Re: [PATCH] Correctly detect unknown classes in sepol_string_to_security_class

2016-06-03 Thread Joshua Brindle

Joshua Brindle wrote:

Bail before running off the end of the class index



This one correctly goes all the way to the end of the classes index; the
last version did not.



Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle
---
  libsepol/src/services.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index d64a8e8..665fcaa 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char 
*class_name,
char *class = NULL;
sepol_security_class_t id;

-   for (id = 1;; id++) {
+   for (id = 1; id<= policydb->p_classes.nprim; id++) {
class = policydb->p_class_val_to_name[id - 1];
if (class == NULL) {
ERR(NULL, "could not convert %s to class id", 
class_name);
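Review bot: the bound `id <= policydb->p_classes.nprim` is the right one for this indexing: `id` runs from 1 to `nprim` and the table is read at `p_class_val_to_name[id - 1]`, so every class including the last is compared and the read never leaves the table. The `class == NULL` test, which used to be the only thing that stopped the loop, can stay as a guard against a sparse table, but it now fires only for a malformed policydb, so it is worth making its message ("could not convert %s to class id") clearly distinct from the new not-found message added after the loop. Note also that `policydb` is dereferenced unconditionally here, so callers must have loaded a policy before calling this function.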
@@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char 
*class_name,
return STATUS_SUCCESS;
}
}
+   ERR(NULL, "unrecognized class %s", class_name);
+   return -EINVAL;
  }

  /*
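Review bot: the new fall-through path returns `-EINVAL`, while the success path returns `STATUS_SUCCESS` and the return value of the in-loop `class == NULL` path is outside this hunk; settle on one error convention for the whole function (libsepol's status codes or errno-style negatives) so that a caller testing `rc < 0`, as the companion audit2why patch in this thread does, sees the same behaviour on both failure paths. Logging `unrecognized class %s` before returning is a clear improvement over silently walking off the end of the table.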


___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


[PATCH] Correctly detect unknown classes in sepol_string_to_security_class

2016-06-03 Thread Joshua Brindle
Bail before running off the end of the class index

Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle 
---
 libsepol/src/services.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index d64a8e8..665fcaa 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char 
*class_name,
char *class = NULL;
sepol_security_class_t id;
 
-   for (id = 1;; id++) {
+   for (id = 1; id <= policydb->p_classes.nprim; id++) {
class = policydb->p_class_val_to_name[id - 1];
if (class == NULL) {
ERR(NULL, "could not convert %s to class id", 
class_name);
@@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char 
*class_name,
return STATUS_SUCCESS;
}
}
+   ERR(NULL, "unrecognized class %s", class_name);
+   return -EINVAL;
 }
 
 /*
-- 
2.1.0



[PATCH 1/2] Modify audit2why analyze function to use loaded policy

2016-06-03 Thread Joshua Brindle
Class and perms should come from the policy being used for analysis,
not the system policy, so use sepol_ interfaces

Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
Signed-off-by: Joshua Brindle 
---
 libselinux/src/audit2why.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
index 12745b3..abe1701 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
@@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self 
__attribute__((unused)) , PyObject *args
if (rc < 0)
RETURN(BADTCON)
 
-   tclass = string_to_security_class(tclassstr);
-   if (!tclass)
+   rc = sepol_string_to_security_class(tclassstr, );
+   if (rc < 0)
RETURN(BADTCLASS)
 
/* Convert the permission list to an AV. */
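Review bot: as rendered here the call reads `sepol_string_to_security_class(tclassstr, )`, with its second (output) argument missing; the archive has most likely stripped an `&`-prefixed argument, so confirm the real patch passes the address of `tclass`. The new `rc < 0` test is only sound if `sepol_string_to_security_class` returns a negative value on every failure, which is exactly what the companion libsepol patch in this thread adds (`return -EINVAL` after the loop), so the two patches have an ordering dependency and should land together. Also check that the declaration of `tclass` (outside this hunk) uses the sepol output type rather than the return type of the old libselinux `string_to_security_class()` call it replaces.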
@@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self 
__attribute__((unused)) , PyObject *args
permstr = PyString_AsString( strObj );
 #endif

-   perm = string_to_av_perm(tclass, permstr);
-   if (!perm)
+   rc = sepol_string_to_av_perm(tclass, permstr, );
+   if (rc < 0)
RETURN(BADPERM)
 
av |= perm;
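Review bot: same rendering problem as the first hunk: `sepol_string_to_av_perm(tclass, permstr, )` is missing its output argument (the address of `perm`), presumably lost to `&` escaping in the archive. Behaviourally, the old `if (!perm)` treated a zero vector as failure, whereas the new code trusts `rc` alone and then does `av |= perm`; make sure a non-negative `rc` always comes with `perm` set, i.e. that `sepol_string_to_av_perm` cannot report success while leaving `perm` untouched for a permission name that the loaded policy does not define for this class.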
-- 
2.1.0



[PATCH 2/2] Correctly detect unknown classes in sepol_string_to_security_class

2016-06-03 Thread Joshua Brindle
Bail before running off the end of the class index

Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle 
---
 libsepol/src/services.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index d64a8e8..8679545 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char 
*class_name,
char *class = NULL;
sepol_security_class_t id;
 
-   for (id = 1;; id++) {
+   for (id = 1; id < policydb->p_classes.nprim; id++) {
class = policydb->p_class_val_to_name[id - 1];
if (class == NULL) {
ERR(NULL, "could not convert %s to class id", 
class_name);
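Review bot: off-by-one in the new loop condition: with `id < policydb->p_classes.nprim` and the table read at `p_class_val_to_name[id - 1]`, the last class (`id == nprim`, index `nprim - 1`) is never compared, so a valid final class name falls through to the new "unrecognized class" error. Use `id <= policydb->p_classes.nprim`, as the reposted version of this patch elsewhere in the thread does.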
@@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char 
*class_name,
return STATUS_SUCCESS;
}
}
+   ERR(NULL, "unrecognized class %s", class_name);
+   return -EINVAL;
 }
 
 /*
-- 
2.1.0



Re: [RFC 1/2] selinux: Stop looking up dentries from inodes

2016-06-03 Thread Stephen Smalley
On 06/01/2016 05:46 PM, Andreas Gruenbacher wrote:
> On Wed, Jun 1, 2016 at 3:44 PM, Stephen Smalley  wrote:
>> On 05/31/2016 11:22 AM, Andreas Gruenbacher wrote:
>>> With that fixed, could you possibly put this change to test?
>>
>> Falls over during boot in generic_getxattr(), which still needs a
>> non-NULL dentry in the work.selinux branch.
> 
> dentry->d_sb needs to be changed to inode->i_sb there.
> 
>> Is there a reason that this being done separately from work.xattr?
> 
> I don't know how much work.xattr will shift still (and what I can
> still add there), and this change is unrelated, at least so far.
> 
>> Also, if we aren't going to call d_find_alias() there, we can likely
>> also drop the dget() and dput().
> 
> Ah, yes. I'll remove those, thanks.

Looks like you lost the assignment for dentry entirely when you removed
the dget/dput.  Still need to set it to opt_dentry or just use
opt_dentry directly.

BTW, SELinux will presently never call getxattr for 9p or cifs; those
filesystem types are not configured for xattrs in policy because they do
not truly support labeling (and if they did, we would probably use
SECURITY_LSM_NATIVE_LABELS => SECURITY_FS_USE_NATIVE as with nfsv4
rather than FS_USE_XATTR).  Just because they support xattrs does not
mean that they support security labeling.


Re: [PATCH] Modify audit2why analyze function to use loaded policy

2016-06-03 Thread Joshua Brindle

Joshua Brindle wrote:

Class and perms should come from the policy being used for analysis,
not the system policy, so use sepol_ interfaces



Hrm, this solved my original problem, which was that I was getting the
wrong answer back from audit2why (classes in my policy that weren't in
the system policy came back with BADTCLASS instead of a more appropriate
answer), but now I have a segfault so I'll try to track that down.



Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
---
  libselinux/src/audit2why.c | 8 
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
index 12745b3..abe1701 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
@@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self 
__attribute__((unused)) , PyObject *args
if (rc<  0)
RETURN(BADTCON)

-   tclass = string_to_security_class(tclassstr);
-   if (!tclass)
+   rc = sepol_string_to_security_class(tclassstr,);
+   if (rc<  0)
RETURN(BADTCLASS)

/* Convert the permission list to an AV. */
@@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self 
__attribute__((unused)) , PyObject *args
permstr = PyString_AsString( strObj );
  #endif

-   perm = string_to_av_perm(tclass, permstr);
-   if (!perm)
+   rc = sepol_string_to_av_perm(tclass, permstr,);
+   if (rc<  0)
RETURN(BADPERM)

av |= perm;




Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

2016-06-03 Thread David Miller
From: Eric Dumazet 
Date: Thu, 02 Jun 2016 19:58:26 -0700

> Arg, I totally messed up the patch title :(

I noticed it was odd, but it's not a big deal.


Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

2016-06-03 Thread David Miller
From: Eric Dumazet 
Date: Thu, 02 Jun 2016 14:52:43 -0700

> From: Eric Dumazet 
> 
> Paul Moore tracked a regression caused by a recent commit, which
> mistakenly assumed that sk_filter() could be avoided if socket
> had no current BPF filter.
> 
> The intent was to avoid udp_lib_checksum_complete() overhead.
> 
> But sk_filter() also checks skb_pfmemalloc() and
> security_sock_rcv_skb(), so better call it.
> 
> Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
> Signed-off-by: Eric Dumazet 
> Reported-by: Paul Moore 
> Tested-by: Paul Moore 
> Tested-by: Stephen Smalley 
> Cc: samanthakumar 

Applied, thanks Eric.


Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

2016-06-03 Thread Eric Dumazet
From: Eric Dumazet 

Paul Moore tracked a regression caused by a recent commit, which
mistakenly assumed that sk_filter() could be avoided if socket
had no current BPF filter.

The intent was to avoid udp_lib_checksum_complete() overhead.

But sk_filter() also checks skb_pfmemalloc() and
security_sock_rcv_skb(), so better call it.

Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Signed-off-by: Eric Dumazet 
Reported-by: Paul Moore 
Tested-by: Paul Moore 
Tested-by: Stephen Smalley 
Cc: samanthakumar 
---
 net/ipv4/udp.c |   10 +-
 net/ipv6/udp.c |   12 ++--
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index d56c0559b477..0ff31d97d485 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1618,12 +1618,12 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff 
*skb)
}
}
 
-   if (rcu_access_pointer(sk->sk_filter)) {
-   if (udp_lib_checksum_complete(skb))
+   if (rcu_access_pointer(sk->sk_filter) &&
+   udp_lib_checksum_complete(skb))
goto csum_error;
-   if (sk_filter(sk, skb))
-   goto drop;
-   }
+
+   if (sk_filter(sk, skb))
+   goto drop;
 
udp_csum_pull_header(skb);
if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
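Review bot: this hunk correctly restores the unconditional `sk_filter()` call that `security_sock_rcv_skb()` and the `skb_pfmemalloc()` check depend on, and the ordering is right: an attached BPF filter may read payload, so `udp_lib_checksum_complete()` must still run before `sk_filter()` whenever `sk->sk_filter` is set. Add a short comment above the new `if` saying that the checksum completion is intentionally gated on a filter being attached while `sk_filter()` itself is not, since the next reader will be tempted to fold the two back into one block exactly as e6afc8ace6dd did.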
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 2da1896af934..f421c9f23c5b 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -653,12 +653,12 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff 
*skb)
}
}
 
-   if (rcu_access_pointer(sk->sk_filter)) {
-   if (udp_lib_checksum_complete(skb))
-   goto csum_error;
-   if (sk_filter(sk, skb))
-   goto drop;
-   }
+   if (rcu_access_pointer(sk->sk_filter) &&
+   udp_lib_checksum_complete(skb))
+   goto csum_error;
+
+   if (sk_filter(sk, skb))
+   goto drop;
 
udp_csum_pull_header(skb);
if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
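Review bot: this is the same restructuring as the IPv4 hunk, with one difference worth checking: here the `goto csum_error;` line is removed and re-added under the new two-line condition, whereas in `net/ipv4/udp.c` it is kept as unchanged context. If that IPv4 line retained its old, deeper indentation it should be re-indented to match this hunk. The two prologues are otherwise identical, so a shared helper would stop the next change from landing in only one of the two files.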




Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

2016-06-03 Thread Eric Dumazet
On Thu, 2016-06-02 at 17:36 -0400, Paul Moore wrote:
> On Wed, Jun 1, 2016 at 4:44 PM, Stephen Smalley  wrote:
> > On 06/01/2016 03:18 PM, Eric Dumazet wrote:
> >> On Wed, 2016-06-01 at 15:01 -0400, Paul Moore wrote:
> >>> Hello,
> >>>
> >>> I'm currently trying to debug a problem with 4.7-rc1 and labeled
> >>> networking over UDP.  I'm having some difficulty with the latest
> >>> 4.7-rc1 builds on my test system at the moment so I haven't been able
> >>> to concisely identify the problem, but looking through the commits in
> >>> 4.7-rc1 I think there may be a problem with the following:
> >>>
> >>>   commit e6afc8ace6dd5cef5e812f26c72579da8806f5ac
> >>>   Author: samanthakumar 
> >>>   Date:   Tue Apr 5 12:41:15 2016 -0400
> >>>
> >>>udp: remove headers from UDP packets before queueing
> >>>
> >>>Remove UDP transport headers before queueing packets for reception.
> >>>This change simplifies a follow-up patch to add MSG_PEEK support.
> >>>
> >>>Signed-off-by: Sam Kumar 
> >>>Signed-off-by: Willem de Bruijn 
> >>>Signed-off-by: David S. Miller 
> >>>
> >>> ... it appears that this commit changes things so that sk_filter() is
> >>> only called when sk->sk_filter is not NULL.  While this is fine for
> >>> the traditional socket filter case, it causes problems with LSMs that
> >>> make use of security_sock_rcv_skb() to enforce per-packet access
> >>> controls.
> >>>
> >>> Hopefully I'll get 4.7-rc1 booting soon and I can do a proper
> >>> bisection test around this patch, but I wanted to mention this now in
> >>> case others are seeing the same problem.
> >>
> >> Thanks for the report. Please try following fix.
> >>
> >> sk_filter() got additional features like the skb_pfmemalloc() things and
> >> security_sock_rcv_skb()
> >
> > This resolved the SELinux regression for me.
> >
> > Tested-by: Stephen Smalley 
> 
> The patch works for me too.  Eric, are you going to send this to DaveM
> (assuming he isn't listening in on this thread and picking it up
> himself)?
> 
> Tested-by: Paul Moore 

I am going to send the official patch right away, thanks !

