Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp4419766imm; Mon, 25 Jun 2018 15:38:40 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLeDhM0HwaGeFkyApYZ1bTF6BssYdMbBy37ZwWdtJhH7k7pPz1DHBv4E8TeDsfsdLnH8h/1 X-Received: by 2002:a63:7454:: with SMTP id e20-v6mr12478465pgn.410.1529966320498; Mon, 25 Jun 2018 15:38:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529966320; cv=none; d=google.com; s=arc-20160816; b=Ayhv3fTpObG9q+OMoLiBPZNCZi7zZRGXx4QKVu9zfURHKDjYtcO/j/RwARwQE1BlSr Y67rr8tj+d06sNzwe5YDcBz0xVO50w2VFIJ2tiqWdMpt5YE18u/e48EyOqXAcD8yA0Jx oG/us5YXUcxMg03R/PUkWTVXtxShpCXQBbDA94RXGm17G3Mw7YZoNzM1EVjGoHmn+gQh V/+xTsGDyXEnlNsvGKYmKpT2bjmOX3wxmySM2DmizioFeH19Wfs7PVXAvwjfBqgsiMTH IgMqh+sP9s3dXn17QjkxreBhahwYaz41mGqYt7W4Hg47crc++tibfSSCd2sDuB3eKv9H IfGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=GZfVTcc8WiGZjHviOksOe2oQK9M8l9KVtDaK036ycWU=; b=1AGH1ghcXuGn/vPf1Q+QfYAcP5AgBBbC7eA7shhnmfXQK9fVwvqZNVAS4AP+LPcwWm Qd+mAyp2jr6Tiuzb9FS0rn5NX/MUW06URWGdyUDXyDtaG9M2OpRoE7mgTLHmUwoX5Pok 7T8CuTL7caoXToUx5Sr7mj+hvCYYhdTr0L9WZvhCSmZ6UsoQqbf2sl722bgsrUSaI3rz K+5770FUJBkWRQg7A6znh7ISflGxWhrhrl+5mR+4oc8CUg1DRrO4dDgBdqxd4D0tY/md k63qTYHzziaNcsxmfaBhQoqbn0zFV+MTuhJxuLtbHYD3X5JGX2oU7YCHdp1BticQUGC2 z7Wg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=0UFULaXg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p5-v6si51131pfb.171.2018.06.25.15.38.25; Mon, 25 Jun 2018 15:38:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=0UFULaXg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754803AbeFYWgN (ORCPT + 99 others); Mon, 25 Jun 2018 18:36:13 -0400 Received: from mail-lf0-f66.google.com ([209.85.215.66]:33512 "EHLO mail-lf0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752363AbeFYWgL (ORCPT ); Mon, 25 Jun 2018 18:36:11 -0400 Received: by mail-lf0-f66.google.com with SMTP id b7-v6so4879265lfa.0 for ; Mon, 25 Jun 2018 15:36:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GZfVTcc8WiGZjHviOksOe2oQK9M8l9KVtDaK036ycWU=; b=0UFULaXg14BZBis5bvumFUxM8AEUKDN/tkpaw7EmcTNK7OwRh5KlkeW5W7w8wyC0V3 Q9VEKhEEswzpco7N4FBCdxp407Y9zdGk+T0SpKhJX2EI24ZZ7pN5Kh7VAeshm9wkNeWy U3LxUz3LMi4HV8saeTL5SOuH96tHFzrpTv/5z5nKCS6XzzaackHIB0Tp6XiXA6+CGRMv inLw82bTWyL2wxyls94RyeSAJrNnVb/rxvUhs3KQDv6MO2CS2jAvtTE8BvUiG9VgovPT JNJwxppqhIy1pWbMoKEja1cZecJHZfoed8arcTYMdYEjY99Vm7SKHbuurDpBt/gpZyz/ +gjA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GZfVTcc8WiGZjHviOksOe2oQK9M8l9KVtDaK036ycWU=; b=kavN8m5a/qq6vRFc8gTuE71VbDt94MN9lP7LOc7ejcPs6GJLXC6u/fbZfCuxpWrgUT TS4Z/W044pgkdVq8MRhPeXcua/kVGiZdWL5mVY5ByfCux/9PvPaKnl1nof4EziDgiz/c 7DYxo/qovcwEUk4fM9G9Fuq8fhgfBD0NeNuvQWcWt+uK1pgovbvyZfTMxe8S/Ba1uwyb htN/6BntasJlbSG0w2/7C2KCjQwSkCCVr/i3Cz/bmmm3gDLM/bdnPerlrwESLyznu0s8 lyZOrvTnMiXOfOk/NNrn51w5wTN+IKhCPr9Cv1w4oC1LSoptORqH4dEMwj7sd5r3sgGJ hzvQ== X-Gm-Message-State: APt69E0tL/9b/df0WK0+PpeMeJphJwzzmT53uDnvaN/sFUeO8aXC3KzI 5nFeoZBFjl1lXT211SxYkAVcGJ49eBXidWappN6TR24= X-Received: by 2002:a19:d754:: with SMTP id o81-v6mr3188635lfg.124.1529966170287; Mon, 25 Jun 2018 15:36:10 -0700 (PDT) MIME-Version: 1.0 References: <20180625163425.216965-1-jannh@google.com> In-Reply-To: <20180625163425.216965-1-jannh@google.com> From: Paul Moore Date: Mon, 25 Jun 2018 18:35:59 -0400 Message-ID: Subject: Re: [PATCH] selinux: move user accesses in selinuxfs out of locked regions To: jannh@google.com Cc: Stephen Smalley , Eric Paris , selinux@tycho.nsa.gov, security@kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 25, 2018 at 12:34 PM Jann Horn wrote: > If a user is accessing a file in selinuxfs with a pointer to a userspace > buffer that is backed by e.g. a userfaultfd, the userspace access can > stall indefinitely, which can block fsi->mutex if it is held. > > For sel_read_policy(), remove the locking, since this method doesn't seem > to access anything that requires locking. Forgive me, I'm thinking about this quickly so I could be very wrong here, but isn't the mutex needed to prevent problems in multi-threaded apps hitting the same fd at the same time? > For sel_read_bool(), move the user access below the locked