Received: by 2002:a05:6358:701b:b0:131:369:b2a3 with SMTP id 27csp1230737rwo; Sat, 22 Jul 2023 09:00:08 -0700 (PDT) X-Google-Smtp-Source: APBJJlHSBgYumvxMnNoMyWjDKMtASgW7JRuZYtClbmJGUu+X3AUoMftarrpJLuMffYMEqF1E5QlY X-Received: by 2002:a17:907:7791:b0:97c:64bd:50a5 with SMTP id ky17-20020a170907779100b0097c64bd50a5mr4742611ejc.53.1690041608614; Sat, 22 Jul 2023 09:00:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690041608; cv=none; d=google.com; s=arc-20160816; b=DeHO9OuxOdGHpDyF+xFgV6nv6RLwzzas8MxGcYyNab8K6MquX1twC55k+Nyfz6jc4P 6cnZPAkbVB272Ctg8hTIcBqQXqNfeb9gvV1ffHsUMR0PEGf9YGsdQS9teqFMDeZo2bva H/z61UqulJM3pTOBMOdn4dx5NQwxQQcwxy5vad613VrbMr/fj3C688G+EuwarxEb16ZV OeHuIa6fqtpfASqG+5sS6vvYZHPWVF58cYySf5X567KwTl8LZZf9Vn7wI7OC2VuGI+eU 9Iib2BVy8Spvuezt8CQHiSk+IAmG8qXNrv6uJB5Ka/zwNuTRM7YUDTH+8we7PEtSCvrU roag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=dl3kjTmeisaenWV1hFG6e2Uin26namN1YT4lqRWCihU=; fh=K3/F8HNgdLVvZTca2MgRiiFo3EbS4RqN1caHfm4Dido=; b=bP/PHjH+CYH6I11WftGdSxGZGRkFmWNmEaSZoc2okYABLno8I2kUcipJ0p5FGoBxPa 0+IIeTccUmU+Jou5SqfPnNiJg+To97eugMEFm5nU7fb1jclpKge2VsNHhDK8KwvO5vWR QAJYhqeTp7ZE6HfbCtqh9OFx7L0z2BDTksFQ23yl/XEqoKqT+02Vq6YZXhh+MNtg6Mg9 vvnIaIYzEvYqWFxPhbwCtovrTZAHAzBfSb+PKbUKDdmO8w1uKKTSCPWeZ4yZ0S4sqLHz +QGCeul/6LTPfbYbqWMMlcIcVq8HtcI9kCnnG9HAXdb8oJ67rVPyGSIHOufZx86U91V4 /mJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@googlemail.com header.s=20221208 header.b=CeViR0BA; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s15-20020a170906354f00b00993a37985dfsi3564486eja.179.2023.07.22.09.00.01; Sat, 22 Jul 2023 09:00:08 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@googlemail.com header.s=20221208 header.b=CeViR0BA; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229731AbjGVPN7 (ORCPT + 21 others); Sat, 22 Jul 2023 11:13:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44554 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229456AbjGVPN6 (ORCPT ); Sat, 22 Jul 2023 11:13:58 -0400 Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94AFA26A2; Sat, 22 Jul 2023 08:13:56 -0700 (PDT) Received: by mail-qk1-x729.google.com with SMTP id af79cd13be357-7658430eb5dso300665585a.2; Sat, 22 Jul 2023 08:13:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1690038835; x=1690643635; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=dl3kjTmeisaenWV1hFG6e2Uin26namN1YT4lqRWCihU=; b=CeViR0BABdGBHqwQw1GRZhIX1A7EBB5OfrPuMrXD1avRP+XTnKtHbDq9RAP8hDhAw+ L0v2Hy66z154nlQfpG4rA+zBSu2dBoVNxUr+aBXYmywPHR/Se3pin7hwP1MDHvdcnADQ GL8YAZI2DfXpTD/awJ13PS2KFPyen3vWUc20Yb2urssffc7QfoUX1Bisu1M6tsueoru8 t8B2xtfi4/Hi5/SXmv4oU5OQK7xpERSlOidNW4vgxVsyEEgcuCWQyL5gK+gLD2qTiRNc KlSFTR5+opAZMpAdccZl2cj9a9FuAmT2H7POp5J5sK6Ub5zZCI4u2Gl4n2THHkgOc8nK mkYg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690038835; x=1690643635; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dl3kjTmeisaenWV1hFG6e2Uin26namN1YT4lqRWCihU=; b=QRZG2BmqBgQgf5UcyZx3dnx6me2iY3Yy0oClKYWeZjeIK3j1SfEhwmHIuQxyBRMoKy Y3n4lW4Ib/DqepY+5smHicpORhqqVS0iozV/HmlBG2OPxQ3/Fg8xIZPklC1zHDP1GfH/ 2mSqeb8eCr9U+RiIGQ+mz17AnA9P8ba9XMyAn0+WVv4cFx5ezjRufssDoMc7zwFgRTYJ bAtwI69C6Ble0tEZDa+E7B+36GM56RWorUM2HstaoP0pr/qhl4P2DDAZmqXJruJIl9bD cgxiwDzjNPjQRP82KbkpnUHBSZUADukKjOhclLDWupq1dQfyrDinQ4bM4KhwD1QIXstY lMTQ== X-Gm-Message-State: ABy/qLYVYRVbFgz1vb7ptqoUSwIgHaGeZbqBuRLMyuWEfVAjNCYXEwJk jFhLJyylE0f2Txscy3bdOgC74QY1Ov0bFHROKpLOeMh3KE73NMGB X-Received: by 2002:a05:620a:4610:b0:767:464e:c529 with SMTP id br16-20020a05620a461000b00767464ec529mr3958017qkb.2.1690038835579; Sat, 22 Jul 2023 08:13:55 -0700 (PDT) MIME-Version: 1.0 References: <20220125145931.56831-1-cgzones@googlemail.com> <8ea4d17a-f2fd-b6a5-b988-0edbc63022f6@ieee.org> In-Reply-To: From: =?UTF-8?Q?Christian_G=C3=B6ttsche?