* [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. @ 2014-08-04 17:36 Stephen Smalley 2014-08-12 18:01 ` Andy Lutomirski 0 siblings, 1 reply; 11+ messages in thread From: Stephen Smalley @ 2014-08-04 17:36 UTC (permalink / raw) To: selinux; +Cc: Stephen Smalley, luto If the callee SID is bounded by the caller SID, then allowing the transition to occur poses no risk of privilege escalation and we can therefore safely allow the transition to occur. Add this exemption for both the case where a transition was explicitly requested by the application and the case where an automatic transition is defined in policy. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- security/selinux/hooks.c | 59 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 47 insertions(+), 12 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 83d06db..d96c91a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2086,6 +2086,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) /* binprm security operations */ +static int check_nnp_nosuid(const struct linux_binprm *bprm, + const struct task_security_struct *old_tsec, + const struct task_security_struct *new_tsec) +{ + int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); + int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID); + int rc; + + if (!nnp && !nosuid) + return 0; /* neither NNP nor nosuid */ + + if (new_tsec->sid == old_tsec->sid) + return 0; /* No change in credentials */ + + /* + * The only transitions we permit under NNP or nosuid + * are transitions to bounded SIDs, i.e. SIDs that are + * guaranteed to only be allowed a subset of the permissions + * of the current SID. + */ + rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); + if (rc) { + /* + * On failure, preserve the errno values for NNP vs nosuid. + * NNP: Operation not permitted for caller. + * nosuid: Permission denied to file. + */ + if (nnp) + return -EPERM; + else + return -EACCES; + } + return 0; +} + static int selinux_bprm_set_creds(struct linux_binprm *bprm) { const struct task_security_struct *old_tsec; @@ -2122,14 +2157,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) /* Reset exec SID on execve. */ new_tsec->exec_sid = 0; - /* - * Minimize confusion: if no_new_privs or nosuid and a - * transition is explicitly requested, then fail the exec. - */ - if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) - return -EPERM; - if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) - return -EACCES; + /* Fail on NNP or nosuid if not an allowed transition. */ + rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); + if (rc) + return rc; } else { /* Check for a default transition on this program. */ rc = security_transition_sid(old_tsec->sid, isec->sid, @@ -2137,15 +2168,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) &new_tsec->sid); if (rc) return rc; + + /* + * Fallback to old SID on NNP or nosuid if not an allowed + * transition. + */ + rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); + if (rc) + new_tsec->sid = old_tsec->sid; } ad.type = LSM_AUDIT_DATA_PATH; ad.u.path = bprm->file->f_path; - if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) || - (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) - new_tsec->sid = old_tsec->sid; - if (new_tsec->sid == old_tsec->sid) { rc = avc_has_perm(old_tsec->sid, isec->sid, SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-04 17:36 [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID Stephen Smalley @ 2014-08-12 18:01 ` Andy Lutomirski 2014-08-12 18:06 ` Stephen Smalley 0 siblings, 1 reply; 11+ messages in thread From: Andy Lutomirski @ 2014-08-12 18:01 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux-NSA On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > If the callee SID is bounded by the caller SID, then allowing > the transition to occur poses no risk of privilege escalation and we can > therefore safely allow the transition to occur. Add this exemption > for both the case where a transition was explicitly requested by the > application and the case where an automatic transition is defined in > policy. This still wants something like security_bounded_transition_noaudit, right? (Or just a parameter about whether to audit -- there will only be two callers, I think.) --Andy > > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > security/selinux/hooks.c | 59 ++++++++++++++++++++++++++++++++++++++---------- > 1 file changed, 47 insertions(+), 12 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 83d06db..d96c91a 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2086,6 +2086,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) > > /* binprm security operations */ > > +static int check_nnp_nosuid(const struct linux_binprm *bprm, > + const struct task_security_struct *old_tsec, > + const struct task_security_struct *new_tsec) > +{ > + int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); > + int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID); > + int rc; > + > + if (!nnp && !nosuid) > + return 