Commit ea74a685 authored by Richard Guy Briggs's avatar Richard Guy Briggs Committed by Paul Moore
Browse files

selinux: format all invalid context as untrusted 

The userspace tools expect all fields of the same name to be logged
consistently with the same encoding.  Since the invalid_context fields
contain untrusted strings in selinux_inode_setxattr()
and selinux_setprocattr(), encode all instances of this field the same
way as though they were untrusted even though
compute_sid_handle_invalid_context() and security_sid_mls_copy() are
trusted.

Please see github issue
https://github.com/linux-audit/audit-kernel/issues/57



Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 464c258a

security/selinux/ss/services.c

+19 −10
Original line number Original line Diff line number Diff line
@@ -1584,6 +1584,7 @@ static int compute_sid_handle_invalid_context( 
	struct policydb *policydb = &state->ss->policydb;

	struct policydb *policydb = &state->ss->policydb;

	char *s = NULL, *t = NULL, *n = NULL;

	char *s = NULL, *t = NULL, *n = NULL;

	u32 slen, tlen, nlen;

	u32 slen, tlen, nlen;

	struct audit_buffer *ab;





	if (context_struct_to_string(policydb, scontext, &s, &slen))

	if (context_struct_to_string(policydb, scontext, &s, &slen))

		goto out;

		goto out;
@@ -1591,12 +1592,14 @@ static int compute_sid_handle_invalid_context( 
		goto out;

		goto out;

	if (context_struct_to_string(policydb, newcontext, &n, &nlen))

	if (context_struct_to_string(policydb, newcontext, &n, &nlen))

		goto out;

		goto out;

	audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,

	ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);

		  "op=security_compute_sid invalid_context=%s"

	audit_log_format(ab,

		  " scontext=%s"

			 "op=security_compute_sid invalid_context=");

		  " tcontext=%s"

	/* no need to record the NUL with untrusted strings */

		  " tclass=%s",

	audit_log_n_untrustedstring(ab, n, nlen - 1);

		  n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1));

	audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s",

			 s, t, sym_name(policydb, SYM_CLASSES, tclass-1));

	audit_log_end(ab);

out:

out:

	kfree(s);

	kfree(s);

	kfree(t);

	kfree(t);
@@ -3003,10 +3006,16 @@ int security_sid_mls_copy(struct selinux_state *state, 
		if (rc) {

		if (rc) {

			if (!context_struct_to_string(policydb, &newcon, &s,

			if (!context_struct_to_string(policydb, &newcon, &s,

						      &len)) {

						      &len)) {

				audit_log(audit_context(),

				struct audit_buffer *ab;

					  GFP_ATOMIC, AUDIT_SELINUX_ERR,



					  "op=security_sid_mls_copy "

				ab = audit_log_start(audit_context(),

					  "invalid_context=%s", s);

						     GFP_ATOMIC,

						     AUDIT_SELINUX_ERR);

				audit_log_format(ab,

						 "op=security_sid_mls_copy invalid_context=");

				/* don't record NUL with untrusted strings */

				audit_log_n_untrustedstring(ab, s, len - 1);

				audit_log_end(ab);

				kfree(s);

				kfree(s);

			}

			}

			goto out_unlock;

			goto out_unlock;

CRA Git | Maintained and supported by SUSTech CRA and CCSE