region. > > For sel_write_bool() and sel_commit_bools_write(), move the user access > up above the locked region. > > Cc: stable@vger.kernel.org > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Jann Horn > --- > security/selinux/selinuxfs.c | 77 ++++++++++++++++-------------------- > 1 file changed, 33 insertions(+), 44 deletions(-) > > diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c > index f3d374d2ca04..065f8cea84e3 100644 > --- a/security/selinux/selinuxfs.c > +++ b/security/selinux/selinuxfs.c > @@ -445,18 +445,13 @@ static ssize_t sel_read_policy(struct file *filp, char __user *buf, > struct policy_load_memory *plm = filp->private_data; > int ret; > > - mutex_lock(&fsi->mutex); > - > ret = avc_has_perm(&selinux_state, > current_sid(), SECINITSID_SECURITY, > SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL); > if (ret) > - goto out; > + return ret; > > - ret = simple_read_from_buffer(buf, count, ppos, plm->data, plm->len); > -out: > - mutex_unlock(&fsi->mutex); > - return ret; > + return simple_read_from_buffer(buf, count, ppos, plm->data, plm->len); > } > > static vm_fault_t sel_mmap_policy_fault(struct vm_fault *vmf) > @@ -1188,25 +1183,29 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf, > ret = -EINVAL; > if (index >= fsi->bool_num || strcmp(name, > fsi->bool_pending_names[index])) > - goto out; > + goto out_unlock; > > ret = -ENOMEM; > page = (char *)get_zeroed_page(GFP_KERNEL); > if (!page) > - goto out; > + goto out_unlock; > > cur_enforcing = security_get_bool_value(fsi->state, index); > if (cur_enforcing < 0) { > ret = cur_enforcing; > - goto out; > + goto out_unlock; > } > length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing, > fsi->bool_pending_values[index]); > - ret = simple_read_from_buffer(buf, count, ppos, page, length); > -out: > mutex_unlock(&fsi->mutex); > + ret = simple_read_from_buffer(buf, count, ppos, page, length); > +out_free: > free_page((unsigned long)page); > return ret; > + > +out_unlock: > + mutex_unlock(&fsi->mutex); > + goto out_free; > } > > static ssize_t sel_write_bool(struct file *filep, const char __user *buf, > @@ -1219,6 +1218,17 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf, > unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK; > const char *name = filep->f_path.dentry->d_name.name; > > + if (count >= PAGE_SIZE) > + return -ENOMEM; > + > + /* No partial writes. */ > + if (*ppos != 0) > + return -EINVAL; > + > + page = memdup_user_nul(buf, count); > + if (IS_ERR(page)) > + return PTR_ERR(page); > + > mutex_lock(&fsi->mutex); > > length = avc_has_perm(&selinux_state, > @@ -1233,22 +1243,6 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf, > fsi->bool_pending_names[index])) > goto out; > > - length = -ENOMEM; > - if (count >= PAGE_SIZE) > - goto out; > - > - /* No partial writes. */ > - length = -EINVAL; > - if (*ppos != 0) > - goto out; > - > - page = memdup_user_nul(buf, count); > - if (IS_ERR(page)) { > - length = PTR_ERR(page); > - page = NULL; > - goto out; > - } > - > length = -EINVAL; > if (sscanf(page, "%d", &new_value) != 1) > goto out; > @@ -1280,6 +1274,17 @@ static ssize_t sel_commit_bools_write(struct file *filep, > ssize_t length; > int new_value; > > + if (count >= PAGE_SIZE) > + return -ENOMEM; > + > + /* No partial writes. */ > + if (*ppos != 0) > + return -EINVAL; > + > + page = memdup_user_nul(buf, count); > + if (IS_ERR(page)) > + return PTR_ERR(page); > + > mutex_lock(&fsi->mutex); > > length = avc_has_perm(&selinux_state, > @@ -1289,22 +1294,6 @@ static ssize_t sel_commit_bools_write(struct file *filep, > if (length) > goto out; > > - length = -ENOMEM; > - if (count >= PAGE_SIZE) > - goto out; > - > - /* No partial writes. */ > - length = -EINVAL; > - if (*ppos != 0) > - goto out; > - > - page = memdup_user_nul(buf, count); > - if (IS_ERR(page)) { > - length = PTR_ERR(page); > - page = NULL; > - goto out; > - } > - > length = -EINVAL; > if (sscanf(page, "%d", &new_value) != 1) > goto out; > -- > 2.18.0.rc2.346.g013aa6912e-goog > -- paul moore www.paul-moore.com