0; /* neither NNP nor nosuid */ > + > + if (new_tsec->sid == old_tsec->sid) > + return 0; /* No change in credentials */ > + > + /* > + * The only transitions we permit under NNP or nosuid > + * are transitions to bounded SIDs, i.e. SIDs that are > + * guaranteed to only be allowed a subset of the permissions > + * of the current SID. > + */ > + rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); > + if (rc) { > + /* > + * On failure, preserve the errno values for NNP vs nosuid. > + * NNP: Operation not permitted for caller. > + * nosuid: Permission denied to file. > + */ > + if (nnp) > + return -EPERM; > + else > + return -EACCES; > + } > + return 0; > +} > + > static int selinux_bprm_set_creds(struct linux_binprm *bprm) > { > const struct task_security_struct *old_tsec; > @@ -2122,14 +2157,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) > /* Reset exec SID on execve. */ > new_tsec->exec_sid = 0; > > - /* > - * Minimize confusion: if no_new_privs or nosuid and a > - * transition is explicitly requested, then fail the exec. > - */ > - if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) > - return -EPERM; > - if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) > - return -EACCES; > + /* Fail on NNP or nosuid if not an allowed transition. */ > + rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); > + if (rc) > + return rc; > } else { > /* Check for a default transition on this program. */ > rc = security_transition_sid(old_tsec->sid, isec->sid, > @@ -2137,15 +2168,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) > &new_tsec->sid); > if (rc) > return rc; > + > + /* > + * Fallback to old SID on NNP or nosuid if not an allowed > + * transition. > + */ > + rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); > + if (rc) > + new_tsec->sid = old_tsec->sid; > } > > ad.type = LSM_AUDIT_DATA_PATH; > ad.u.path = bprm->file->f_path; > > - if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) || > - (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) > - new_tsec->sid = old_tsec->sid; > - > if (new_tsec->sid == old_tsec->sid) { > rc = avc_has_perm(old_tsec->sid, isec->sid, > SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); > -- > 1.8.3.1 > -- Andy Lutomirski AMA Capital Management, LLC ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-12 18:01 ` Andy Lutomirski @ 2014-08-12 18:06 ` Stephen Smalley 2014-08-12 18:56 ` Andy Lutomirski 0 siblings, 1 reply; 11+ messages in thread From: Stephen Smalley @ 2014-08-12 18:06 UTC (permalink / raw) To: Andy Lutomirski; +Cc: SELinux-NSA On 08/12/2014 02:01 PM, Andy Lutomirski wrote: > On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: >> If the callee SID is bounded by the caller SID, then allowing >> the transition to occur poses no risk of privilege escalation and we can >> therefore safely allow the transition to occur. Add this exemption >> for both the case where a transition was explicitly requested by the >> application and the case where an automatic transition is defined in >> policy. > > This still wants something like security_bounded_transition_noaudit, > right? (Or just a parameter about whether to audit -- there will only > be two callers, I think.) I think generating an audit record is correct in this case; the operation would have succeeded if the type were bounded, so it is correct and helpful to report this to the audit log for diagnosing failures. I think Paul's prior objection was that you could end up with an audit record even when the operation succeeded when we allowed the transitions on either a bounded transition or dyntransition permission, but that is no longer the case. > > --Andy > >> >> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> >> --- >> security/selinux/hooks.c | 59 ++++++++++++++++++++++++++++++++++++++---------- >> 1 file changed, 47 insertions(+), 12 deletions(-) >> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >> index 83d06db..d96c91a 100644 >> --- a/security/selinux/hooks.c >> +++ b/security/selinux/hooks.c >> @@ -2086,6 +2086,41 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) >> >> /* binprm security operations */ >> >> +static int check_nnp_nosuid(const struct linux_binprm *bprm, >> + const struct task_security_struct *old_tsec, >> + const struct task_security_struct *new_tsec) >> +{ >> + int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); >> + int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID); >> + int rc; >> + >> + if (!nnp && !nosuid) >> + return 0; /* neither NNP nor nosuid */ >> + >> + if (new_tsec->sid == old_tsec->sid) >> + return 0; /* No change in credentials */ >> + >> + /* >> + * The only transitions we permit under NNP or nosuid >> + * are transitions to bounded SIDs, i.e. SIDs that are >> + * guaranteed to only be allowed a subset of the permissions >> + * of the current SID. >> + */ >> + rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); >> + if (rc) { >> + /* >> + * On failure, preserve the errno values for NNP vs nosuid. >> + * NNP: