[PATCH] selinux: Use kfree_sensitive for certain code paths of security

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ronald Monthero <debug.penguin32@gmail.com>
To: paul@paul-moore.com
Cc: selinux@vger.kernel.org, stephen.smalley.work@gmail.com,
	cgzones@googlemail.com, omosnace@redhat.com,
	Ronald Monthero <debug.penguin32@gmail.com>
Subject: [PATCH] selinux: Use kfree_sensitive for certain code paths of security
Date: Sun, 28 Jan 2024 20:00:35 +1000	[thread overview]
Message-ID: <20240128100035.82170-1-debug.penguin32@gmail.com> (raw)

As with kfree_sensitive() it does kfree() and memzero_explicit()
internally to clear sensitive data. The patch includes some of
the code paths to free data such as keys, hash table and
scontext and tcontext of selinux, which would benefit
from kfree_sensitive() to replace kfree()

Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com>
---
 security/selinux/avc.c            |  4 ++--
 security/selinux/ima.c            |  2 +-
 security/selinux/selinuxfs.c      | 16 ++++++++--------
 security/selinux/ss/conditional.c |  4 ++--
 security/selinux/ss/hashtab.c     |  2 +-
 security/selinux/ss/policydb.c    |  6 +++---
 6 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 32eb67fb3e42..c6d7f52a11c1 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -723,8 +723,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 		audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
 
 	trace_selinux_audited(sad, scontext, tcontext, tclass);
-	kfree(tcontext);
-	kfree(scontext);
+	kfree_sensitive(tcontext);
+	kfree_sensitive(scontext);
 
 	/* in case of invalid context report also the actual context string */
 	rc = security_sid_to_context_inval(sad->ssid, &scontext,
diff --git a/security/selinux/ima.c b/security/selinux/ima.c
index aa34da9b0aeb..b5d923d272a0 100644
--- a/security/selinux/ima.c
+++ b/security/selinux/ima.c
@@ -86,7 +86,7 @@ void selinux_ima_measure_state_locked(void)
 				  state_str, strlen(state_str), false,
 				  NULL, 0);
 
-	kfree(state_str);
+	kfree_sensitive(state_str);
 
 	/*
 	 * Measure SELinux policy only after initialization is completed.
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 6c596ae7fef9..6c2490dbfaa6 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -183,7 +183,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 	}
 	length = count;
 out:
-	kfree(page);
+	kfree_sensitive(page);
 	return length;
 }
 #else
@@ -299,7 +299,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
 	}
 
 out:
-	kfree(page);
+	kfree_sensitive(page);
 	return length;
 }
 
@@ -725,7 +725,7 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
 	selinux_ima_measure_state();
 
 out:
-	kfree(page);
+	kfree_sensitive(page);
 	return length;
 }
 static const struct file_operations sel_checkreqprot_ops = {
@@ -1290,7 +1290,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
 
 out:
 	mutex_unlock(&selinux_state.policy_mutex);
-	kfree(page);
+	kfree_sensitive(page);
 	return length;
 }
 
@@ -1342,7 +1342,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
 
 out:
 	mutex_unlock(&selinux_state.policy_mutex);
-	kfree(page);
+	kfree_sensitive(page);
 	return length;
 }
 
@@ -1481,7 +1481,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file,
 
 	ret = count;
 out:
-	kfree(page);
+	kfree_sensitive(page);
 	return ret;
 }
 
@@ -1831,7 +1831,7 @@ static int sel_make_perm_files(struct selinux_policy *newpolicy,
 out:
 	for (i = 0; i < nperms; i++)
 		kfree(perms[i]);
-	kfree(perms);
+	kfree_sensitive(perms);
 	return rc;
 }
 
@@ -1900,7 +1900,7 @@ static int sel_make_classes(struct selinux_policy *newpolicy,
 out:
 	for (i = 0; i < nclasses; i++)
 		kfree(classes[i]);
-	kfree(classes);
+	kfree_sensitive(classes);
 	return rc;
 }
 
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 81ff676f209a..51409a74eb74 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -176,8 +176,8 @@ int cond_init_bool_indexes(struct policydb *p)
 
 int cond_destroy_bool(void *key, void *datum, void *p)
 {
-	kfree(key);
-	kfree(datum);
+	kfree_sensitive(key);
+	kfree_sensitive(datum);
 	return 0;
 }
 
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index c05d8346a94a..73b867fa4726 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -79,7 +79,7 @@ void hashtab_destroy(struct hashtab *h)
 		h->htable[i] = NULL;
 	}
 
-	kfree(h->htable);
+	kfree_sensitive(h->htable);
 	h->htable = NULL;
 }
 
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 595a435ea9c8..fd58a6a1ef8f 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -179,8 +179,8 @@ static const struct policydb_compat_info *policydb_lookup_compat(unsigned int ve
 
 static int perm_destroy(void *key, void *datum, void *p)
 {
-	kfree(key);
-	kfree(datum);
+	kfree_sensitive(key);
+	kfree_sensitive(datum);
 	return 0;
 }
 
@@ -369,7 +369,7 @@ static void ocontext_destroy(struct ocontext *c, unsigned int i)
 	if (i == OCON_ISID || i == OCON_FS ||
 	    i == OCON_NETIF || i == OCON_FSUSE)
 		kfree(c->u.name);
-	kfree(c);
+	kfree_sensitive(c);
 }
 
 /*
-- 
2.34.1

next             reply	other threads:[~2024-01-28 10:02 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-28 10:00 Ronald Monthero [this message]
2024-01-28 18:05 ` [PATCH] selinux: Use kfree_sensitive for certain code paths of security Casey Schaufler
2024-01-29 21:58 ` Paul Moore
2024-02-07 22:10   ` Ronald Monthero

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:32eb67fb3e4 dfblob:c6d7f52a11c dfblob:aa34da9b0ae
dfblob:b5d923d272a dfblob:6c596ae7fef dfblob:6c2490dbfaa
dfblob:81ff676f209 dfblob:51409a74eb7 dfblob:c05d8346a94
dfblob:73b867fa472 dfblob:595a435ea9c dfblob:fd58a6a1ef8 )
 OR (
bs:"[PATCH] selinux: Use kfree_sensitive for certain code paths of security" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240128100035.82170-1-debug.penguin32@gmail.com \
    --to=debug.penguin32@gmail.com \
    --cc=cgzones@googlemail.com \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.