* Re: [PATCH 1/2] selinux: log errors when loading new policy
[not found] ` <1482007719-14313-2-git-send-email-gary.tierney@gmx.com>
@ 2016-12-19 14:43 ` Stephen Smalley
2016-12-19 15:08 ` Steve Grubb
2016-12-19 15:19 ` Gary Tierney
0 siblings, 2 replies; 5+ messages in thread
From: Stephen Smalley @ 2016-12-19 14:43 UTC (permalink / raw)
To: Gary Tierney, selinux; +Cc: linux-audit
On Sat, 2016-12-17 at 20:48 +0000, Gary Tierney wrote:
> Adds error and warning messages to the codepaths which can fail when
> loading a new policy. If a policy fails to load, an error message
> will
> be printed to dmesg with a description of what failed. Previously if
> there was an error during policy loading there would be no indication
> that it failed.
>
> Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> ---
> security/selinux/selinuxfs.c | 26 +++++++++++++++++++++-----
> 1 file changed, 21 insertions(+), 5 deletions(-)
>
> diff --git a/security/selinux/selinuxfs.c
> b/security/selinux/selinuxfs.c
> index 0aac402..2139cc7 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -522,20 +522,32 @@ static ssize_t sel_write_load(struct file
> *file, const char __user *buf,
> goto out;
>
> length = security_load_policy(data, count);
> - if (length)
> + if (length) {
> + pr_err("SELinux: %s: failed to load policy\n",
> + __func__);
Not sure about your usage of pr_err() vs pr_warn();
security_load_policy() may simply fail due to invalid policy from
userspace, not a kernel-internal error per se.
I would tend to omit the function name; I don't think it is especially
helpful.
There was an earlier discussion about augmenting the audit logging from
this function, so this might overlap with that. I don't know where
that stands.
> goto out;
> + }
>
> length = sel_make_bools();
> - if (length)
> + if (length) {
> + pr_warn("SELinux: %s: failed to load policy
> booleans\n",
> + __func__);
> goto out1;
> + }
>
> length = sel_make_classes();
> - if (length)
> + if (length) {
> + pr_warn("SELinux: %s: failed to load policy
> classes\n",
> + __func__);
> goto out1;
> + }
>
> length = sel_make_policycap();
> - if (length)
> + if (length) {
> + pr_warn("SELinux: %s: failed to load policy
> capabilities\n",
> + __func__);
> goto out1;
> + }
>
> length = count;
>
> @@ -1299,9 +1311,13 @@ static int sel_make_bools(void)
>
> isec = (struct inode_security_struct *)inode-
> >i_security;
> ret = security_genfs_sid("selinuxfs", page,
> SECCLASS_FILE, &sid);
> - if (ret)
> + if (ret) {
> + pr_warn_ratelimited("SELinux: %s: failed to
> lookup sid for %s\n",
> + __func__, page);
> goto out;
>
> + }
> +
> isec->sid = sid;
> isec->initialized = LABEL_INITIALIZED;
> inode->i_fop = &sel_bool_ops;
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] selinux: log errors when loading new policy
2016-12-19 14:43 ` [PATCH 1/2] selinux: log errors when loading new policy Stephen Smalley
@ 2016-12-19 15:08 ` Steve Grubb
2016-12-19 15:19 ` Gary Tierney
1 sibling, 0 replies; 5+ messages in thread
From: Steve Grubb @ 2016-12-19 15:08 UTC (permalink / raw)
To: Stephen Smalley; +Cc: linux-audit, selinux
On Monday, December 19, 2016 9:43:06 AM EST Stephen Smalley wrote:
> On Sat, 2016-12-17 at 20:48 +0000, Gary Tierney wrote:
> > Adds error and warning messages to the codepaths which can fail when
> > loading a new policy. If a policy fails to load, an error message
> > will
> > be printed to dmesg with a description of what failed. Previously if
> > there was an error during policy loading there would be no indication
> > that it failed.
> >
> > Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> > ---
> > security/selinux/selinuxfs.c | 26 +++++++++++++++++++++-----
> > 1 file changed, 21 insertions(+), 5 deletions(-)
> >
> > diff --git a/security/selinux/selinuxfs.c
> > b/security/selinux/selinuxfs.c
> > index 0aac402..2139cc7 100644
> > --- a/security/selinux/selinuxfs.c
> > +++ b/security/selinux/selinuxfs.c
> > @@ -522,20 +522,32 @@ static ssize_t sel_write_load(struct file
> > *file, const char __user *buf,
> > goto out;
> >
> > length = security_load_policy(data, count);
> > - if (length)
> > + if (length) {
> > + pr_err("SELinux: %s: failed to load policy\n",
> > + __func__);
>
> Not sure about your usage of pr_err() vs pr_warn();
> security_load_policy() may simply fail due to invalid policy from
> userspace, not a kernel-internal error per se.
