4 and 2/4 are preliminary changes to make SELinux helper functions
  used in ss conformant to the SELinux API definitions;
- 3/4 makes SELinux helper functions into a library, so they can be used
  in other iproute tools - such as ip - when iproute is compiled without
  SELinux support; 
- 4/4, finally, add setexecfilecon to the SELinux stubs, and uses it to
  actually set the correct file context for the command to be executed.

Andrea Claudi (4):
  ss: make is_selinux_enabled stub work like in SELinux
  ss: make SELinux stub functions conformant to API definitions
  lib: add SELinux include and stub functions
  ip vrf: make ipvrf_exec SELinux-aware

 include/selinux.h | 10 ++++++++++
 ip/ipvrf.c        |  6 ++++++
 lib/Makefile      |  4 ++++
 lib/selinux.c     | 37 +++++++++++++++++++++++++++++++++++++
 misc/ss.c         | 36 ++----------------------------------
 5 files changed, 59 insertions(+), 34 deletions(-)
 create mode 100644 include/selinux.h
 create mode 100644 lib/selinux.c

-- 
2.41.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