From: Daniel Burgener <dburgener@linux.microsoft.com>
To: cgzones@googlemail.com, selinux@vger.kernel.org
Subject: Re: [RFC PATCH 00/22] selinux: harden against malformed policies
Date: Mon, 18 Nov 2024 10:35:56 -0500	[thread overview]
Message-ID: <342b4afd-3a1a-41bd-8e2d-63eebb1fbcd2@linux.microsoft.com> (raw)
In-Reply-To: <20241115133619.114393-23-cgoettsche@seltendoof.de>

On 11/15/2024 8:35 AM, Christian Göttsche wrote:
> From: Christian Göttsche <cgzones@googlemail.com>
> 
> With the SELinux namespace feature on the horizon it becomes important
> to identify and reject malformed policies at load time.  Otherwise
> memory corruptions can compromise the kernel or NULL-pointer dereferences
> and BUG() encounters can bring systems down.  Currently this is not a
> security relevant issue since loading a policy requires root privileges
> and permission of the current loaded SELinux policy, making it one of the
> most privileged operations.
> 
> The first 9 patches are cleanup commits with overseeable diffs.
> 
> Patch 10 unifies the underlying type used for security class identifiers.
> 
> Patches 11 to 21 add various checks at policy load time to reject malformed
> policies.
> 
> Patch 22 needs some discussion:
> It limits the valid set of characters and the length for strings defined
> by policies.  Currently there are no restrictions, so control characters
> are accepted, e.g. Esc as part of a type name, and their length can be
> arbitrary.  Human formatted security contexts however must not be
> arbitrarily long, one example is they must fit in a page size for
> selinuxfs interaction and network associations.
> Thus the patch introduces the following restrictions:
>    * Disallow control characters
>    * Limit characters of identifiers to alphanumeric, underscore, dash,
>      and dot
>    * Limit identifiers in length to 128, except types to 1024 and
>      categories to 32, characters (excluding NUL-terminator)

I believe that those first two restrictions match what CIL will do today
(https://github.com/SELinuxProject/selinux/blob/9b4eff9222b24d4b5f2784db281f4f53019263b0/libsepol/cil/src/cil_verify.c#L96),
but the length restriction in CIL is 2048.

https://github.com/SELinuxProject/selinux/blob/9b4eff9222b24d4b5f2784db281f4f53019263b0/libsepol/cil/src/cil_internal.h#L49

I would think that we'd want to end up in a situation where the kernel
is either equally restrictive or less restrictive than CIL.

-Daniel
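As an added illustration of the string rules patch 22 proposes (this is example code written for this page, not code from the patch series or from libsepol): a validator that rejects control characters, allows only alphanumerics, underscore, dash and dot, and enforces the per-kind length limits of 128, 1024 (types) and 32 (categories). The `EXAMPLE_*` names are assumptions; the limits are the ones quoted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Length limits (excluding NUL) as proposed in patch 22. These are
 * assumed names for this example, not the kernel's own definitions. */
#define EXAMPLE_IDENT_MAX    128
#define EXAMPLE_TYPE_MAX     1024
#define EXAMPLE_CATEGORY_MAX 32

enum example_symkind { EXAMPLE_SYM_IDENT, EXAMPLE_SYM_TYPE, EXAMPLE_SYM_CATEGORY };

/* Only [A-Za-z0-9_.-] is permitted; control characters (< 0x20, 0x7f)
 * and non-ASCII bytes fall outside this set and are rejected. */
static bool example_allowed_char(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

/* Validate a policy string of explicit length len (as read from a
 * length-prefixed policy field). Empty strings are rejected as well. */
bool example_policy_str_valid(const char *s, size_t len, enum example_symkind kind)
{
	size_t max;

	switch (kind) {
	case EXAMPLE_SYM_TYPE:     max = EXAMPLE_TYPE_MAX;     break;
	case EXAMPLE_SYM_CATEGORY: max = EXAMPLE_CATEGORY_MAX; break;
	default:                   max = EXAMPLE_IDENT_MAX;    break;
	}
	if (len == 0 || len > max)
		return false;
	for (size_t i = 0; i < len; i++)
		if (!example_allowed_char((unsigned char)s[i]))
			return false;
	return true;
}

/* Helper: validate a constructed string of n 'a' characters, to
 * exercise the length boundary for each kind. */
bool example_valid_run(size_t n, enum example_symkind kind)
{
	char buf[EXAMPLE_TYPE_MAX + 2];

	if (n >= sizeof(buf))
		return false;
	memset(buf, 'a', n);
	buf[n] = '\0';
	return example_policy_str_valid(buf, n, kind);
}
```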