Operation not permitted for caller. >> + * nosuid: Permission denied to file. >> + */ >> + if (nnp) >> + return -EPERM; >> + else >> + return -EACCES; >> + } >> + return 0; >> +} >> + >> static int selinux_bprm_set_creds(struct linux_binprm *bprm) >> { >> const struct task_security_struct *old_tsec; >> @@ -2122,14 +2157,10 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) >> /* Reset exec SID on execve. */ >> new_tsec->exec_sid = 0; >> >> - /* >> - * Minimize confusion: if no_new_privs or nosuid and a >> - * transition is explicitly requested, then fail the exec. >> - */ >> - if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) >> - return -EPERM; >> - if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) >> - return -EACCES; >> + /* Fail on NNP or nosuid if not an allowed transition. */ >> + rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); >> + if (rc) >> + return rc; >> } else { >> /* Check for a default transition on this program. */ >> rc = security_transition_sid(old_tsec->sid, isec->sid, >> @@ -2137,15 +2168,19 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) >> &new_tsec->sid); >> if (rc) >> return rc; >> + >> + /* >> + * Fallback to old SID on NNP or nosuid if not an allowed >> + * transition. >> + */ >> + rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); >> + if (rc) >> + new_tsec->sid = old_tsec->sid; >> } >> >> ad.type = LSM_AUDIT_DATA_PATH; >> ad.u.path = bprm->file->f_path; >> >> - if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) || >> - (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) >> - new_tsec->sid = old_tsec->sid; >> - >> if (new_tsec->sid == old_tsec->sid) { >> rc = avc_has_perm(old_tsec->sid, isec->sid, >> SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); >> -- >> 1.8.3.1 >> > > > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-12 18:06 ` Stephen Smalley @ 2014-08-12 18:56 ` Andy Lutomirski 2014-08-12 19:08 ` Paul Moore 0 siblings, 1 reply; 11+ messages in thread From: Andy Lutomirski @ 2014-08-12 18:56 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux-NSA On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote: > > On 08/12/2014 02:01 PM, Andy Lutomirski wrote: > > On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > >> If the callee SID is bounded by the caller SID, then allowing > >> the transition to occur poses no risk of privilege escalation and we can > >> therefore safely allow the transition to occur. Add this exemption > >> for both the case where a transition was explicitly requested by the > >> application and the case where an automatic transition is defined in > >> policy. > > > > This still wants something like security_bounded_transition_noaudit, > > right? (Or just a parameter about whether to audit -- there will only > > be two callers, I think.) > > I think generating an audit record is correct in this case; the > operation would have succeeded if the type were bounded, so it is > correct and helpful to report this to the audit log for diagnosing > failures. I think Paul's prior objection was that you could end up with > an audit record even when the operation succeeded when we allowed the > transitions on either a bounded transition or dyntransition permission, > but that is no longer the case. Fair enough. Does this have any chance of making 3.17? --Andy ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-12 18:56 ` Andy Lutomirski @ 2014-08-12 19:08 ` Paul Moore 2014-08-12 19:12 ` Andy Lutomirski 2014-08-12 19:21 ` Stephen Smalley 0 siblings, 2 replies; 11+ messages in thread From: Paul Moore @ 2014-08-12 19:08 UTC (permalink / raw) To: Andy Lutomirski, Stephen Smalley; +Cc: SELinux-NSA On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote: > On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote: > > On 08/12/2014 02:01 PM, Andy Lutomirski wrote: > > > On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote: > > >> If the callee SID is bounded by the caller SID, then allowing > > >> the transition to occur poses no risk of privilege escalation and we > > >> can therefore safely allow the transition to occur. Add this exemption > > >> for both the case where a transition was explicitly requested by the > > >> application and the case where an automatic transition is defined in > > >> policy. > > > > > > This still wants something like security_bounded_transition_noaudit, > > > right? (Or just a parameter about whether to audit -- there will only > > > be two callers, I think.) > > > > I think generating an audit record is correct in this case; the > > operation would have succeeded if the type were bounded, so it is > > correct and helpful to report this to the audit log for diagnosing > > failures. I think Paul's prior objection was that you could end up with > > an audit record even when the operation succeeded when we allowed the > > transitions on either a bounded transition or dyntransition permission, > > but that is no longer the case. > > Fair enough. Yes, the audit problem is no