Fix MAC-before-DAC check for mmap_zero (rhbz 1013466)

kernel.spec

@@ -791,6 +791,9 @@ Patch25031: net-fix-for-a-race-condition-in-the-inet-frag-code.patch
 #rhbz 1027465
 Patch25032: HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch
 
+#rhbz 1013466
+Patch25033: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1528,6 +1531,9 @@ ApplyPatch net-fix-for-a-race-condition-in-the-inet-frag-code.patch
 #rhbz 1027465
 ApplyPatch HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch
 
+#rhbz 1013466
+ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2341,6 +2347,7 @@ fi
 
 %changelog
 * Tue Mar 04 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix MAC-before-DAC check for mmap_zero (rhbz 1013466)
 - Fix hidp crash with apple bluetooth trackpads (rhbz 1027465)
 
 * Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.5-103

selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch

@@ -0,0 +1,94 @@
+Bugzilla: 1013466
+Upstream-status: queued for 3.14/3.15? http://marc.info/?l=selinux&m=139351174702148&w=2
+
+It turns out that doing the SELinux MAC checks for mmap() before the
+DAC checks was causing users and the SELinux policy folks headaches
+as users were seeing a lot of SELinux AVC denials for the
+memprotect:mmap_zero permission that would have also been denied by
+the normal DAC capability checks (CAP_SYS_RAWIO).
+
+Example:
+
+ # cat mmap_test.c
+  #include <stdlib.h>
+  #include <stdio.h>
+  #include <errno.h>
+  #include <sys/mman.h>
+
+  int main(int argc, char *argv[])
+  {
+        int rc;
+        void *mem;
+
+        mem = mmap(0x0, 4096,
+                   PROT_READ | PROT_WRITE,
+                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+        if (mem == MAP_FAILED)
+                return errno;
+        printf("mem = %p\n", mem);
+        munmap(mem, 4096);
+
+        return 0;
+  }
+ # gcc -g -O0 -o mmap_test mmap_test.c
+ # ./mmap_test
+ mem = (nil)
+ # ausearch -m AVC | grep mmap_zero
+ type=AVC msg=audit(...): avc:  denied  { mmap_zero }
+   for pid=1025 comm="mmap_test"
+   scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+   tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+   tclass=memprotect
+
+This patch corrects things so that when the above example is run by a
+user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as
+the DAC capability check fails before the SELinux permission check.
+
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+---
+ security/selinux/hooks.c |   20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 57b0b49..e3664ae 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3205,24 +3205,20 @@ error:
+ 
+ static int selinux_mmap_addr(unsigned long addr)
+ {
+-	int rc = 0;
+-	u32 sid = current_sid();
++	int rc;
++
++	/* do DAC check on address space usage */
++	rc = cap_mmap_addr(addr);
++	if (rc)
++		return rc;
+ 
+-	/*
+-	 * notice that we are intentionally putting the SELinux check before
+-	 * the secondary cap_file_mmap check.  This is such a likely attempt
+-	 * at bad behaviour/exploit that we always want to get the AVC, even
+-	 * if DAC would have also denied the operation.
+-	 */
+ 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
++		u32 sid = current_sid();
+ 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
+ 				  MEMPROTECT__MMAP_ZERO, NULL);
+-		if (rc)
+-			return rc;
+ 	}
+ 
+-	/* do DAC check on address space usage */
+-	return cap_mmap_addr(addr);
++	return rc;
+ }
+ 
+ static int selinux_mmap_file(struct file *file, unsigned long reqprot,
+
+_______________________________________________
+Selinux mailing list
+Selinux@tycho.nsa.gov
+To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
+To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.