is_selinux_enabled() after chroot()

All of lore.kernel.org
 help / color / mirror / Atom feed

* is_selinux_enabled() after chroot()
@ 2018-06-18 19:24 Petr Lautrbach
  2018-06-18 20:06 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2018-06-18 19:24 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 1848 bytes --]

Hello,

libselinux sets selinut_mnt and has_selinux_config only in its constructor and
is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
enabled. But it doesn't work correctly when you use chroot() to a directory without /proc
and /sys/fs/selinux mounted as it was discovered in
https://bugzilla.redhat.com/show_bug.cgi?id=1321375 

In this case, is_selinux_enabled() after chroot() returns true while in a new
program run from chrooted process it returns false. It can be demonstrated by
the steps below.

The solution could be to check if selinux_mnt still exists whenever a function
depending on this is called. Would this be acceptable?




$ sudo dnf --nogpg --installroot=/var/lib/machines/example  install systemd

$ cat > test_libselinux.c <<EOF
#include <selinux/selinux.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  pid_t pid;
  int wstatus;

  if (argc > 1) {
    printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
    return 0;
  }
  if (chroot("/var/lib/machines/example") != 0)
    return -1;

  printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
  printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
  printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config", F_OK));

  if ((pid = fork()) == 0 ) {
    execv("./test_is_selinux_enabled", (char *[]){ "./test_is_selinux_enabled", "chrooted", NULL});
  }

  wait(&wstatus);
  return 0;
}
EOF

$ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux

$ sudo ./test_is_selinux_enabled                            
SELinux in process after chroot(): 1
/sys/fs/selinux exists: -1
/etc/selinux/config exists: -1

SELinux in chrooted process: 0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: is_selinux_enabled() after chroot()
  2018-06-18 19:24 is_selinux_enabled() after chroot() Petr Lautrbach
@ 2018-06-18 20:06 ` Stephen Smalley
  2018-06-19 16:32   ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2018-06-18 20:06 UTC (permalink / raw)
  To: Petr Lautrbach, selinux

On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> Hello,
> 
> libselinux sets selinut_mnt and has_selinux_config only in its constructor and
> is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> enabled. But it doesn't work correctly when you use chroot() to a directory without /proc
> and /sys/fs/selinux mounted as it was discovered in
> https://bugzilla.redhat.com/show_bug.cgi?id=1321375 
> 
> In this case, is_selinux_enabled() after chroot() returns true while in a new
> program run from chrooted process it returns false. It can be demonstrated by
> the steps below.
> 
> The solution could be to check if selinux_mnt still exists whenever a function
> depending on this is called. Would this be acceptable?

You want to call stat() or access(F_OK) on selinux_mnt and/or SELINUXCONFIG in is_selinux_enabled()?
Could potentially trigger a permission check that wasn't previously required, thereby breaking existing policies.
Caller might just be checking to see if SELinux is enabled before using interfaces other than selinuxfs (e.g. setexeccon, setfilecon, etc) and therefore didn't previously need permissions to selinuxfs or /etc/selinux/config.
So, possible but you'd need to make sure you don't break anything.  Definitely don't want that changed in Android.

> 
> 
> 
> 
> $ sudo dnf --nogpg --installroot=/var/lib/machines/example  install systemd
> 
> $ cat > test_libselinux.c <<EOF
> #include <selinux/selinux.h>
> #include <stdio.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <unistd.h>
> 
> int main(int argc, char *argv[]) {
>   pid_t pid;
>   int wstatus;
> 
>   if (argc > 1) {
>     printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
>     return 0;
>   }
>   if (chroot("/var/lib/machines/example") != 0)
>     return -1;
> 
>   printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
>   printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
>   printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config", F_OK));
> 
>   if ((pid = fork()) == 0 ) {
>     execv("./test_is_selinux_enabled", (char *[]){ "./test_is_selinux_enabled", "chrooted", NULL});
>   }
> 
>   wait(&wstatus);
>   return 0;
> }
> EOF
> 
> $ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
> 
> $ sudo ./test_is_selinux_enabled                            
> SELinux in process after chroot(): 1
> /sys/fs/selinux exists: -1
> /etc/selinux/config exists: -1
> 
> SELinux in chrooted process: 0
> 
> 
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: is_selinux_enabled() after chroot()
  2018-06-18 20:06 ` Stephen Smalley
@ 2018-06-19 16:32   ` Petr Lautrbach
  0 siblings, 0 replies; 3+ messages in thread
From: Petr Lautrbach @ 2018-06-19 16:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 3548 bytes --]