longer an issue and the comments look good to me. > Does this have any chance of making 3.17? No. That ship has sailed. However, I would still like to see some more Reviewed-by/Tested-by mails before we merge this for 3.18. Andy, based on discussion on this thread and previous threads, I assume you're happy with this patch? -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-12 19:08 ` Paul Moore @ 2014-08-12 19:12 ` Andy Lutomirski 2014-08-12 19:21 ` Stephen Smalley 1 sibling, 0 replies; 11+ messages in thread From: Andy Lutomirski @ 2014-08-12 19:12 UTC (permalink / raw) To: Paul Moore; +Cc: Stephen Smalley, SELinux-NSA On Tue, Aug 12, 2014 at 12:08 PM, Paul Moore <paul@paul-moore.com> wrote: > On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote: >> On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote: >> > On 08/12/2014 02:01 PM, Andy Lutomirski wrote: >> > > On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote: >> > >> If the callee SID is bounded by the caller SID, then allowing >> > >> the transition to occur poses no risk of privilege escalation and we >> > >> can therefore safely allow the transition to occur. Add this exemption >> > >> for both the case where a transition was explicitly requested by the >> > >> application and the case where an automatic transition is defined in >> > >> policy. >> > > >> > > This still wants something like security_bounded_transition_noaudit, >> > > right? (Or just a parameter about whether to audit -- there will only >> > > be two callers, I think.) >> > >> > I think generating an audit record is correct in this case; the >> > operation would have succeeded if the type were bounded, so it is >> > correct and helpful to report this to the audit log for diagnosing >> > failures. I think Paul's prior objection was that you could end up with >> > an audit record even when the operation succeeded when we allowed the >> > transitions on either a bounded transition or dyntransition permission, >> > but that is no longer the case. >> >> Fair enough. > > Yes, the audit problem is no longer an issue and the comments look good to me. > >> Does this have any chance of making 3.17? > > No. That ship has sailed. > > However, I would still like to see some more Reviewed-by/Tested-by mails > before we merge this for 3.18. Andy, based on discussion on this thread and > previous threads, I assume you're happy with this patch? Yes. Reviewed-by: Andy Lutomirski <luto@amacapital.net> Not actually tested-by because I don't have the slightest clue how to write a bounded transition rule to test with. --Andy > > -- > paul moore > www.paul-moore.com > -- Andy Lutomirski AMA Capital Management, LLC ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-12 19:08 ` Paul Moore 2014-08-12 19:12 ` Andy Lutomirski @ 2014-08-12 19:21 ` Stephen Smalley 2014-08-12 19:29 ` Andy Lutomirski 2014-08-28 21:36 ` Paul Moore 1 sibling, 2 replies; 11+ messages in thread From: Stephen Smalley @ 2014-08-12 19:21 UTC (permalink / raw) To: Paul Moore, Andy Lutomirski; +Cc: SELinux-NSA [-- Attachment #1: Type: text/plain, Size: 1978 bytes --] On 08/12/2014 03:08 PM, Paul Moore wrote: > On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote: >> On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote: >>> On 08/12/2014 02:01 PM, Andy Lutomirski wrote: >>>> On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote: >>>>> If the callee SID is bounded by the caller SID, then allowing >>>>> the transition to occur poses no risk of privilege escalation and we >>>>> can therefore safely allow the transition to occur. Add this exemption >>>>> for both the case where a transition was explicitly requested by the >>>>> application and the case where an automatic transition is defined in >>>>> policy. >>>> >>>> This still wants something like security_bounded_transition_noaudit, >>>> right? (Or just a parameter about whether to audit -- there will only >>>> be two callers, I think.) >>> >>> I think generating an audit record is correct in this case; the >>> operation would have succeeded if the type were bounded, so it is >>> correct and helpful to report this to the audit log for diagnosing >>> failures. I think Paul's prior objection was that you could end up with >>> an audit record even when the operation succeeded when we allowed the >>> transitions on either a bounded transition or dyntransition permission, >>> but that is no longer the case. >> >> Fair enough. > > Yes, the audit problem is no longer an issue and the comments look good to me. > >> Does this have any chance of making 3.17? > > No. That ship has sailed. > > However, I would still like to see some more Reviewed-by/Tested-by mails > before we merge this for 3.18. Andy, based on discussion on this thread and > previous threads, I assume you're happy with this patch? Attached is the patch for the selinux-testsuite, against git://git.selinuxproject.org/~serge/selinux-testsuite. Once it goes into a kernel I can make the test kernel version-specific and thus ensure it passes on old and new kernels. [-- Attachment #2: 0001-Add-tests-for-bounded-transitions-under-NO_NEW_PRIVS.patch --] [-- Type: text/x-patch, Size: 7215 bytes --] >From b9df9e4ed35e036603143c4ead39c26a3af5787d Mon Sep 17 00:00:00 2001 From: Stephen Smalley <sds@tycho.nsa.gov> Date: Fri, 13 Jun 2014 12:40:16 -0400 Subject: [PATCH] Add tests for bounded transitions under NO_NEW_PRIVS. