RFE: policydb read validation #72
Draft
+940
−362
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
It's fine if you want to post this as a draft PR here, but technical discussions and formal patch postings must be done on the selinux@vger.kernel.org mailing list. |
Please clang by supplying the missing field initializes:
security/selinux/selinuxfs.c:2004:21: warning: missing field 'ops' initializer [-Wmissing-field-initializers]
2004 | /* last one */ {""}
| ^
./security/selinux/include/classmap.h:182:9: warning: missing field 'perms' initializer [-Wmissing-field-initializers]
182 | { NULL }
| ^
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Integer types starting with a double underscore, like __u32, are intended for usage of variables interacting with user-space. Just use the plain variant. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Align the parameter names between declarations and definitions, and constify read-only parameters. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Constify parameters, add size hints, and simplify control flow. According to godbolt the same assembly is generated. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Avoid using nontransitive comparison to prevent unexpected sorting results due to (well-defined) overflows. See https://www.qualys.com/2024/01/30/qsort.txt for a related issue in glibc's qsort(3). Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The functions context_cmp(), mls_context_cmp() and ebitmap_cmp() are not traditional C style compare functions returning -1, 0, and 1 for less than, equal, and greater than; they only return whether their arguments are equal. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v2: also convert ebitmap_cmp() as suggested by Daniel
Improve type safety and readability by using the known type. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v2: - move one little diff from subsequent patch to this one - reorder struct definition in policydb.h as suggested by Daniel
Store the owned member of type struct mls_level directly in the parent struct instead of an extra heap allocation. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Simplify the call sites, and enable future string validation in a single place. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Security class identifiers are limited to 2^16, thus use the appropriate type u16 consistently. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
force-pushed
the
dev_wip_policadb_read
branch
3 times, most recently
from
ed79d0a to
ff0a443
Compare
Be more strict during parsing of policies and reject invalid values. Add some error messages in the case of policy parse failures, to enhance debugging, either on a malformed policy or a too strict check. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v2: accept unknown xperm specifiers to support backwards compatibility for future ones, suggested by Thiébaud
cgzones
force-pushed
the
dev_wip_policadb_read
branch
from
ff0a443 to
658ac7d
Compare
In multiple places the binary policy announces how many items of some
kind are to be expected next. Before reading them the kernel already
allocates enough memory for that announced size. Validate that the
remaining input size can actually fit the announced items, to avoid OOM
issues on malformed binary policies.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
fix error branch by returning directly instead of jumping to goto
label, see
https://lore.kernel.org/all/202412241405.LK8YTZqp-lkp@intel.com/
Validate constraint expressions during reading the policy. Avoid the usage of BUG() on constraint evaluation, to mitigate malformed policies halting the system. Closes: SELinuxProject/selinux-testsuite#76 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate conditional expressions while reading the policy, to avoid unexpected access decisions on malformed policies. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Introduce an ebitmap function to calculate the highest set bit. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate that no types with an invalid too high ID are present in the attribute map. Gaps are still not checked. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Index as soon as possible to enable isvalid() checks to fail on gaps. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Check that an ID does not refer to a gap in the global array of definitions. Constify parameters of isvalid() function and change return type to bool. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Some symbol tables need to be validated after indexing, since during indexing their referenced entries might not yet have been indexed. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate the types used in bounds checks. Replace the usage of BUG(), to avoid halting the system on malformed polices. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate that the target of AVTAB_TYPE rules and file transitions are simple types and not attributes. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate the characters and the lengths of strings parsed from binary
policies.
* Disallow control characters
* Limit characters of identifiers to alphanumeric, underscore, dash,
and dot
* Limit identifiers in length to 128, expect types to 1024 and
categories to 32, characters (excluding NUL-terminator)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
- add wrappers for str_read() to minimize the usage of magic numbers
- limit sensitivities to a length of 32, to match categories,
suggested by Daniel
cgzones
force-pushed
the
dev_wip_policadb_read
branch
from
658ac7d to
6a550ad
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
From https://lore.kernel.org/selinux/20241115133619.114393-23-cgoettsche@seltendoof.de/:
With the SELinux namespace feature on the horizon it becomes important
to identify and reject malformed policies at load time. Otherwise
memory corruptions can compromise the kernel or NULL-pointer dereferences
and BUG() encounters can bring systems down. Currently this is not a
security relevant issue since loading a policy requires root privileges
and permission of the current loaded SELinux policy, making it one of the
most privileged operation.
The first 9 patches are cleanup commits with overseeable diffs.
Patch 10 unifies the underlying type used for security class identifiers.
Patch 11 to 21 add various checks at policy load time to reject malformed
policies.
Patch 22 needs some discussion:
It limits the valid set of characters and the length for strings defined
by policies. Currently there are no restrictions, so control characters
are accepted, e.g. Esc as part of a type name, and their length can be
arbitrary. Human formatted security contexts however must not be
arbitrarily long, one example is they must fit in a page size for
selinuxfs interaction and network associations.
Thus the patch introduces the following restrictions:
and dot
categories to 32, characters (excluding NUL-terminator)
p.s.:
On a related note to patch 10, the underlying type for types (and type-
attributes) is also not consistent:
In role, range and filename transitions, and the actual datum u32 is
used, while avtables use u16, practically limiting the number of
available types to 65534 (= U16_MAX - 2 (0 and U16_MAX are invalid)).