[PATCH] selinux: log raw contexts as untrusted strings

Wed Jun 12 07:37:47 UTC 2019

On Wed, Jun 12, 2019 at 12:56 AM Paul Moore <paul at paul-moore.com> wrote:
> On Tue, Jun 11, 2019 at 4:07 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> > These strings may come from untrusted sources (e.g. file xattrs) so they
> > need to be properly escaped.
> >
> > Reproducer:
> >     # setenforce 0
> >     # touch /tmp/test
> >     # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
> >     # runcon system_u:system_r:sshd_t:s0 cat /tmp/test
> >     (look at the generated AVCs)
> >
> > Actual result:
> >     type=AVC [...] trawcon=kuřecí řízek
> >
> > Expected result:
> >     type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
> >
> > Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
> > Cc: stable at vger.kernel.org # v5.1+
> > Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> > ---
> >  security/selinux/avc.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
>
> Thanks, the patch looks fine to me, but it is borderline -stable
> material in my opinion.  I'll add it to the stable-5.2 branch, but in
> the future I would prefer if you left the stable marking off patches
> and sent a reply discussing *why* this should go to stable so we can
> discuss it.  I realize Greg likes to pull a lot of stuff into stable,
> but I try to be a bit more conservative about what gets marked.  Even
> the simplest fix can still break things :)

OK, I was a bit unsure whether to mark it as stable or not and
eventually inclined to do so... I'll try be more careful about it in
the future.

>
> I'm going to start building a test kernel now with this fix, but I
> might hold off on sending this up to Linus for a couple of days to see
> if I can catch Gen Zhang's patches in the same PR.
>
> > diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> > index 8346a4f7c5d7..a99be508f93d 100644
> > --- a/security/selinux/avc.c
> > +++ b/security/selinux/avc.c
> > @@ -739,14 +739,20 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
> >         rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
> >                                            &scontext_len);
> >         if (!rc && scontext) {
> > -               audit_log_format(ab, " srawcon=%s", scontext);
> > +               if (scontext_len && scontext[scontext_len - 1] == '\0')
> > +                       scontext_len--;
> > +               audit_log_format(ab, " srawcon=");
> > +               audit_log_n_untrustedstring(ab, scontext, scontext_len);
> >                 kfree(scontext);
> >         }
> >
> >         rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
> >                                            &scontext_len);
> >         if (!rc && scontext) {
> > -               audit_log_format(ab, " trawcon=%s", scontext);
> > +               if (scontext_len && scontext[scontext_len - 1] == '\0')
> > +                       scontext_len--;
> > +               audit_log_format(ab, " trawcon=");
> > +               audit_log_n_untrustedstring(ab, scontext, scontext_len);
> >                 kfree(scontext);
> >         }
> >  }
> > --
> > 2.20.1
>
> --
> paul moore
> www.paul-moore.com

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.