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- policy/Makefile | 2 +- policy/test_nnp.te | 33 +++++++++++++++++++++++++++++++++ tests/Makefile | 2 +- tests/nnp/Makefile | 7 +++++++ tests/nnp/checkcon.c | 40 ++++++++++++++++++++++++++++++++++++++++ tests/nnp/execnnp.c | 25 +++++++++++++++++++++++++ tests/nnp/test | 42 ++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 149 insertions(+), 2 deletions(-) create mode 100644 policy/test_nnp.te create mode 100644 tests/nnp/Makefile create mode 100644 tests/nnp/checkcon.c create mode 100644 tests/nnp/execnnp.c create mode 100755 tests/nnp/test diff --git a/policy/Makefile b/policy/Makefile index a0a6c88..683f454 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -14,7 +14,7 @@ TARGETS = \ test_entrypoint.te test_execshare.te test_exectrace.te \ test_execute_no_trans.te test_fdreceive.te test_file.te \ test_inherit.te test_ioctl.te test_ipc.te test_link.te test_mkdir.te \ - test_open.te test_ptrace.te test_readlink.te \ + test_nnp.te test_open.te test_ptrace.te test_readlink.te \ test_relabel.te test_rename.te test_rxdir.te test_setattr.te \ test_setnice.te test_sigkill.te test_stat.te test_sysctl.te \ test_task_create.te test_task_getpgid.te test_task_getsched.te \ diff --git a/policy/test_nnp.te b/policy/test_nnp.te new file mode 100644 index 0000000..55eccd8 --- /dev/null +++ b/policy/test_nnp.te @@ -0,0 +1,33 @@ +################################# +# +# Policy for testing NO_NEW_PRIVS transitions. +# + +# A domain bounded by the unconfined domain. +type test_nnp_bounded_t; +domain_type(test_nnp_bounded_t) +typeattribute test_nnp_bounded_t testdomain; +typebounds unconfined_t test_nnp_bounded_t; + +# The entrypoint type for this domain. +type test_nnp_bounded_exec_t; +files_type(test_nnp_bounded_exec_t) +domain_entry_file(test_nnp_bounded_t, test_nnp_bounded_exec_t) + +# Run it! This should succeed on patched kernels, fail on old ones. +unconfined_runs_test(test_nnp_bounded_t) +unconfined_run_to(test_nnp_bounded_t, test_nnp_bounded_exec_t) + +# A domain that is not bounded by the calling domain. +type test_nnp_notbounded_t; +domain_type(test_nnp_notbounded_t) +typeattribute test_nnp_notbounded_t testdomain; + +# The entrypoint type for this domain. +type test_nnp_notbounded_exec_t; +files_type(test_nnp_notbounded_exec_t) +domain_entry_file(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) + +# Run it! This should fail always. +unconfined_runs_test(test_nnp_notbounded_t) +unconfined_run_to(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) diff --git a/tests/Makefile b/tests/Makefile index 5886403..4cfecdf 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -1,6 +1,6 @@ REDHAT_RELEASE=$(shell rpm -q redhat-release) -SUBDIRS=domain_trans entrypoint execshare exectrace execute_no_trans fdreceive inherit link mkdir msg open ptrace readlink relabel rename rxdir sem setattr setnice shm sigkill stat sysctl task_create task_setnice task_setscheduler task_getscheduler task_getsid task_getpgid task_setpgid wait file ioctl capable_file capable_net capable_sys dyntrans dyntrace bounds +SUBDIRS=domain_trans entrypoint execshare exectrace execute_no_trans fdreceive inherit link mkdir msg nnp open ptrace readlink relabel rename rxdir sem setattr setnice shm sigkill stat sysctl task_create task_setnice task_setscheduler task_getscheduler task_getsid task_getpgid task_setpgid wait file ioctl capable_file capable_net capable_sys dyntrans dyntrace bounds #SUBDIRS=socket unix_socket unix_secure ifeq (redhat-release-4, $(findstring redhat-release-4, $(REDHAT_RELEASE))) diff --git a/tests/nnp/Makefile b/tests/nnp/Makefile new file mode 100644 index 0000000..4e8e400 --- /dev/null +++ b/tests/nnp/Makefile @@ -0,0 +1,7 @@ +TARGETS=execnnp checkcon + +LDLIBS += -lselinux + +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git a/tests/nnp/checkcon.c b/tests/nnp/checkcon.c new file mode 100644 index 0000000..1967506 --- /dev/null +++ b/tests/nnp/checkcon.c @@ -0,0 +1,40 @@ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <selinux/selinux.h> +#include <selinux/context.h> + +int main(int argc, char **argv) +{ + char *con = NULL; + context_t c; + const char *type; + int rc; + + if (argc != 2) { + fprintf(stderr, "usage: %s expected-type\n", argv[0]); + exit(-1); + } + + if (getcon(&con) < 0) { + perror("getcon"); + exit(-1); + } + + c = context_new(con); + if (!c) { + perror("context_new"); + exit(-1); + } + + type = context_type_get(c); + if (!type) { + perror("context_type_get"); + exit(-1); + + } + + rc = strcmp(type, argv[1]); + exit(rc); +} diff --git a/tests/nnp/execnnp.c b/tests/nnp/execnnp.c new file mode 100644 index 0000000..9de5967 --- /dev/null +++ b/tests/nnp/execnnp.c @@ -0,0 +1,25 @@ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <sys/prctl.h> + +int main(int argc, char **argv) +{ + int rc; + + if (argc < 2) { + fprintf(stderr, "usage: %s command [args...]