Re: [PATCH v4] libselinux: Eliminate use of security_compute_user()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <plautrba@redhat.com>,
	Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH v4] libselinux: Eliminate use of security_compute_user()
Date: Mon, 10 Feb 2020 20:10:22 +0100	[thread overview]
Message-ID: <pjdr1z28di9.fsf@redhat.com> (raw)
In-Reply-To: <5e88f99a-555c-9467-4cb4-6949b7cfdc98@tycho.nsa.gov>


Stephen Smalley <sds@tycho.nsa.gov> writes:

> On 2/10/20 1:23 PM, Petr Lautrbach wrote:
>> get_ordered_context_list() code used to ask the kernel to compute the complete
>> set of reachable contexts using /sys/fs/selinux/user aka
>> security_compute_user(). This set can be so huge so that it doesn't fit into a
>> kernel page and security_compute_user() fails. Even if it doesn't fail,
>> get_ordered_context_list() throws away the vast majority of the returned
>> contexts because they don't match anything in
>> /etc/selinux/targeted/contexts/default_contexts or
>> /etc/selinux/targeted/contexts/users/
>> get_ordered_context_list() is rewritten to compute set of contexts based on
>> /etc/selinux/targeted/contexts/users/ and
>> /etc/selinux/targeted/contexts/default_contexts files and to return only valid
>> contexts, using security_check_context(), from this set.
>> Fixes: https://github.com/SELinuxProject/selinux/issues/28
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>
>> diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
>> index 689e46589f30..fb53fd436650 100644
>> --- a/libselinux/src/get_context_list.c
>> +++ b/libselinux/src/get_context_list.c
>> @@ -243,23 +222,84 @@ static int get_context_order(FILE * fp,
>>   		if (*end)
>>   			*end++ = 0;
>>   -		/* Check for a match in the reachable list. */
>> -		rc = find_partialcon(reachable, nreach, start);
>> -		if (rc < 0) {
>> -			/* No match, skip it. */
>> +		/* Check whether a new context is valid */
>> +		if (SIZE_MAX - user_len < strlen(start) + 2) {
>> +			fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
>> +			errno = EINVAL;
>> +			rc = -1;
>> +			goto out;
>> +		}
>> +		usercon_len = user_len + strlen(start) + 2;
>> +		usercon_str = malloc(usercon_len);
>> +		if (!usercon_str) {
>> +			rc = -1;
>> +			goto out;
>> +		}
>> +
>> +		/* set range from fromcon in the new usercon */
>> +		snprintf(usercon_str, usercon_len, "%s:%s", user, start);
>> +		usercon = context_new(usercon_str);
>> +		if (!usercon) {
>> +			if (errno != EINVAL) {
>> +				free(usercon_str);
>> +				rc = -1;
>> +				goto out;
>> +			}
>> +			fprintf(stderr,
>> +				"%s: can't create a context from %s, skipping\n",
>> +				__FUNCTION__, usercon_str);
>> +			free(usercon_str);
>>   			start = end;
>>   			continue;
>
> Feel free to make this a fatal error too; I can't see a valid scenario for it.
> The only cases where context_new() can fail are a syntactically invalid context
> or out of memory.

My idea was that if there's a wrong entry, it would be better to skip it
and try to parse and use the rest.

>>   		}
>
> I think we could lift the free(usercon_str); to here or even immediately after
> the context_new() if we stopped including it in the error message above.  Then
> we don't have to repeat it below multiple times.

I'd like to preserve this string in the error message as it can help users with
investigation problem when there's a wrong syntax or typo.


>> +		if (context_range_set(usercon, fromlevel) != 0) {
>> +			free(usercon_str);
>> +			context_free(usercon);
>> +			rc = -1;
>> +			goto out;
>> +		}
>> +		free(usercon_str);
>> +		usercon_str = context_str(usercon);
>> +		if (!usercon_str) {
>> +			context_free(usercon);
>> +			rc = -1;
>> +			goto out;
>> +		}
>>   -		/* If a match is found and the entry is not already ordered
>> -		   (e.g. due to prior match in prior config file), then set
>> -		   the ordering for it. */
>> -		i = rc;
>> -		if (ordering[i] == nreach)
>> -			ordering[i] = (*nordered)++;
>> +		/* check whether usercon is already in reachable */
>> +		if (is_in_reachable(*reachable, usercon_str)) {
>> +			start = end;
>
> Still need a context_free(usercon); here in order to avoid leaking its memory.
>

I'm sorry I missed it. It will be fixed in the next patch version (hopefully)

>> +			continue;
>
> [...]


-- 
()  ascii ribbon campaign - against html e-mail 
/\  www.asciiribbon.org   - against proprietary attachments

     prev parent reply	other threads:[~2020-02-10 19:10 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-10 18:23 [PATCH v4] libselinux: Eliminate use of security_compute_user() Petr Lautrbach
2020-02-10 18:40 ` Stephen Smalley
2020-02-10 19:10   ` Petr Lautrbach [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=pjdr1z28di9.fsf@redhat.com \
    --to=plautrba@redhat.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.