Fix SELinux wine issue again (rhbz 1013466)
parent
7af24700f0
commit
96eedb8918
@ -736,6 +736,9 @@ Patch25062: 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
|
|||
#rhbz 1089583
|
||||
Patch25064: 0001-HID-rmi-do-not-handle-touchscreens-through-hid-rmi.patch
|
||||
|
||||
#rhbz 1013466
|
||||
Patch25065: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
|
||||
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
@ -1427,6 +1430,9 @@ ApplyPatch mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
|
|||
#rhbz 1071914
|
||||
ApplyPatch USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch
|
||||
|
||||
#rhbz 1013466
|
||||
ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2238,6 +2244,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Wed Apr 23 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix SELinux wine issue again (rhbz 1013466)
|
||||
|
||||
* Tue Apr 22 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Add patch to fix Synaptics touchscreens and HID rmi driver (rhbz 1089583)
|
||||
|
||||
|
|
|
@ -0,0 +1,94 @@
|
|||
Bugzilla: 1013466
|
||||
Upstream-status: 3.15 (commit 98883bfd9d603a2760f6d53eccfaa3ae2c053e72)
|
||||
|
||||
It turns out that doing the SELinux MAC checks for mmap() before the
|
||||
DAC checks was causing users and the SELinux policy folks headaches
|
||||
as users were seeing a lot of SELinux AVC denials for the
|
||||
memprotect:mmap_zero permission that would have also been denied by
|
||||
the normal DAC capability checks (CAP_SYS_RAWIO).
|
||||
|
||||
Example:
|
||||
|
||||
# cat mmap_test.c
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
int rc;
|
||||
void *mem;
|
||||
|
||||
mem = mmap(0x0, 4096,
|
||||
PROT_READ | PROT_WRITE,
|
||||
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
|
||||
if (mem == MAP_FAILED)
|
||||
return errno;
|
||||
printf("mem = %p\n", mem);
|
||||
munmap(mem, 4096);
|
||||
|
||||
return 0;
|
||||
}
|
||||
# gcc -g -O0 -o mmap_test mmap_test.c
|
||||
# ./mmap_test
|
||||
mem = (nil)
|
||||
# ausearch -m AVC | grep mmap_zero
|
||||
type=AVC msg=audit(...): avc: denied { mmap_zero }
|
||||
for pid=1025 comm="mmap_test"
|
||||
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
|
||||
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
|
||||
tclass=memprotect
|
||||
|
||||
This patch corrects things so that when the above example is run by a
|
||||
user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as
|
||||
the DAC capability check fails before the SELinux permission check.
|
||||
|
||||
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
||||
---
|
||||
security/selinux/hooks.c | 20 ++++++++------------
|
||||
1 file changed, 8 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index 57b0b49..e3664ae 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -3205,24 +3205,20 @@ error:
|
||||
|
||||
static int selinux_mmap_addr(unsigned long addr)
|
||||
{
|
||||
- int rc = 0;
|
||||
- u32 sid = current_sid();
|
||||
+ int rc;
|
||||
+
|
||||
+ /* do DAC check on address space usage */
|
||||
+ rc = cap_mmap_addr(addr);
|
||||
+ if (rc)
|
||||
+ return rc;
|
||||
|
||||
- /*
|
||||
- * notice that we are intentionally putting the SELinux check before
|
||||
- * the secondary cap_file_mmap check. This is such a likely attempt
|
||||
- * at bad behaviour/exploit that we always want to get the AVC, even
|
||||
- * if DAC would have also denied the operation.
|
||||
- */
|
||||
if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
|
||||
+ u32 sid = current_sid();
|
||||
rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
|
||||
MEMPROTECT__MMAP_ZERO, NULL);
|
||||
- if (rc)
|
||||
- return rc;
|
||||
}
|
||||
|
||||
- /* do DAC check on address space usage */
|
||||
- return cap_mmap_addr(addr);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
static int selinux_mmap_file(struct file *file, unsigned long reqprot,
|
||||
|
||||
_______________________________________________
|
||||
Selinux mailing list
|
||||
Selinux@tycho.nsa.gov
|
||||
To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
|
||||
To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
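Review bot: The rewritten selinux_mmap_addr keeps only `/* do DAC check on address space usage */` while deleting the block comment that explained why the MAC check used to run first, so the new code no longer records that the ordering is deliberate and a later reader could re-swap it to "restore" the AVC coverage the removed comment argued for. I would extend the surviving comment to `/* do DAC check on address space usage first: a caller without CAP_SYS_RAWIO fails here and does not generate a spurious memprotect:mmap_zero AVC (rhbz 1013466, upstream 98883bfd) */`. For anyone relying on audit data, the patch description itself states the consequence: a low-address mapping attempt by a process without CAP_SYS_RAWIO is still denied but no longer produces the mmap_zero AVC, so detections keyed on that AVC presumably lose those events and should be revisited. The trailing `return rc;` is correct as written, since rc is 0 from the capability check whenever the addr comparison skips the avc_has_perm call.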
|