\n", argv[0]); + exit(-1); + } + + rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + if (rc < 0) { + perror("prctl PR_SET_NO_NEW_PRIVS"); + exit(-1); + } + + execvp(argv[1], &argv[1]); + perror(argv[1]); + exit(1); +} diff --git a/tests/nnp/test b/tests/nnp/test new file mode 100755 index 0000000..4ac961a --- /dev/null +++ b/tests/nnp/test @@ -0,0 +1,42 @@ +#!/usr/bin/perl + +# Depends on kernel patch with the following subject line: +# selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. + +use Test; +BEGIN { plan tests => 4} + +$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + +# Remove any leftover programs from prior failed runs. +system("rm -f $basedir/true"); + +# Set entrypoint type for bounded domain. +system("chcon -t test_nnp_bounded_exec_t $basedir/checkcon"); + +# Transition to bounded type via setexec. +$result = system("$basedir/execnnp runcon -t test_nnp_bounded_t $basedir/checkcon test_nnp_bounded_t 2>&1"); +ok($result,0); #this should pass + +# Automatic transition to bounded domain via exec. +$result = system("$basedir/execnnp $basedir/checkcon test_nnp_bounded_t 2>&1"); +ok($result,0); #this should pass + +# Use true as an entrypoint program to test ability to exec at all. +system("cp /bin/true $basedir/true"); + +# Set entrypoint type for notbounded domain. +system("chcon -t test_nnp_notbounded_exec_t $basedir/checkcon $basedir/true"); + +# Transition to notbounded domain via setexec. +$result = system("$basedir/execnnp runcon -t test_nnp_notbounded_t $basedir/true 2>&1"); +ok($result); #this should fail + +# Automatic transition to notbounded domain via exec. +$result = system("$basedir/execnnp $basedir/checkcon test_nnp_notbounded_t 2>&1"); +ok($result); #this should fail + +# Cleanup. +system("rm -f $basedir/true"); + +exit; -- 1.9.3 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-12 19:21 ` Stephen Smalley @ 2014-08-12 19:29 ` Andy Lutomirski 2014-08-28 21:36 ` Paul Moore 1 sibling, 0 replies; 11+ messages in thread From: Andy Lutomirski @ 2014-08-12 19:29 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux-NSA On Tue, Aug 12, 2014 at 12:21 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On 08/12/2014 03:08 PM, Paul Moore wrote: >> On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote: >>> On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote: >>>> On 08/12/2014 02:01 PM, Andy Lutomirski wrote: >>>>> On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote: >>>>>> If the callee SID is bounded by the caller SID, then allowing >>>>>> the transition to occur poses no risk of privilege escalation and we >>>>>> can therefore safely allow the transition to occur. Add this exemption >>>>>> for both the case where a transition was explicitly requested by the >>>>>> application and the case where an automatic transition is defined in >>>>>> policy. >>>>> >>>>> This still wants something like security_bounded_transition_noaudit, >>>>> right? (Or just a parameter about whether to audit -- there will only >>>>> be two callers, I think.) >>>> >>>> I think generating an audit record is correct in this case; the >>>> operation would have succeeded if the type were bounded, so it is >>>> correct and helpful to report this to the audit log for diagnosing >>>> failures. I think Paul's prior objection was that you could end up with >>>> an audit record even when the operation succeeded when we allowed the >>>> transitions on either a bounded transition or dyntransition permission, >>>> but that is no longer the case. >>> >>> Fair enough. >> >> Yes, the audit problem is no longer an issue and the comments look good to me. >> >>> Does this have any chance of making 3.17? >> >> No. That ship has sailed. >> >> However, I would still like to see some more Reviewed-by/Tested-by mails >> before we merge this for 3.18. Andy, based on discussion on this thread and >> previous threads, I assume you're happy with this patch? > > Attached is the patch for the selinux-testsuite, > against git://git.selinuxproject.org/~serge/selinux-testsuite. > Once it goes into a kernel I can make the test kernel version-specific > and thus ensure it passes on old and new kernels. > The test case looks good to me. Arguably it could check the error code, too, but that's minor. --Andy ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-12 19:21 ` Stephen Smalley 2014-08-12 19:29 ` Andy Lutomirski @ 2014-08-28 21:36 ` Paul Moore 2014-08-29 13:12 ` Stephen Smalley 1 sibling, 1 reply; 11+ messages in thread From: Paul Moore @ 2014-08-28 21:36 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux-NSA, Andy Lutomirski On Tuesday, August 12, 2014 03:21:14 PM Stephen Smalley wrote: > Attached is the patch for the selinux-testsuite, > against git://git.selinuxproject.org/~serge/selinux-testsuite. > Once it goes into a kernel I can make the test kernel version-specific > and thus ensure it passes on old and new kernels. I just applied the kernel patch to the SELinux next branch and ran the testsuite against it to ensure everything was okay and ran into the problems below: <<<< Running as user root with context unconfined_u:unconfined_r:unconfined_t domain_trans/test ....... ok entrypoint/test ......... ok execshare/test .......... ok exectrace/test .......... ok execute_no_trans/test ... ok fdreceive/test .......... ok inherit/test ............ ok link/test ............... ok mkdir/test .............. ok msg/test ................ ok nnp/test ................ 1/4 # Test 1 got: "32256" (nnp/test at line 19) # Expected: "0" # nnp/test line 19 is: ok($result,0); #this should pass # Test 2 got: "256" (nnp/test at line 23) # Expected: "0" # nnp/test line 23 is: ok($result,0); #this should pass nnp/test ................ Failed 2/4 subtests open/test ............... ok ptrace/test ............. ok readlink/test ........... ok relabel/test ............ ok rename/test ............. ok rxdir/test .............. ok sem/test ................ ok setattr/test ............ ok setnice/test ............ ok shm/test ................ ok sigkill/test ............ ok stat/test ............... ok sysctl/test ............. ok task_create/test ........ ok task_setnice/test ....... ok task_setscheduler/test .. ok task_getscheduler/test .. ok task_getsid/test ........ ok task_getpgid/test ....... ok task_setpgid/test ....... ok wait/test ............... ok file/test ............... ok ioctl/test .............. ok capable_file/test ....... ok capable_net/test ........ ok capable_sys/test ........ ok dyntrans/test ........... ok dyntrace/test ........... ok bounds/test ............. ok <<<< When I run the test by hand using the command line below, the following appears in the audit log: # ls -Z checkcon unconfined_u:object_r:test_nnp_bounded_exec_t:s0 checkcon # ./execnnp runcon -t test_nnp_bounded_t ./checkcon test_nnp_bounded_t runcon: ./checkcon: Permission denied <<<< type=SELINUX_ERR msg=audit(1409261360.961:1953): op=security_compute_av reason=bounds scontext=unconfined_u:unconfined_r:test_nnp_bounded_t:s0- s0:c0.c1023 tcontext=unconfined_u:object_r:test_nnp_bounded_exec_t:s0 tclass=file perms=entrypoint type=AVC msg=audit(1409261360.961:1953): avc: denied { entrypoint } for pid=15556 comm="runcon" path="/root/sources/selinux_testsuite- upstream/tests/nnp/checkcon" dev="vda3" ino=423593 scontext=unconfined_u:unconfined_r:test_nnp_bounded_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_nnp_bounded_exec_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1409261360.961:1953): arch=c000003e syscall=59 success=no exit=-13 a0=7fffd720e76c a1=7fffd720df50 a2=7fffd720df68 a3=6e5f747365743a72 items=0 ppid=4569 pid=15556 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0- s0:c0.c1023 key=(null) <<<< Unfortunately that is about as far as I'm going to be able to get today on this, so I'm tossing this out hoping you'll have an answer before I can touch this next. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-28 21:36 ` Paul Moore @ 2014-08-29 13:12 ` Stephen Smalley 2014-08-29 18:20 ` Paul Moore 0 siblings, 1 reply; 11+ messages in thread From: Stephen Smalley @ 2014-08-29 13:12 UTC (permalink / raw) To: Paul Moore; +Cc: SELinux-NSA, Andy Lutomirski [-- Attachment #1: Type: text/plain, Size: 4387 bytes --] On 08/28/2014 05:36 PM, Paul Moore wrote: > On Tuesday, August 12, 2014 03:21:14 PM Stephen Smalley wrote: >> Attached is the patch for the selinux-testsuite, >> against git://git.selinuxproject.org/~serge/selinux-testsuite. >> Once it goes into a kernel I can make the test kernel version-specific >> and thus ensure it passes on old and new kernels. > > I just applied the kernel patch to the SELinux next branch and ran the > testsuite against it to ensure everything was okay and ran into the problems > below: > > <<<< > Running as user root with context unconfined_u:unconfined_r:unconfined_t > > domain_trans/test ....... ok > entrypoint/test ......... ok > execshare/test .......... ok > exectrace/test .......... ok > execute_no_trans/test ... ok > fdreceive/test .......... ok > inherit/test ............ ok > link/test ............... ok > mkdir/test .............. ok > msg/test ................ ok > nnp/test ................ 1/4 # Test 1 got: "32256" (nnp/test at line 19) > # Expected: "0" > # nnp/test line 19 is: ok($result,0); #this should pass > # Test 2 got: "256" (nnp/test at line 23) > # Expected: "0" > # nnp/test line 23 is: ok($result,0); #this should pass > nnp/test ................ Failed 2/4 subtests This is the output I get on an unpatched kernel. On the patched kernel, all tests pass. > open/test ............... ok > ptrace/test ............. ok > readlink/test ........... ok > relabel/test ............ ok > rename/test ............. ok > rxdir/test .............. ok > sem/test ................ ok > setattr/test ............ ok > setnice/test ............ ok > shm/test ................ ok > sigkill/test ............ ok > stat/test ............... ok > sysctl/test ............. ok > task_create/test ........ ok > task_setnice/test ....... ok > task_setscheduler/test .. ok > task_getscheduler/test .. ok > task_getsid/test ........ ok > task_getpgid/test ....... ok > task_setpgid/test ....... ok > wait/test ............... ok > file/test ............... ok > ioctl/test .............. ok > capable_file/test ....... ok > capable_net/test ........ ok > capable_sys/test ........ ok > dyntrans/test ........... ok > dyntrace/test ........... ok > bounds/test ............. ok > <<<< > > When I run the test by hand using the command line below, the following > appears in the audit log: Just FYI, you can more easily re-run the failed test just by running its test script, e.g. ./nnp/test, rather than manually running individual commands from it. > > # ls -Z checkcon > unconfined_u:object_r:test_nnp_bounded_exec_t:s0 checkcon > # ./execnnp runcon -t test_nnp_bounded_t ./checkcon test_nnp_bounded_t > runcon: ./checkcon: Permission denied > > <<<< > type=SELINUX_ERR msg=audit(1409261360.961:1953): op=security_compute_av > reason=bounds scontext=unconfined_u:unconfined_r:test_nnp_bounded_t:s0- > s0:c0.c1023 tcontext=unconfined_u:object_r:test_nnp_bounded_exec_t:s0 > tclass=file perms=entrypoint Ok, so since your base policy does not allow unconfined_t entrypoint to all file types, it was denied to test_nnp_bounded_t since it is bounded by unconfined_t. > type=AVC msg=audit(1409261360.961:1953): avc: denied { entrypoint } for > pid=15556 comm="runcon" path="/root/sources/selinux_testsuite- > upstream/tests/nnp/checkcon" dev="vda3" ino=423593 > scontext=unconfined_u:unconfined_r:test_nnp_bounded_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:test_nnp_bounded_exec_t:s0 tclass=file > permissive=0 > type=SYSCALL msg=audit(1409261360.961:1953): arch=c000003e syscall=59 > success=no exit=-13 a0=7fffd720e76c a1=7fffd720df50 a2=7fffd720df68 > a3=6e5f747365743a72 items=0 ppid=4569 pid=15556 auid=0 uid=0 gid=0 euid=0 > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="runcon" > exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0- > s0:c0.c1023 key=(null) > <<<< > > Unfortunately that is about as far as I'm going to be able to get today on > this, so I'm tossing this out hoping you'll have an answer before I can touch > this next. It runs fine on Fedora 20. I am guessing you are running on rawhide / Fedora 21, and that this is a difference in your base policy. Try this patch for selinux-testsuite on top of the current one. [-- Attachment #2: 0001-Explicitly-allow-unconfined_t-entrypoint-to-test_nnp.patch --] [-- Type: text/x-patch, Size: 864 bytes --] >From fb7a3f11041213e3babba1b7b65d8aff014799bc Mon Sep 17 00:00:00 2001 From: Stephen Smalley <sds@tycho.nsa.gov> Date: Fri, 29 Aug 2014 08:50:20 -0400 Subject: [PATCH] Explicitly allow unconfined_t entrypoint to test_nnp_bounded_exec_t. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- policy/test_nnp.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/test_nnp.te b/policy/test_nnp.te index 55eccd8..206882d 100644 --- a/policy/test_nnp.te +++ b/policy/test_nnp.te @@ -13,6 +13,7 @@ typebounds unconfined_t test_nnp_bounded_t; type test_nnp_bounded_exec_t; files_type(test_nnp_bounded_exec_t) domain_entry_file(test_nnp_bounded_t, test_nnp_bounded_exec_t) +domain_entry_file(unconfined_t, test_nnp_bounded_exec_t) # Run it! This should succeed on patched kernels, fail on old ones. unconfined_runs_test(test_nnp_bounded_t) -- 1.9.3 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. 2014-08-29 13:12 ` Stephen Smalley @ 2014-08-29 18:20 ` Paul Moore 0 siblings, 0 replies; 11+ messages in thread From: Paul Moore @ 2014-08-29 18:20 UTC (permalink / raw) To: Stephen Smalley; +Cc: SELinux-NSA, Andy Lutomirski On Friday, August 29, 2014 09:12:10 AM Stephen Smalley wrote: > It runs fine on Fedora 20. I am guessing you are running on rawhide / > Fedora 21, and that this is a difference in your base policy. Yep. In general I test the SELinux next patches against Fedora Rawhide. > Try this patch for selinux-testsuite on top of the current one. That solved it, thanks. The kernel patch is now merged upstream and in should be in the next linux-next tree. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2014-08-29 18:20 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-08-04 17:36 [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID Stephen Smalley 2014-08-12 18:01 ` Andy Lutomirski 2014-08-12 18:06 ` Stephen Smalley 2014-08-12 18:56 ` Andy Lutomirski 2014-08-12 19:08 ` Paul Moore 2014-08-12 19:12 ` Andy Lutomirski 2014-08-12 19:21 ` Stephen Smalley 2014-08-12 19:29 ` Andy Lutomirski 2014-08-28 21:36 ` Paul Moore 2014-08-29 13:12 ` Stephen Smalley 2014-08-29 18:20 ` Paul Moore
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.