| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cover.1692804730.git.aclaudi@redhat.com> Date: Wed, 23 Aug 2023 19:29:58 +0200 From: Andrea Claudi <aclaudi@...hat.com> To: netdev@...r.kernel.org Cc: Stephen Hemminger <stephen@...workplumber.org>, David Ahern <dsahern@...il.com> Subject: [PATCH iproute2-next 0/4] make ip vrf exec SELinux-aware In order to execute a service with VRF, a user should start it using "ip vrf exec". For example, using systemd, the user can encapsulate the ExecStart command in ip vrf exec as shown below: ExecStart=/usr/sbin/ip vrf exec vrf1 /usr/sbin/httpd $OPTIONS -DFOREGROUND Assuming SELinux is in permissive mode, starting the service with the current ip vrf implementation results in: # systemctl start httpd # ps -eafZ | grep httpd system_u:system_r:ifconfig_t:s0 root 597448 1 1 19:22 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND system_u:system_r:ifconfig_t:s0 apache 597452 597448 0 19:22 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND [snip] This is incorrect, as the context for httpd should be httpd_t, not ifconfig_t. This happens because ipvrf_exec invokes cmd_exec without setting the correct SELinux context before. Without the correct setting, the process is executed using ip's SELinux context. This patch series makes "ip vrf exec" SELinux-aware using the setexecfilecon functions, which retrieves the correct context to be used on the next execvp() call. After this series: # systemctl start httpd # ps -eafZ | grep httpd system_u:system_r:httpd_t:s0 root 595805 1 0 19:01 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND system_u:system_r:httpd_t:s0 apache 595809 595805 0 19:01 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND Patch series description: - 1/4 and 2/4 are preliminary changes to make SELinux helper functions used in ss conformant to the SELinux API definitions; - 3/4 makes SELinux helper functions into a library, so they can be used in other iproute tools - such as ip - when iproute is compiled without SELinux support; - 4/4, finally, add setexecfilecon to the SELinux stubs, and uses it to actually set the correct file context for the command to be executed. Andrea Claudi (4): ss: make is_selinux_enabled stub work like in SELinux ss: make SELinux stub functions conformant to API definitions lib: add SELinux include and stub functions ip vrf: make ipvrf_exec SELinux-aware include/selinux.h | 10 ++++++++++ ip/ipvrf.c | 6 ++++++ lib/Makefile | 4 ++++ lib/selinux.c | 37 +++++++++++++++++++++++++++++++++++++ misc/ss.c | 36 ++---------------------------------- 5 files changed, 59 insertions(+), 34 deletions(-) create mode 100644 include/selinux.h create mode 100644 lib/selinux.c -- 2.41.0
Powered by blists - more mailing lists