On Mon, Jun 18, 2018 at 04:06:11PM -0400, Stephen Smalley wrote:
> On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> > Hello,
> > 
> > libselinux sets selinut_mnt and has_selinux_config only in its constructor and
> > is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> > enabled. But it doesn't work correctly when you use chroot() to a directory without /proc
> > and /sys/fs/selinux mounted as it was discovered in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1321375 
> > 
> > In this case, is_selinux_enabled() after chroot() returns true while in a new
> > program run from chrooted process it returns false. It can be demonstrated by
> > the steps below.
> > 
> > The solution could be to check if selinux_mnt still exists whenever a function
> > depending on this is called. Would this be acceptable?
> 
> You want to call stat() or access(F_OK) on selinux_mnt and/or SELINUXCONFIG in is_selinux_enabled()?

Yes. I was thinking about something like this:

@@ -16,7 +16,7 @@ int is_selinux_enabled(void)
 #ifdef ANDROID
 	return (selinux_mnt ? 1 : 0);
 #else
-	return (selinux_mnt && has_selinux_config);
+	return (selinux_mnt && (access(selinux_mnt, F_OK) == 0) && has_selinux_config);
 #endif
 }

But the problem seems to be more complex and it would probably be better to fix
it on a callers side - mount /sys/fs/selinux and /proc into chroots or do all
SELinux checks before chroot().

> Could potentially trigger a permission check that wasn't previously required, thereby breaking existing policies.
> Caller might just be checking to see if SELinux is enabled before using interfaces other than selinuxfs (e.g. setexeccon, setfilecon, etc) and therefore didn't previously need permissions to selinuxfs or /etc/selinux/config.
> So, possible but you'd need to make sure you don't break anything.  Definitely don't want that changed in Android.
> > 
> > 
> > 
> > 
> > $ sudo dnf --nogpg --installroot=/var/lib/machines/example  install systemd
> > 
> > $ cat > test_libselinux.c <<EOF
> > #include <selinux/selinux.h>
> > #include <stdio.h>
> > #include <sys/types.h>
> > #include <sys/wait.h>
> > #include <unistd.h>
> > 
> > int main(int argc, char *argv[]) {
> >   pid_t pid;
> >   int wstatus;
> > 
> >   if (argc > 1) {
> >     printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
> >     return 0;
> >   }
> >   if (chroot("/var/lib/machines/example") != 0)
> >     return -1;
> > 
> >   printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
> >   printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
> >   printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config", F_OK));
> > 
> >   if ((pid = fork()) == 0 ) {
> >     execv("./test_is_selinux_enabled", (char *[]){ "./test_is_selinux_enabled", "chrooted", NULL});
> >   }
> > 
> >   wait(&wstatus);
> >   return 0;
> > }
> > EOF
> > 
> > $ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
> > 
> > $ sudo ./test_is_selinux_enabled                            
> > SELinux in process after chroot(): 1
> > /sys/fs/selinux exists: -1
> > /etc/selinux/config exists: -1
> > 
> > SELinux in chrooted process: 0
> > 
> > 
> > 
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> > 
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-06-19 16:32 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-18 19:24 is_selinux_enabled() after chroot() Petr Lautrbach
2018-06-18 20:06 ` Stephen Smalley
2018-06-19 16:32   ` Petr Lautrbach

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.