= Date: Sat, 22 Jul 2023 17:13:44 +0200 Message-ID: Subject: Re: [RFC PATCH] selinux: split no transition execve check To: selinux@vger.kernel.org Cc: Chris PeBenito , Paul Moore , selinux-refpolicy@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Fri, 28 Jan 2022 at 02:47, Paul Moore wrote: > > On Thu, Jan 27, 2022 at 8:42 AM Chris PeBenito wrote: > > On 1/26/22 17:51, Paul Moore wrote: > > > On Tue, Jan 25, 2022 at 9:59 AM Christian G=C3=B6ttsche > > > wrote: > > >> > > >> In case a setuid or setgid binary is mislabeled with a generic conte= xt, > > >> either via a policy mistake or a move by the distribution package, > > >> executing it will be checked by the file permission execute_no_trans= on > > >> the generic file context (e.g. bin_t). The setuid(2)/setgid(2) sysc= all > > >> within will then be checked against the unchanged caller process > > >> context, which might have been granted the capability permission set= uid/ > > >> setgid to initially drop privileges. To avoid that scenario split t= he > > >> execute_no_trans permission in case of a setuid/setgid binary into a= new > > >> permission execute_sxid_no_trans. > > >> > > >> For backward compatibility this behavior is contained in a new polic= y > > >> capability. > > >> > > >> Signed-off-by: Christian G=C3=B6ttsche > > >> --- > > >> security/selinux/hooks.c | 9 ++++++++- > > >> security/selinux/include/classmap.h | 2 +- > > >> security/selinux/include/policycap.h | 1 + > > >> security/selinux/include/policycap_names.h | 3 ++- > > >> security/selinux/include/security.h | 8 ++++++++ > > >> 5 files changed, 20 insertions(+), 3 deletions(-) > > > > > > Adding the refpolicy list to this thread as their opinion seems > > > particularly relevant to this discussion. > > > > > > FWIW, this looks reasonable to me but I would like to hear what other= s > > > have to say. > > > > I think this a band-aid to cover up the real problem, which is the misl= abeled files. > > It's hard to disagree with that, and the kernel is probably the wrong > place to apply a band-aid unless it is the only option left. > Adding a new datapoint to this RFC: An unprivileged user can via the setuid binary newgrp(1) write arbitrary content to files he can open in write mode but not actually write to, e.g. /proc/sys/kernel/ns_last_pid [1]. This also is reproducible on Fedora where /usr/bin/newgrp has the generic context bin_t, so the write (and capable check) happens in the caller context of unconfined_t. With the proposed permission split applied and instead of granting unconfined_t the new permission execute_sxid_no_trans but relying on an intermediate template domain $1_newgrp_t the access would have been denied, due to lack of permissions of the templated newgrp domain. With a generic file type of bin_t newgrp would not be executable for callers otherwise. Most setuid binaries are already labeled with a private type, newgrp and pkexec are the only ones left on a head-less Fedora system. One could still argue this is a policy neglect, but normally policy neglects result in missing permissions and reduced functionality, not in unintended privilege escalation. [1]: https://github.com/shadow-maint/shadow/pull/758 > > >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > >> index 5b6895e4fc29..b825fee39a70 