Re: [PATCH] Correctly detect unknown classes in sepol_string_to_security_class
Joshua Brindle wrote: Bail before running off the end of the class index This one correctly goes all the way to the end of the classes index, the last version did not. Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a Signed-off-by: Joshua Brindle--- libsepol/src/services.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libsepol/src/services.c b/libsepol/src/services.c index d64a8e8..665fcaa 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char *class_name, char *class = NULL; sepol_security_class_t id; - for (id = 1;; id++) { + for (id = 1; id<= policydb->p_classes.nprim; id++) { class = policydb->p_class_val_to_name[id - 1]; if (class == NULL) { ERR(NULL, "could not convert %s to class id", class_name); @@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char *class_name, return STATUS_SUCCESS; } } + ERR(NULL, "unrecognized class %s", class_name); + return -EINVAL; } /* ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
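Review bot: the bound is right in this version (id runs 1..nprim inclusive, so `p_class_val_to_name[id - 1]` stays inside the table and the highest-numbered class is still compared), but `id<= policydb->p_classes.nprim` drops the space around the operator that the rest of the function uses; write `for (id = 1; id <= policydb->p_classes.nprim; id++)`. Since this supersedes the `id <` bound posted as PATCH 2/2, a one-line note in the commit message saying that the earlier bound skipped the last class would help whoever applies the series.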
[PATCH] Correctly detect unknown classes in sepol_string_to_security_class
Bail before running off the end of the class index Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a Signed-off-by: Joshua Brindle--- libsepol/src/services.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libsepol/src/services.c b/libsepol/src/services.c index d64a8e8..665fcaa 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char *class_name, char *class = NULL; sepol_security_class_t id; - for (id = 1;; id++) { + for (id = 1; id <= policydb->p_classes.nprim; id++) { class = policydb->p_class_val_to_name[id - 1]; if (class == NULL) { ERR(NULL, "could not convert %s to class id", class_name); @@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char *class_name, return STATUS_SUCCESS; } } + ERR(NULL, "unrecognized class %s", class_name); + return -EINVAL; } /* -- 2.1.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
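Review bot: the in-loop `class == NULL` branch now means something different from the new tail. With the loop bounded to 1..nprim, a NULL entry in `p_class_val_to_name` is a hole in the policy's class table, not an unknown name, yet its message, "could not convert %s to class id", reads like the unknown-name case that the new `ERR(NULL, "unrecognized class %s", class_name); return -EINVAL;` handles. Consider wording each message for the case it covers, and make sure the NULL branch (its return is not in the hunk) also returns a negative value, since callers such as the audit2why patch in this series only test `rc < 0`.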
[PATCH 1/2] Modify audit2why analyze function to use loaded policy
Class and perms should come from the policy being used for analysis, not the system policy so use sepol_ interfaces Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561 Signed-off-by: Joshua Brindle--- libselinux/src/audit2why.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c index 12745b3..abe1701 100644 --- a/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c @@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args if (rc < 0) RETURN(BADTCON) - tclass = string_to_security_class(tclassstr); - if (!tclass) + rc = sepol_string_to_security_class(tclassstr, ); + if (rc < 0) RETURN(BADTCLASS) /* Convert the permission list to an AV. */ @@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args permstr = PyString_AsString( strObj ); #endif - perm = string_to_av_perm(tclass, permstr); - if (!perm) + rc = sepol_string_to_av_perm(tclass, permstr, ); + if (rc < 0) RETURN(BADPERM) av |= perm; -- 2.1.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
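Review bot: both calls in these hunks are missing their output argument as shown, `rc = sepol_string_to_security_class(tclassstr, );` and `rc = sepol_string_to_av_perm(tclass, permstr, );`, so the lines as rendered do not compile; the address-of on `tclass` and `perm` has most likely been eaten by the archive, but please confirm against the actual patch. Separately, this now feeds every class name from the AVC message to sepol_string_to_security_class(), whose loop before the companion fix in this series reads `for (id = 1;; id++)` with no upper bound, so a class that is in the audit message but not in the analysis policy walks off the end of `p_class_val_to_name`; the bounded-loop fix should land before this patch rather than after it.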
[PATCH 2/2] Correctly detect unknown classes in sepol_string_to_security_class
Bail before running off the end of the class index Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a Signed-off-by: Joshua Brindle--- libsepol/src/services.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libsepol/src/services.c b/libsepol/src/services.c index d64a8e8..8679545 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char *class_name, char *class = NULL; sepol_security_class_t id; - for (id = 1;; id++) { + for (id = 1; id < policydb->p_classes.nprim; id++) { class = policydb->p_class_val_to_name[id - 1]; if (class == NULL) { ERR(NULL, "could not convert %s to class id", class_name); @@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char *class_name, return STATUS_SUCCESS; } } + ERR(NULL, "unrecognized class %s", class_name); + return -EINVAL; } /* -- 2.1.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
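Review bot: off-by-one in the new loop bound: `for (id = 1; id < policydb->p_classes.nprim; id++)` stops at id = nprim - 1, so the entry `p_class_val_to_name[nprim - 1]`, the highest-numbered class, is never compared and is reported as "unrecognized class" even though the policy defines it. The bound needs to be inclusive, `id <= policydb->p_classes.nprim`, as in the resend earlier in this thread; a quick check is to call the function with the name of the last class defined in the policy and expect STATUS_SUCCESS.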
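As an added example (not libsepol's code, and not part of this thread), here is a user-space model of the lookup in the hunks above, showing the inclusive bound from the resend beside the `id < nprim` bound from this 2/2 version. The table layout mirrors what the hunks show: nprim entries, 1-based class ids, index id - 1. The struct, function and class names are assumptions made for the illustration.

```c
/*
 * Added example (not libsepol code): a user-space model of the class-name
 * lookup in sepol_string_to_security_class() as it appears in the hunks
 * above, kept only to show why the loop needs an upper bound and why that
 * bound has to be inclusive.  The table layout mirrors what the hunks show:
 * p_class_val_to_name[] holds nprim entries and class ids are 1-based, so
 * id maps to index id - 1.  Struct, function and class names are assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t sec_class_t;

/* Stand-in for policydb->p_classes.nprim and p_class_val_to_name. */
struct class_table {
	const char *const *val_to_name;	/* nprim entries, index = id - 1 */
	uint32_t nprim;
};

/*
 * Lookup with the corrected bound (id <= nprim): every valid id 1..nprim
 * is compared, and an unknown name falls out of the loop into -EINVAL
 * instead of reading past the end of val_to_name[].
 */
static int class_to_id(const struct class_table *t, const char *name,
		       sec_class_t *out)
{
	sec_class_t id;

	for (id = 1; id <= t->nprim; id++) {
		const char *cls = t->val_to_name[id - 1];

		if (cls == NULL)	/* hole in the table: malformed policy */
			return -EINVAL;
		if (strcmp(cls, name) == 0) {
			*out = id;
			return 0;
		}
	}
	return -EINVAL;			/* name is not a class in this policy */
}

/*
 * The same loop with the bound from PATCH 2/2 (id < nprim): the entry at
 * index nprim - 1, i.e. the highest-numbered class, is never compared.
 * Kept here only to make the off-by-one observable.
 */
static int class_to_id_off_by_one(const struct class_table *t,
				  const char *name, sec_class_t *out)
{
	sec_class_t id;

	for (id = 1; id < t->nprim; id++) {
		const char *cls = t->val_to_name[id - 1];

		if (cls == NULL)
			return -EINVAL;
		if (strcmp(cls, name) == 0) {
			*out = id;
			return 0;
		}
	}
	return -EINVAL;
}

/* Constructed four-class table; a real policy defines many more classes. */
static const char *const demo_names[] = { "file", "dir", "process", "socket" };
static const struct class_table demo_table = { demo_names, 4 };

/* Return the 1-based id for name, or a negative errno (inclusive bound). */
int demo_lookup(const char *name)
{
	sec_class_t id;
	int rc = class_to_id(&demo_table, name, &id);

	return rc < 0 ? rc : (int)id;
}

/* Same, with the exclusive bound from PATCH 2/2. */
int demo_lookup_off_by_one(const char *name)
{
	sec_class_t id;
	int rc = class_to_id_off_by_one(&demo_table, name, &id);

	return rc < 0 ? rc : (int)id;
}

int main(void)
{
	const char *probes[] = { "file", "socket", "nonexistent" };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("%-12s inclusive=%d  exclusive=%d\n", probes[i],
		       demo_lookup(probes[i]),
		       demo_lookup_off_by_one(probes[i]));
	return 0;
}
```

Running it shows "socket", the last class in the table, resolving to id 4 with the inclusive bound and coming back as -EINVAL with the exclusive one, which is the symptom a policy's highest-numbered class would produce under the 2/2 bound. The unbounded original loop is deliberately not modelled, since its behaviour on an unknown name is an out-of-bounds read.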
Re: [RFC 1/2] selinux: Stop looking up dentries from inodes
On 06/01/2016 05:46 PM, Andreas Gruenbacher wrote:
> On Wed, Jun 1, 2016 at 3:44 PM, Stephen Smalley wrote:
>> On 05/31/2016 11:22 AM, Andreas Gruenbacher wrote:
>>> With that fixed, could you possibly put this change to test?
>>
>> Falls over during boot in generic_getxattr(), which still needs a
>> non-NULL dentry in the work.selinux branch.
>
> dentry->d_sb needs to be changed to inode->i_sb there.
>
>> Is there a reason that this being done separately from work.xattr?
>
> I don't know how much work.xattr will shift still (and what I can
> still add there), and this change is unrelated, at least so far.
>
>> Also, if we aren't going to call d_find_alias() there, we can likely
>> also drop the dget() and dput().
>
> Ah, yes. I'll remove those, thanks.

Looks like you lost the assignment for dentry entirely when you removed the dget/dput. Still need to set it to opt_dentry or just use opt_dentry directly.

BTW, SELinux will presently never call getxattr for 9p or cifs; those filesystem types are not configured for xattrs in policy because they do not truly support labeling (and if they did, we would probably use SECURITY_LSM_NATIVE_LABELS => SECURITY_FS_USE_NATIVE as with nfsv4 rather than FS_USE_XATTR). Just because they support xattrs does not mean that they support security labeling.
Re: [PATCH] Modify audit2why analyze function to use loaded policy
Joshua Brindle wrote:
> Class and perms should come from the policy being used for analysis, not the system policy so use sepol_ interfaces

Hrm, this solved my original problem which was that I was getting the wrong answer back from audit2why (classes in my policy that weren't in the system policy came back with BADTCLASS instead of a more appropriate answer) but now I have a segfault so I'll try to track that down.

Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561 --- libselinux/src/audit2why.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c index 12745b3..abe1701 100644 --- a/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c @@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args if (rc< 0) RETURN(BADTCON) - tclass = string_to_security_class(tclassstr); - if (!tclass) + rc = sepol_string_to_security_class(tclassstr,); + if (rc< 0) RETURN(BADTCLASS) /* Convert the permission list to an AV. */ @@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args permstr = PyString_AsString( strObj ); #endif - perm = string_to_av_perm(tclass, permstr); - if (!perm) + rc = sepol_string_to_av_perm(tclass, permstr,); + if (rc< 0) RETURN(BADPERM) av |= perm;
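Review bot: the segfault reported above is what the companion patch to sepol_string_to_security_class() addresses. After this change every class name in the audit message goes through that function, and its loop header before the fix, `for (id = 1;; id++)`, has no upper bound, so a name that is not in the analysis policy walks `p_class_val_to_name` past its nprim entries; the `rc < 0` checks in this hunk only help once the library actually returns -EINVAL for an unknown name instead of reading off the end. Order the series so the bounded loop lands first, and note in the commit message that the two are coupled.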
Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")
From: Eric Dumazet
Date: Thu, 02 Jun 2016 19:58:26 -0700

> Arg, I totally messed up the patch title :(

I noticed it was odd, but it's not a big deal.
Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")
From: Eric Dumazet
Date: Thu, 02 Jun 2016 14:52:43 -0700

> From: Eric Dumazet
>
> Paul Moore tracked a regression caused by a recent commit, which
> mistakenly assumed that sk_filter() could be avoided if socket
> had no current BPF filter.
>
> The intent was to avoid udp_lib_checksum_complete() overhead.
>
> But sk_filter() also checks skb_pfmemalloc() and
> security_sock_rcv_skb(), so better call it.
>
> Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
> Signed-off-by: Eric Dumazet
> Reported-by: Paul Moore
> Tested-by: Paul Moore
> Tested-by: Stephen Smalley
> Cc: samanthakumar

Applied, thanks Eric.
Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")
From: Eric DumazetPaul Moore tracked a regression caused by a recent commit, which mistakenly assumed that sk_filter() could be avoided if socket had no current BPF filter. The intent was to avoid udp_lib_checksum_complete() overhead. But sk_filter() also checks skb_pfmemalloc() and security_sock_rcv_skb(), so better call it. Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") Signed-off-by: Eric Dumazet Reported-by: Paul Moore Tested-by: Paul Moore Tested-by: Stephen Smalley Cc: samanthakumar --- net/ipv4/udp.c | 10 +- net/ipv6/udp.c | 12 ++-- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index d56c0559b477..0ff31d97d485 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1618,12 +1618,12 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) } } - if (rcu_access_pointer(sk->sk_filter)) { - if (udp_lib_checksum_complete(skb)) + if (rcu_access_pointer(sk->sk_filter) && + udp_lib_checksum_complete(skb)) goto csum_error; - if (sk_filter(sk, skb)) - goto drop; - } + + if (sk_filter(sk, skb)) + goto drop; udp_csum_pull_header(skb); if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 2da1896af934..f421c9f23c5b 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -653,12 +653,12 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) } } - if (rcu_access_pointer(sk->sk_filter)) { - if (udp_lib_checksum_complete(skb)) - goto csum_error; - if (sk_filter(sk, skb)) - goto drop; - } + if (rcu_access_pointer(sk->sk_filter) && + udp_lib_checksum_complete(skb)) + goto csum_error; + + if (sk_filter(sk, skb)) + goto drop; udp_csum_pull_header(skb); if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
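Review bot: in the net/ipv4/udp.c hunk the result is correct but fragile: `if (rcu_access_pointer(sk->sk_filter) && udp_lib_checksum_complete(skb)) goto csum_error;` now sits directly above an unconditional `if (sk_filter(sk, skb)) goto drop;`, and the next person optimising this path will be tempted to fold the second test back under the first, which is exactly the regression being fixed. Add a comment at the sk_filter() call saying it must run even when no BPF program is attached because it also performs the skb_pfmemalloc() and security_sock_rcv_skb() checks, as the commit message explains.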
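Review bot: the net/ipv6/udp.c hunk ends up identical to the IPv4 one, and the regression hit both copies the same way; since in both files the sequence sits immediately before udp_csum_pull_header(), consider moving the checksum-then-sk_filter() steps into one shared helper so that a future change cannot drop the LSM hook in one address family and keep it in the other.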
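As an added example (not kernel code, and not part of Eric's patch), the receive decision above modelled in user space so the regression's effect on the LSM hook is observable: the regressed path gates the whole of sk_filter() on a BPF program being attached, the fixed path only gates the checksum on it. Struct layouts, the toy LSM rule and all function names are assumptions made for the illustration.

```c
/*
 * Added example, not kernel code: a user-space model of the UDP receive
 * decision the fix above restores.  In the kernel, sk_filter() runs the
 * socket's BPF program, but it also rejects pfmemalloc skbs and calls the
 * LSM hook security_sock_rcv_skb(); the regressed code only called it when
 * a BPF program was attached.  Struct layouts, the toy LSM rule and the
 * function names are assumptions made for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum verdict { QUEUED = 0, DROPPED = 1, CSUM_ERROR = 2 };

struct skb {
	bool csum_valid;	/* what udp_lib_checksum_complete() would report */
	bool pfmemalloc;	/* skb_pfmemalloc(): came from the emergency reserve */
	unsigned int secid;	/* peer label the LSM decides on */
};

struct sock {
	bool (*bpf)(const struct skb *);	/* NULL: no socket filter attached */
	unsigned int allowed_secid;		/* toy per-socket LSM policy */
};

/* Toy security_sock_rcv_skb(): accept only one peer label. */
static bool lsm_sock_rcv_skb(const struct sock *sk, const struct skb *skb)
{
	return skb->secid == sk->allowed_secid;
}

/* Model of sk_filter(): nonzero means drop, for any of three reasons. */
static int model_sk_filter(const struct sock *sk, const struct skb *skb)
{
	if (!lsm_sock_rcv_skb(sk, skb))
		return -1;		/* LSM veto */
	if (skb->pfmemalloc)
		return -1;		/* reserve memory is not for ordinary sockets */
	if (sk->bpf && !sk->bpf(skb))
		return -1;		/* BPF program rejected the packet */
	return 0;
}

/* Receive path as regressed by e6afc8ac: everything gated on sk->bpf. */
enum verdict queue_rcv_regressed(const struct sock *sk, const struct skb *skb)
{
	if (sk->bpf) {
		if (!skb->csum_valid)
			return CSUM_ERROR;
		if (model_sk_filter(sk, skb))
			return DROPPED;
	}
	return QUEUED;
}

/*
 * Receive path as fixed: the checksum is still only completed when a
 * filter is attached (that is the overhead the regression meant to avoid),
 * but sk_filter() runs for every socket.
 */
enum verdict queue_rcv_fixed(const struct sock *sk, const struct skb *skb)
{
	if (sk->bpf && !skb->csum_valid)
		return CSUM_ERROR;
	if (model_sk_filter(sk, skb))
		return DROPPED;
	return QUEUED;
}

static bool bpf_accept_all(const struct skb *skb)
{
	(void)skb;
	return true;
}

/* Run one constructed packet through either path; the allowed label is 1. */
enum verdict scenario(bool fixed, bool has_filter, bool csum_valid,
		      bool pfmemalloc, unsigned int secid)
{
	struct sock sk = { has_filter ? bpf_accept_all : NULL, 1 };
	struct skb skb = { csum_valid, pfmemalloc, secid };

	return fixed ? queue_rcv_fixed(&sk, &skb)
		     : queue_rcv_regressed(&sk, &skb);
}

int main(void)
{
	/* Unfiltered socket, packet carrying a label the LSM must reject. */
	printf("regressed: %d (0 = queued)\n",  scenario(false, false, true, false, 2));
	printf("fixed:     %d (1 = dropped)\n", scenario(true,  false, true, false, 2));
	return 0;
}
```

The interesting case is the unfiltered socket: a packet the toy LSM rejects is queued by the regressed path and dropped by the fixed one, and the same holds for a pfmemalloc skb; with a BPF program attached both paths agree, which is why the regression only showed up for sockets without a filter, as Paul's report describes. The checksum is not verified on the unfiltered path in either version, matching the hunks, where udp_lib_checksum_complete() stays behind the sk_filter pointer test.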
Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")
On Thu, 2016-06-02 at 17:36 -0400, Paul Moore wrote:
> On Wed, Jun 1, 2016 at 4:44 PM, Stephen Smalley wrote:
> > On 06/01/2016 03:18 PM, Eric Dumazet wrote:
> >> On Wed, 2016-06-01 at 15:01 -0400, Paul Moore wrote:
> >>> Hello,
> >>>
> >>> I'm currently trying to debug a problem with 4.7-rc1 and labeled
> >>> networking over UDP. I'm having some difficulty with the latest
> >>> 4.7-rc1 builds on my test system at the moment so I haven't been able
> >>> to concisely identify the problem, but looking through the commits in
> >>> 4.7-rc1 I think there may be a problem with the following:
> >>>
> >>> commit e6afc8ace6dd5cef5e812f26c72579da8806f5ac
> >>> Author: samanthakumar
> >>> Date: Tue Apr 5 12:41:15 2016 -0400
> >>>
> >>>     udp: remove headers from UDP packets before queueing
> >>>
> >>>     Remove UDP transport headers before queueing packets for reception.
> >>>     This change simplifies a follow-up patch to add MSG_PEEK support.
> >>>
> >>>     Signed-off-by: Sam Kumar
> >>>     Signed-off-by: Willem de Bruijn
> >>>     Signed-off-by: David S. Miller
> >>>
> >>> ... it appears that this commit changes things so that sk_filter() is
> >>> only called when sk->sk_filter is not NULL. While this is fine for
> >>> the traditional socket filter case, it causes problems with LSMs that
> >>> make use of security_sock_rcv_skb() to enforce per-packet access
> >>> controls.
> >>>
> >>> Hopefully I'll get 4.7-rc1 booting soon and I can do a proper
> >>> bisection test around this patch, but I wanted to mention this now in
> >>> case others are seeing the same problem.
> >>
> >> Thanks for the report. Please try following fix.
> >>
> >> sk_filter() got additional features like the skb_pfmemalloc() things and
> >> security_sock_rcv_skb()
> >
> > This resolved the SELinux regression for me.
> >
> > Tested-by: Stephen Smalley
>
> The patch works for me too. Eric, are you going to send this to DaveM
> (assuming he isn't listening in on this thread and picking it up
> himself)?
>
> Tested-by: Paul Moore

I am going to send the official patch right away, thanks!