summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul@paul-moore.com>2023-08-07 22:57:22 -0400
committerPaul Moore <paul@paul-moore.com>2023-08-09 10:51:13 -0400
commit817199e006e514e6c39a17ed2e9fece1bd56b898 (patch)
treef450f46e3941356c1b9aae3d7fbe26af4e2f9cd4 /security
parent2b86e04bce141311c3a68940be2c8d5984274fca (diff)
downloadlwn-817199e006e514e6c39a17ed2e9fece1bd56b898.tar.gz
lwn-817199e006e514e6c39a17ed2e9fece1bd56b898.zip
selinux: revert SECINITSID_INIT support
This commit reverts 5b0eea835d4e ("selinux: introduce an initial SID for early boot processes") as it was found to cause problems on distros with old SELinux userspace tools/libraries, specifically Ubuntu 16.04. Hopefully we will be able to re-add this functionality at a later date, but let's revert this for now to help ensure a stable and backwards compatible SELinux tree. Link: https://lore.kernel.org/selinux/87edkseqf8.fsf@mail.lhotse Acked-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c28
-rw-r--r--security/selinux/include/initial_sid_to_string.h2
-rw-r--r--security/selinux/include/policycap.h1
-rw-r--r--security/selinux/include/policycap_names.h1
-rw-r--r--security/selinux/include/security.h6
-rw-r--r--security/selinux/ss/policydb.c27
6 files changed, 1 insertions, 64 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cf787eaca755..7138083c5bef 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2313,19 +2313,6 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
new_tsec->keycreate_sid = 0;
new_tsec->sockcreate_sid = 0;
- /*
- * Before policy is loaded, label any task outside kernel space
- * as SECINITSID_INIT, so that any userspace tasks surviving from
- * early boot end up with a label different from SECINITSID_KERNEL
- * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
- */
- if (!selinux_initialized()) {
- new_tsec->sid = SECINITSID_INIT;
- /* also clear the exec_sid just in case */
- new_tsec->exec_sid = 0;
- return 0;
- }
-
if (old_tsec->exec_sid) {
new_tsec->sid = old_tsec->exec_sid;
/* Reset exec SID on execve. */
@@ -4542,21 +4529,6 @@ static int sock_has_perm(struct sock *sk, u32 perms)
if (sksec->sid == SECINITSID_KERNEL)
return 0;
- /*
- * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
- * inherited the kernel context from early boot used to be skipped
- * here, so preserve that behavior unless the capability is set.
- *
- * By setting the capability the policy signals that it is ready
- * for this quirk to be fixed. Note that sockets created by a kernel
- * thread or a usermode helper executed without a transition will
- * still be skipped in this check regardless of the policycap
- * setting.
- */
- if (!selinux_policycap_userspace_initial_context() &&
- sksec->sid == SECINITSID_INIT)
- return 0;
-
ad_net_init_from_sk(&ad, &net, sk);
return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h
index 5e5f0993dac2..ecc6e74fa09b 100644
--- a/security/selinux/include/initial_sid_to_string.h
+++ b/security/selinux/include/initial_sid_to_string.h
@@ -10,7 +10,7 @@ static const char *const initial_sid_to_string[] = {
NULL,
"file",
NULL,
- "init",
+ NULL,
"any_socket",
"port",
"netif",
diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h
index c7373e6effe5..f35d3458e71d 100644
--- a/security/selinux/include/policycap.h
+++ b/security/selinux/include/policycap.h
@@ -12,7 +12,6 @@ enum {
POLICYDB_CAP_NNP_NOSUID_TRANSITION,
POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
- POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
__POLICYDB_CAP_MAX
};
#define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h
index 28e4c9ee2399..49bbe120d173 100644
--- a/security/selinux/include/policycap_names.h
+++ b/security/selinux/include/policycap_names.h
@@ -14,7 +14,6 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = {
"nnp_nosuid_transition",
"genfs_seclabel_symlinks",
"ioctl_skip_cloexec",
- "userspace_initial_context",
};
#endif /* _SELINUX_POLICYCAP_NAMES_H_ */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 074d439fe9ad..a9de89af8fdc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -189,12 +189,6 @@ static inline bool selinux_policycap_ioctl_skip_cloexec(void)
selinux_state.policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]);
}
-static inline bool selinux_policycap_userspace_initial_context(void)
-{
- return READ_ONCE(
- selinux_state.policycap[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]);
-}
-
struct selinux_policy_convert_data;
struct selinux_load_state {
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index bb850b608dc6..cd44b13b8d3f 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -864,8 +864,6 @@ void policydb_destroy(struct policydb *p)
int policydb_load_isids(struct policydb *p, struct sidtab *s)
{
struct ocontext *head, *c;
- bool isid_init_supported = ebitmap_get_bit(&p->policycaps,
- POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT);
int rc;
rc = sidtab_init(s);
@@ -889,13 +887,6 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
if (!name)
continue;
- /*
- * Also ignore SECINITSID_INIT if the policy doesn't declare
- * support for it
- */
- if (sid == SECINITSID_INIT && !isid_init_supported)
- continue;
-
rc = sidtab_set_initial(s, sid, &c->context[0]);
if (rc) {
pr_err("SELinux: unable to load initial SID %s.\n",
@@ -903,24 +894,6 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
sidtab_destroy(s);
return rc;
}
-
- /*
- * If the policy doesn't support the "userspace_initial_context"
- * capability, set SECINITSID_INIT to the same context as
- * SECINITSID_KERNEL. This ensures the same behavior as before
- * the reintroduction of SECINITSID_INIT, where all tasks
- * started before policy load would initially get the context
- * corresponding to SECINITSID_KERNEL.
- */
- if (sid == SECINITSID_KERNEL && !isid_init_supported) {
- rc = sidtab_set_initial(s, SECINITSID_INIT, &c->context[0]);
- if (rc) {
- pr_err("SELinux: unable to load initial SID %s.\n",
- name);
- sidtab_destroy(s);
- return rc;
- }
- }
}
return 0;
}