>
> I would tend to omit the function name; I don't think it is especially
> helpful.
>
> There was an earlier discussion about augmenting the audit logging from
> this function, so this might overlap with that. I don't know where
> that stands.
I have a new patch that I'm going to send soon that addresses this. But I also
have a second patch that fixes the setboolean auditing as well, but it
deadlocks the system. I talked about it with Paul and I have an idea on how to
fix the deadlock but I haven't sent the updated patches yet. I plan to get to
them later this week.
-Steve
> > goto out;
> > + }
> >
> > length = sel_make_bools();
> > - if (length)
> > + if (length) {
> > + pr_warn("SELinux: %s: failed to load policy
> > booleans\n",
> > + __func__);
> > goto out1;
> > + }
> >
> > length = sel_make_classes();
> > - if (length)
> > + if (length) {
> > + pr_warn("SELinux: %s: failed to load policy
> > classes\n",
> > + __func__);
> > goto out1;
> > + }
> >
> > length = sel_make_policycap();
> > - if (length)
> > + if (length) {
> > + pr_warn("SELinux: %s: failed to load policy
> > capabilities\n",
> > + __func__);
> > goto out1;
> > + }
> >
> > length = count;
> >
> > @@ -1299,9 +1311,13 @@ static int sel_make_bools(void)
> >
> > isec = (struct inode_security_struct *)inode-
> >
> > >i_security;
> >
> > ret = security_genfs_sid("selinuxfs", page,
> > SECCLASS_FILE, &sid);
> > - if (ret)
> > + if (ret) {
> > + pr_warn_ratelimited("SELinux: %s: failed to
> > lookup sid for %s\n",
> > + __func__, page);
> > goto out;
> >
> > + }
> > +
> > isec->sid = sid;
> > isec->initialized = LABEL_INITIALIZED;
> > inode->i_fop = &sel_bool_ops;
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] selinux: log errors when loading new policy
2016-12-19 14:43 ` [PATCH 1/2] selinux: log errors when loading new policy Stephen Smalley
2016-12-19 15:08 ` Steve Grubb
@ 2016-12-19 15:19 ` Gary Tierney
2016-12-19 15:32 ` Stephen Smalley
1 sibling, 1 reply; 5+ messages in thread
From: Gary Tierney @ 2016-12-19 15:19 UTC (permalink / raw)
To: sds; +Cc: selinux, linux-audit
On Mon, Dec 19, 2016 at 09:43:06AM -0500, Stephen Smalley wrote:
> On Sat, 2016-12-17 at 20:48 +0000, Gary Tierney wrote:
> > Adds error and warning messages to the codepaths which can fail when
> > loading a new policy. If a policy fails to load, an error message
> > will
> > be printed to dmesg with a description of what failed. Previously if
> > there was an error during policy loading there would be no indication
> > that it failed.
> >
> > Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> > ---
> > security/selinux/selinuxfs.c | 26 +++++++++++++++++++++-----
> > 1 file changed, 21 insertions(+), 5 deletions(-)
> >
> > diff --git a/security/selinux/selinuxfs.c
> > b/security/selinux/selinuxfs.c
> > index 0aac402..2139cc7 100644
> > --- a/security/selinux/selinuxfs.c
> > +++ b/security/selinux/selinuxfs.c
> > @@ -522,20 +522,32 @@ static ssize_t sel_write_load(struct file
> > *file, const char __user *buf,
> > goto out;
> >
> > length = security_load_policy(data, count);
> > - if (length)
> > + if (length) {
> > + pr_err("SELinux: %s: failed to load policy\n",
> > + __func__);
>
> Not sure about your usage of pr_err() vs pr_warn();
> security_load_policy() may simply fail due to invalid policy from
> userspace, not a kernel-internal error per se.
>
The intention was to make a distinction between failures on or after
security_load_policy(). If security_load_policy() fails then no audit message
will be logged about loading a new policy, so it seemed more appropriate to
treat that case as KERN_ERROR. Though with what you said in mind, it is
probably better to change this to pr_warn() as security_load_policy() is
unlikely to cause an actual kernel-internal error.
> I would tend to omit the function name; I don't think it is especially
> helpful.
>
Agreed. It seems to be used as a convention throughout security/selinux,
though am happy to drop it from the patch.
I was planning to send a v2 with pr_err() swapped for pr_warn() and __func__
dropped from the log message, though keeping in mind that Steve has prepared a
patch for this (also, logging to the audit subsystem might be more
appropriate) would it be better to drop #1 and keep #2?
> There was an earlier discussion about augmenting the audit logging from
> this function, so this might overlap with that. I don't know where
> that stands.
