Fix MAC-before-DAC check for mmap_zero (rhbz 1013466)
This commit is contained in:
parent
70c5e5d572
commit
29008169c9
|
@ -785,6 +785,9 @@ Patch25031: net-fix-for-a-race-condition-in-the-inet-frag-code.patch
|
|||
#rhbz 1027465
|
||||
Patch25032: HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch
|
||||
|
||||
#rhbz 1013466
|
||||
Patch25033: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1526,6 +1529,9 @@ ApplyPatch net-fix-for-a-race-condition-in-the-inet-frag-code.patch
|
|||
#rhbz 1027465
|
||||
ApplyPatch HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch
|
||||
|
||||
#rhbz 1013466
|
||||
ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2338,6 +2344,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Tue Mar 04 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix MAC-before-DAC check for mmap_zero (rhbz 1013466)
|
||||
- Fix hidp crash with apple bluetooth trackpads (rhbz 1027465)
|
||||
|
||||
* Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.5-202
|
||||
|
|
|
@ -0,0 +1,94 @@
|
|||
Bugzilla: 1013466
|
||||
Upstream-status: queued for 3.14/3.15? http://marc.info/?l=selinux&m=139351174702148&w=2
|
||||
|
||||
It turns out that doing the SELinux MAC checks for mmap() before the
|
||||
DAC checks was causing users and the SELinux policy folks headaches
|
||||
as users were seeing a lot of SELinux AVC denials for the
|
||||
memprotect:mmap_zero permission that would have also been denied by
|
||||
the normal DAC capability checks (CAP_SYS_RAWIO).
|
||||
|
||||
Example:
|
||||
|
||||
# cat mmap_test.c
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
int rc;
|
||||
void *mem;
|
||||
|
||||
mem = mmap(0x0, 4096,
|
||||
PROT_READ | PROT_WRITE,
|
||||
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
|
||||
if (mem == MAP_FAILED)
|
||||
return errno;
|
||||
printf("mem = %p\n", mem);
|
||||
munmap(mem, 4096);
|
||||
|
||||
return 0;
|
||||
}
|
||||
# gcc -g -O0 -o mmap_test mmap_test.c
|
||||
# ./mmap_test
|
||||
mem = (nil)
|
||||
# ausearch -m AVC | grep mmap_zero
|
||||
type=AVC msg=audit(...): avc: denied { mmap_zero }
|
||||
for pid=1025 comm="mmap_test"
|
||||
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
|
||||
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
|
||||
tclass=memprotect
|
||||
|
||||
This patch corrects things so that when the above example is run by a
|
||||
user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as
|
||||
the DAC capability check fails before the SELinux permission check.
|
||||
|
||||
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
||||
---
|
||||
security/selinux/hooks.c | 20 ++++++++------------
|
||||
1 file changed, 8 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index 57b0b49..e3664ae 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -3205,24 +3205,20 @@ error:
|
||||
|
||||
static int selinux_mmap_addr(unsigned long addr)
|
||||
{
|
||||
- int rc = 0;
|
||||
- u32 sid = current_sid();
|
||||
+ int rc;
|
||||
+
|
||||
+ /* do DAC check on address space usage */
|
||||
+ rc = cap_mmap_addr(addr);
|
||||
+ if (rc)
|
||||
+ return rc;
|
||||
|
||||
- /*
|
||||
- * notice that we are intentionally putting the SELinux check before
|
||||
- * the secondary cap_file_mmap check. This is such a likely attempt
|
||||
- * at bad behaviour/exploit that we always want to get the AVC, even
|
||||
- * if DAC would have also denied the operation.
|
||||
- */
|
||||
if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
|
||||
+ u32 sid = current_sid();
|
||||
rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
|
||||
MEMPROTECT__MMAP_ZERO, NULL);
|
||||
- if (rc)
|
||||
- return rc;
|
||||
}
|
||||
|
||||
- /* do DAC check on address space usage */
|
||||
- return cap_mmap_addr(addr);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
static int selinux_mmap_file(struct file *file, unsigned long reqprot,
|
||||
|
||||
_______________________________________________
|
||||
Selinux mailing list
|
||||
Selinux@tycho.nsa.gov
|
||||
To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
|
||||
To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
|
Loading…
Reference in New Issue