References: <20220125145931.56831-1-cgzones@googlemail.com>
In-Reply-To: <20220125145931.56831-1-cgzones@googlemail.com>
From: Paul Moore
Date: Wed, 26 Jan 2022 17:51:16 -0500
Subject: Re: [RFC PATCH] selinux: split no transition execve check
To: Christian Göttsche
Cc: selinux@vger.kernel.org, Stephen Smalley, Eric Paris, "David S. Miller", Ondrej Mosnacek, Jeremy Kerr, Xiong Zhenwu, Tyler Hicks, linux-kernel@vger.kernel.org, selinux-refpolicy@vger.kernel.org
List-ID: selinux-refpolicy@vger.kernel.org

On Tue, Jan 25, 2022 at 9:59 AM Christian Göttsche wrote:
>
> In case a setuid or setgid binary is mislabeled with a generic context,
> either via a policy mistake or a move by the distribution package,
> executing it will be checked by the file permission execute_no_trans on
> the generic file context (e.g. bin_t). The setuid(2)/setgid(2) syscall
> within will then be checked against the unchanged caller process
> context, which might have been granted the capability permission setuid/
> setgid to initially drop privileges. To avoid that scenario, split the
> execute_no_trans permission in case of a setuid/setgid binary into a new
> permission execute_sxid_no_trans.
>
> For backward compatibility this behavior is contained in a new policy
> capability.
>
> Signed-off-by: Christian Göttsche
> ---
>  security/selinux/hooks.c                   | 9 ++++++++-
>  security/selinux/include/classmap.h        | 2 +-
>  security/selinux/include/policycap.h       | 1 +
>  security/selinux/include/policycap_names.h | 3 ++-
>  security/selinux/include/security.h        | 8 ++++++++
>  5 files changed, 20 insertions(+), 3 deletions(-)

Adding the refpolicy list to this thread as their opinion seems
particularly relevant to this discussion. FWIW, this looks reasonable
to me but I would like to hear what others have to say.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 5b6895e4fc29..b825fee39a70 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c > @@ -2348,9 +2348,16 @@ static int selinux_bprm_creds_for_exec(struct linu= x_binprm *bprm) > ad.u.file =3D bprm->file; > > if (new_tsec->sid =3D=3D old_tsec->sid) { > + u32 perm; > + > + if (selinux_policycap_execute_sxid_no_trans() && is_sxid(= inode->i_mode)) > + perm =3D FILE__EXECUTE_SXID_NO_TRANS; > + else > + perm =3D FILE__EXECUTE_NO_TRANS; > + > rc =3D avc_has_perm(&selinux_state, > old_tsec->sid, isec->sid, > - SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, = &ad); > + SECCLASS_FILE, perm, &ad); > if (rc) > return rc; > } else { > diff --git a/security/selinux/include/classmap.h b/security/selinux/inclu= de/classmap.h > index 35aac62a662e..53a1eeeb86fb 100644 > --- a/security/selinux/include/classmap.h > +++ b/security/selinux/include/classmap.h > @@ -65,7 +65,7 @@ struct security_class_mapping secclass_map[] =3D { > "quotaget", "watch", NULL } }, > { "file", > { COMMON_FILE_PERMS, > - "execute_no_trans", "entrypoint", NULL } }, > + "execute_no_trans", "entrypoint", "execute_sxid_no_trans", NU= LL } }, > { "dir", > { COMMON_FILE_PERMS, "add_name", "remove_name", > "reparent", "search", "rmdir", NULL } }, > diff --git a/security/selinux/include/policycap.h b/security/selinux/incl= ude/policycap.h > index 2ec038efbb03..23929dc3e1db 100644 > --- a/security/selinux/include/policycap.h > +++ b/security/selinux/include/policycap.h > @@ -11,6 +11,7 @@ enum { > POLICYDB_CAPABILITY_CGROUPSECLABEL, > POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, > POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, > + POLICYDB_CAPABILITY_EXECUTE_SXID_NO_TRANS, > __POLICYDB_CAPABILITY_MAX > }; > #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) > diff --git a/security/selinux/include/policycap_names.h b/security/selinu= x/include/policycap_names.h > index b89289f092c9..4c014c2cf352 100644 > --- a/security/selinux/include/policycap_names.h > +++ b/security/selinux/include/policycap_names.h 
> @@ -12,7 +12,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILI= TY_MAX] =3D { > "always_check_network", > "cgroup_seclabel", > "nnp_nosuid_transition", > - "genfs_seclabel_symlinks" > + "genfs_seclabel_symlinks", > + "execute_sxid_no_trans", > }; > > #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ > diff --git a/security/selinux/include/security.h b/security/selinux/inclu= de/security.h > index ac0ece01305a..ab95241b6b7b 100644 > --- a/security/selinux/include/security.h > +++ b/security/selinux/include/security.h > @@ -219,6 +219,14 @@ static inline bool selinux_policycap_genfs_seclabel_= symlinks(void) > return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLA= BEL_SYMLINKS]); > } > > +static inline bool selinux_policycap_execute_sxid_no_trans(void) > +{ > + struct selinux_state *state =3D &selinux_state; > + > + return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_EXECUTE_SXI= D_NO_TRANS]); > +} > + > + > struct selinux_policy_convert_data; > > struct selinux_load_state { > -- > 2.34.1 > --=20 paul-moore.com
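Review bot: in the hooks.c hunk the choice of `perm` keys on `is_sxid(inode->i_mode)` alone, so a setuid/setgid binary will be checked against execute_sxid_no_trans even in cases where the kernel will not honour those mode bits on this exec (a nosuid mount, or a caller running with no_new_privs). Demanding the stricter permission there is the conservative outcome and may well be intended, but it should be stated in the commit message, or the condition should be derived from whether the exec can actually change credentials, so policy writers know exactly which binaries need the new permission. Note also that once the capability is enabled an sxid binary is checked only for execute_sxid_no_trans, not for execute_no_trans as well; the policy capability gating makes that safe for existing policies, which is worth saying explicitly.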
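Review bot: in the classmap.h hunk, appending "execute_sxid_no_trans" after "entrypoint" keeps the existing bit positions of the `file` class unchanged, which is what policy compatibility requires, and it is what produces the FILE__EXECUTE_SXID_NO_TRANS constant used in hooks.c via the generated headers. The same name has to be added to the userspace permission declarations (refpolicy's class/permission definitions and any CIL policy) before a policy can grant it, so the commit message should name that dependency.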
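Review bot: in the policycap_names.h hunk the trailing comma added after "genfs_seclabel_symlinks" is welcome, since the previous entry lacked one and every later addition would otherwise touch two lines. The position of "execute_sxid_no_trans" at the end of the array must stay in lock-step with POLICYDB_CAPABILITY_EXECUTE_SXID_NO_TRANS being the last real value in the policycap.h enum; nothing in the visible lines ties the two together other than ordering. The policy-capability name also needs a matching entry in libsepol's capability table before `policycap execute_sxid_no_trans;` can be compiled into a policy, and that userspace change should be referenced from the commit message.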
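Review bot: in the security.h hunk the new helper is followed by two blank lines before `struct selinux_policy_convert_data;` (the added empty `+` line plus the existing blank line); drop one of them to match the single-spaced declarations around it. The accessor itself mirrors selinux_policycap_genfs_seclabel_symlinks() with the same READ_ONCE() pattern and looks correct.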