diff options
author | Richard Guy Briggs <rgb@redhat.com> | 2019-06-27 12:48:01 -0400 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2019-07-01 16:29:05 -0400 |
commit | ea74a685ad819aeed316a9bae3d2a5bf762da82d (patch) | |
tree | ba13e694ed22fbd1494bdca74db130914f5d900a /security/selinux | |
parent | 464c258aa45b09f16aa0f05847ed8895873262d9 (diff) | |
download | lwn-ea74a685ad819aeed316a9bae3d2a5bf762da82d.tar.gz lwn-ea74a685ad819aeed316a9bae3d2a5bf762da82d.zip |
selinux: format all invalid context as untrusted
The userspace tools expect all fields of the same name to be logged
consistently with the same encoding. Since the invalid_context fields
contain untrusted strings in selinux_inode_setxattr()
and selinux_setprocattr(), encode all instances of this field the same
way as though they were untrusted even though
compute_sid_handle_invalid_context() and security_sid_mls_copy() are
trusted.
Please see github issue
https://github.com/linux-audit/audit-kernel/issues/57
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/ss/services.c | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 20a089d0aca8..d3a8f6fbc552 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1584,6 +1584,7 @@ static int compute_sid_handle_invalid_context( struct policydb *policydb = &state->ss->policydb; char *s = NULL, *t = NULL, *n = NULL; u32 slen, tlen, nlen; + struct audit_buffer *ab; if (context_struct_to_string(policydb, scontext, &s, &slen)) goto out; @@ -1591,12 +1592,14 @@ static int compute_sid_handle_invalid_context( goto out; if (context_struct_to_string(policydb, newcontext, &n, &nlen)) goto out; - audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, - "op=security_compute_sid invalid_context=%s" - " scontext=%s" - " tcontext=%s" - " tclass=%s", - n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR); + audit_log_format(ab, + "op=security_compute_sid invalid_context="); + /* no need to record the NUL with untrusted strings */ + audit_log_n_untrustedstring(ab, n, nlen - 1); + audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s", + s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); + audit_log_end(ab); out: kfree(s); kfree(t); @@ -3003,10 +3006,16 @@ int security_sid_mls_copy(struct selinux_state *state, if (rc) { if (!context_struct_to_string(policydb, &newcon, &s, &len)) { - audit_log(audit_context(), - GFP_ATOMIC, AUDIT_SELINUX_ERR, - "op=security_sid_mls_copy " - "invalid_context=%s", s); + struct audit_buffer *ab; + + ab = audit_log_start(audit_context(), + GFP_ATOMIC, + AUDIT_SELINUX_ERR); + audit_log_format(ab, + "op=security_sid_mls_copy invalid_context="); + /* don't record NUL with untrusted strings */ + audit_log_n_untrustedstring(ab, s, len - 1); + audit_log_end(ab); kfree(s); } goto out_unlock; |