Message-ID: <8ea4d17a-f2fd-b6a5-b988-0edbc63022f6@ieee.org>
Date: Thu, 27 Jan 2022 08:42:26 -0500
Subject: Re: [RFC PATCH] selinux: split no transition execve check
From: Chris PeBenito
To: Paul Moore, Christian Göttsche
Cc: selinux@vger.kernel.org, Stephen Smalley, Eric Paris, "David S. Miller", Ondrej Mosnacek, Jeremy Kerr, Xiong Zhenwu, Tyler Hicks, linux-kernel@vger.kernel.org, selinux-refpolicy@vger.kernel.org
References: <20220125145931.56831-1-cgzones@googlemail.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/26/22 17:51, Paul Moore wrote:
> On Tue, Jan 25, 2022 at 9:59 AM Christian Göttsche wrote:
>>
>> In case a setuid or setgid binary is mislabeled with a generic context,
>> either via a policy mistake or a move by the distribution package,
>> executing it will be checked by the file permission execute_no_trans on
>> the generic file context (e.g. bin_t). The setuid(2)/setgid(2) syscall
>> within will then be checked against the unchanged caller process
>> context, which might have been granted the capability permission setuid/
>> setgid to initially drop privileges. To avoid that scenario, split the
>> execute_no_trans permission in case of a setuid/setgid binary into a new
>> permission execute_sxid_no_trans.
>>
>> For backward compatibility this behavior is contained in a new policy
>> capability.
>>
>> Signed-off-by: Christian Göttsche
>> ---
>>  security/selinux/hooks.c                   | 9 ++++++++-
>>  security/selinux/include/classmap.h        | 2 +-
>>  security/selinux/include/policycap.h       | 1 +
>>  security/selinux/include/policycap_names.h | 3 ++-
>>  security/selinux/include/security.h        | 8 ++++++++
>>  5 files changed, 20 insertions(+), 3 deletions(-)
>
> Adding the refpolicy list to this thread as their opinion seems
> particularly relevant to this discussion.
>
> FWIW, this looks reasonable to me but I would like to hear what others
> have to say.

I think this is a band-aid to cover up the real problem, which is the mislabeled files.

>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >> index 5b6895e4fc29..b825fee39a70 100644 >> --- a/security/selinux/hooks.c >> +++ b/security/selinux/hooks.c
>> @@ -2348,9 +2348,16 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) >> ad.u.file = bprm->file; >> >> if (new_tsec->sid == old_tsec->sid) { >> + u32 perm; >> + >> + if (selinux_policycap_execute_sxid_no_trans() && is_sxid(inode->i_mode)) >> + perm = FILE__EXECUTE_SXID_NO_TRANS; >> + else >> + perm = FILE__EXECUTE_NO_TRANS; >> + >> rc = avc_has_perm(&selinux_state, >> old_tsec->sid, isec->sid, >> - SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); >> + SECCLASS_FILE, perm, &ad); >> if (rc) >> return rc; >> } else { >> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h >> index 35aac62a662e..53a1eeeb86fb 100644 >> --- a/security/selinux/include/classmap.h >> +++ b/security/selinux/include/classmap.h >> @@ -65,7 +65,7 @@ struct security_class_mapping secclass_map[] = { >> "quotaget", "watch", NULL } }, >> { "file", >> { COMMON_FILE_PERMS, >> - "execute_no_trans", "entrypoint", NULL } }, >> + "execute_no_trans", "entrypoint", "execute_sxid_no_trans", NULL } }, >> { "dir", >> { COMMON_FILE_PERMS, "add_name", "remove_name", >> "reparent", "search", "rmdir", NULL } }, >> diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h >> index 2ec038efbb03..23929dc3e1db 100644 >> --- a/security/selinux/include/policycap.h >> +++ b/security/selinux/include/policycap.h >> @@ -11,6 +11,7 @@ enum { >> POLICYDB_CAPABILITY_CGROUPSECLABEL, >> POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, >> POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, >> + POLICYDB_CAPABILITY_EXECUTE_SXID_NO_TRANS, >> __POLICYDB_CAPABILITY_MAX >> }; >> #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) >> diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h >> index b89289f092c9..4c014c2cf352 100644 >> --- a/security/selinux/include/policycap_names.h >> +++ b/security/selinux/include/policycap_names.h 
>> @@ -12,7 +12,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { >> "always_check_network", >> "cgroup_seclabel", >> "nnp_nosuid_transition", >> - "genfs_seclabel_symlinks" >> + "genfs_seclabel_symlinks", >> + "execute_sxid_no_trans", >> }; >> >> #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ >> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h >> index ac0ece01305a..ab95241b6b7b 100644 >> --- a/security/selinux/include/security.h >> +++ b/security/selinux/include/security.h >> @@ -219,6 +219,14 @@ static inline bool selinux_policycap_genfs_seclabel_symlinks(void) >> return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]); >> } >> >> +static inline bool selinux_policycap_execute_sxid_no_trans(void) >> +{ >> + struct selinux_state *state = &selinux_state; >> + >> + return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_EXECUTE_SXID_NO_TRANS]); >> +} >> + >> + >> struct selinux_policy_convert_data; >> >> struct selinux_load_state { >> -- >> 2.34.1 >> > > -- Chris PeBenito
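Review bot: In the hooks.c hunk, `is_sxid(inode->i_mode)` decides purely on the mode bits, so a setuid/setgid binary on a mount where those bits have no effect (nosuid) would still require execute_sxid_no_trans even though the exec cannot change identity; consider whether the new check should also consult the mount flags, as the existing nosuid handling behind the `nnp_nosuid_transition` capability listed in the policycap_names.h context already distinguishes that case, and state the intended behaviour in the commit message either way. It would also help to note there that, once the capability is on, setuid/setgid files are no longer checked for execute_no_trans at all in the no-transition branch, so a policy that enables it must grant execute_sxid_no_trans wherever it previously relied on execute_no_trans for such helpers.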
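Review bot: In the classmap.h hunk, appending "execute_sxid_no_trans" after "entrypoint" rather than beside "execute_no_trans" is the right placement, because it keeps the existing file permission bit values stable for already-compiled policies; that reasoning belongs in the commit message, together with a reminder that the userspace policy sources (the refpolicy access_vectors and libsepol) need the permission defined before any policy can enable the new capability.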
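Review bot: The security.h hunk leaves two consecutive blank lines after the new selinux_policycap_execute_sxid_no_trans() body (the two bare `+` lines before `struct selinux_policy_convert_data;`); drop one so the spacing matches the policycap helpers above it, which otherwise draws a checkpatch complaint about multiple blank lines.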
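As an added audit helper for the scenario the commit message describes (example code, not part of the patch or of this thread): it mirrors the patched hook's permission selection and reports regular setuid/setgid files whose SELinux label carries the generic bin_t type, i.e. the mislabeled files Chris points at. It assumes a Linux host where labels are readable through the security.selinux xattr, that bin_t is the only generic type of interest, and that the policy capability is enabled when it names the permission checked.

```c
/* Added example, not part of the patch: audits for the mislabeled setuid/setgid
 * case in the commit message. Treating bin_t as the generic type is an assumption. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>

/* Same predicate the hooks.c hunk uses: setuid or setgid bit present. */
static int is_sxid(mode_t mode) { return (mode & (S_ISUID | S_ISGID)) != 0; }

/* Permission the patched no-transition branch checks: the new one only when the
 * policy capability is on and the file is setuid/setgid, else execute_no_trans. */
static const char *no_trans_perm(int policycap_enabled, mode_t mode)
{
	return policycap_enabled && is_sxid(mode) ? "execute_sxid_no_trans" : "execute_no_trans";
}

/* 1 if the type field of a context such as system_u:object_r:bin_t:s0 equals type. */
static int has_type(const char *ctx, const char *type)
{
	const char *p = strchr(ctx, ':');	/* skip the user field */
	p = p ? strchr(p + 1, ':') : NULL;	/* skip the role field */
	if (!p)
		return 0;
	size_t n = strcspn(++p, ":");		/* the type ends at the MLS range, if any */
	return strlen(type) == n && !memcmp(p, type, n);
}

/* Reports a regular setuid/setgid file labeled bin_t; returns 1 when it flagged one. */
static int audit_path(const char *path)
{
	struct stat st;
	char ctx[256];
	if (lstat(path, &st) || !S_ISREG(st.st_mode) || !is_sxid(st.st_mode))
		return 0;
	ssize_t len = lgetxattr(path, "security.selinux", ctx, sizeof(ctx) - 1);
	if (len < 0)				/* no readable SELinux label */
		return 0;
	ctx[len] = '\0';
	if (!has_type(ctx, "bin_t"))		/* assumption: extend for the local policy */
		return 0;
	/* With the capability on, this exec is gated on execute_sxid_no_trans against
	 * bin_t rather than by a domain transition into the helper's own domain. */
	printf("%s: mode %04o, label %s, exec checked as %s\n", path,
	       st.st_mode & 07777, ctx, no_trans_perm(1, st.st_mode));
	return 1;
}
```

To use it, add a main() that calls audit_path() on each candidate path (for example every entry under /usr/bin) and exits non-zero when any call returns 1.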