100644 > > >> --- a/security/selinux/hooks.c > > >> +++ b/security/selinux/hooks.c > > >> @@ -2348,9 +2348,16 @@ static int selinux_bprm_creds_for_exec(struct= linux_binprm *bprm) > > >> ad.u.file =3D bprm->file; > > >> > > >> if (new_tsec->sid =3D=3D old_tsec->sid) { > > >> + u32 perm; > > >> + > > >> + if (selinux_policycap_execute_sxid_no_trans() && is_= sxid(inode->i_mode)) > > >> + perm =3D FILE__EXECUTE_SXID_NO_TRANS; > > >> + else > > >> + perm =3D FILE__EXECUTE_NO_TRANS; > > >> + > > >> rc =3D avc_has_perm(&selinux_state, > > >> old_tsec->sid, isec->sid, > > >> - SECCLASS_FILE, FILE__EXECUTE_NO_TR= ANS, &ad); > > >> + SECCLASS_FILE, perm, &ad); > > >> if (rc) > > >> return rc; > > >> } else { > > >> diff --git a/security/selinux/include/classmap.h b/security/selinux/= include/classmap.h > > >> index 35aac62a662e..53a1eeeb86fb 100644 > > >> --- a/security/selinux/include/classmap.h > > >> +++ b/security/selinux/include/classmap.h > > >> @@ -65,7 +65,7 @@ struct security_class_mapping secclass_map[] =3D { > > >> "quotaget", "watch", NULL } }, > > >> { "file", > > >> { COMMON_FILE_PERMS, > > >> - "execute_no_trans", "entrypoint", NULL } }, > > >> + "execute_no_trans", "entrypoint", "execute_sxid_no_trans= ", NULL } }, > > >> { "dir", > > >> { COMMON_FILE_PERMS, "add_name", "remove_name", > > >> "reparent", "search", "rmdir", NULL } }, > > >> diff --git a/security/selinux/include/policycap.h b/security/selinux= /include/policycap.h > > >> index 2ec038efbb03..23929dc3e1db 100644 > > >> --- a/security/selinux/include/policycap.h > > >> +++ b/security/selinux/include/policycap.h > > >> @@ -11,6 +11,7 @@ enum { > > >> POLICYDB_CAPABILITY_CGROUPSECLABEL, > > >> POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, > > >> POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, > > >> + POLICYDB_CAPABILITY_EXECUTE_SXID_NO_TRANS, > > >> __POLICYDB_CAPABILITY_MAX > > >> }; > > >> #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) > > >> diff --git a/security/selinux/include/policycap_names.h b/security/s= elinux/include/policycap_names.h > > >> index b89289f092c9..4c014c2cf352 100644 > > >> --- a/security/selinux/include/policycap_names.h > > >> +++ b/security/selinux/include/policycap_names.h > > >> @@ -12,7 +12,8 @@ const char *selinux_policycap_names[__POLICYDB_CAP= ABILITY_MAX] =3D { > > >> "always_check_network", > > >> "cgroup_seclabel", > > >> "nnp_nosuid_transition", > > >> - "genfs_seclabel_symlinks" > > >> + "genfs_seclabel_symlinks", > > >> + "execute_sxid_no_trans", > > >> }; > > >> > > >> #endif /* _SELINUX_POLICYCAP_NAMES_H_ */ > > >> diff --git a/security/selinux/include/security.h b/security/selinux/= include/security.h > > >> index ac0ece01305a..ab95241b6b7b 100644 > > >> --- a/security/selinux/include/security.h > > >> +++ b/security/selinux/include/security.h > > >> @@ -219,6 +219,14 @@ static inline bool selinux_policycap_genfs_secl= abel_symlinks(void) > > >> return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS= _SECLABEL_SYMLINKS]); > > >> } > > >> > > >> +static inline bool selinux_policycap_execute_sxid_no_trans(void) > > >> +{ > > >> + struct selinux_state *state =3D &selinux_state; > > >> + > > >> + return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_EXECUT= E_SXID_NO_TRANS]); > > >> +} > > >> + > > >> + > > >> struct selinux_policy_convert_data; > > >> > > >> struct selinux_load_state { > > >> -- > > >> 2.34.1 > > >> > > > > > > > > > > > > -- > > Chris PeBenito > > > > -- > paul-moore.com