>
> > goto out;
> > + }
> >
> > length = sel_make_bools();
> > - if (length)
> > + if (length) {
> > + pr_warn("SELinux: %s: failed to load policy
> > booleans\n",
> > + __func__);
> > goto out1;
> > + }
> >
> > length = sel_make_classes();
> > - if (length)
> > + if (length) {
> > + pr_warn("SELinux: %s: failed to load policy
> > classes\n",
> > + __func__);
> > goto out1;
> > + }
> >
> > length = sel_make_policycap();
> > - if (length)
> > + if (length) {
> > + pr_warn("SELinux: %s: failed to load policy
> > capabilities\n",
> > + __func__);
> > goto out1;
> > + }
> >
> > length = count;
> >
> > @@ -1299,9 +1311,13 @@ static int sel_make_bools(void)
> >
> > isec = (struct inode_security_struct *)inode-
> > >i_security;
> > ret = security_genfs_sid("selinuxfs", page,
> > SECCLASS_FILE, &sid);
> > - if (ret)
> > + if (ret) {
> > + pr_warn_ratelimited("SELinux: %s: failed to
> > lookup sid for %s\n",
> > + __func__, page);
> > goto out;
> >
> > + }
> > +
> > isec->sid = sid;
> > isec->initialized = LABEL_INITIALIZED;
> > inode->i_fop = &sel_bool_ops;
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] selinux: log errors when loading new policy
2016-12-19 15:19 ` Gary Tierney
@ 2016-12-19 15:32 ` Stephen Smalley
2016-12-19 16:00 ` Gary Tierney
0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2016-12-19 15:32 UTC (permalink / raw)
To: Gary Tierney; +Cc: selinux, linux-audit
On Mon, 2016-12-19 at 15:19 +0000, Gary Tierney wrote:
> On Mon, Dec 19, 2016 at 09:43:06AM -0500, Stephen Smalley wrote:
> >
> > On Sat, 2016-12-17 at 20:48 +0000, Gary Tierney wrote:
> > >
> > > Adds error and warning messages to the codepaths which can fail
> > > when
> > > loading a new policy. If a policy fails to load, an error
> > > message
> > > will
> > > be printed to dmesg with a description of what
> > > failed. Previously if
> > > there was an error during policy loading there would be no
> > > indication
> > > that it failed.
> > >
> > > Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> > > ---
> > > security/selinux/selinuxfs.c | 26 +++++++++++++++++++++-----
> > > 1 file changed, 21 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/security/selinux/selinuxfs.c
> > > b/security/selinux/selinuxfs.c
> > > index 0aac402..2139cc7 100644
> > > --- a/security/selinux/selinuxfs.c
> > > +++ b/security/selinux/selinuxfs.c
> > > @@ -522,20 +522,32 @@ static ssize_t sel_write_load(struct file
> > > *file, const char __user *buf,
> > > goto out;
> > >
> > > length = security_load_policy(data, count);
> > > - if (length)
> > > + if (length) {
> > > + pr_err("SELinux: %s: failed to load policy\n",
> > > + __func__);
> >
> > Not sure about your usage of pr_err() vs pr_warn();
> > security_load_policy() may simply fail due to invalid policy from
> > userspace, not a kernel-internal error per se.
> >
>
> The intention was to make a distinction between failures on or after
> security_load_policy(). If security_load_policy() fails then no
> audit message
> will be logged about loading a new policy, so it seemed more
> appropriate to
> treat that case as KERN_ERROR. Though with what you said in mind, it
> is
> probably better to change this to pr_warn() as security_load_policy()
> is
> unlikely to cause an actual kernel-internal error.
Yes, I tend to view them in the reverse; a failure on
security_load_policy() is just a typical userspace-induced (or OOM)
failure, whereas failure on any of the later calls will leave the
kernel in an inconsistent internal state, so if anything, those should
be the pr_err() cases instead, while security_load_policy() failure
might even need/want a pr_warn_ratelimited() since it can be induced by
userspace (albeit only root with :security load_policy permission).
>
> >
> > I would tend to omit the function name; I don't think it is
> > especially
> > helpful.
> >
>
> Agreed. It seems to be used as a convention throughout
> security/selinux,
> though am happy to drop it from the patch.
>
> I was planning to send a v2 with pr_err() swapped for pr_warn() and
> __func__
> dropped from the log message, though keeping in mind that Steve has
> prepared a
> patch for this (also, logging to the audit subsystem might be more
> appropriate) would it be better to drop #1 and keep #2?
Not sure - I'd have to see Steve's patch or at least hear more details
from him to know whether his patch would obsolete yours or just
complement it.
>
> >
> > There was an earlier discussion about augmenting the audit logging
> > from
> > this function, so this might overlap with that. I don't know where
> > that stands.
> >
> > >
> > > goto out;
> > > + }
> > >
> > > length = sel_make_bools();
> > > - if (length)
> > > + if (length) {
> > > + pr_warn("SELinux: %s: failed to load policy
> > > booleans\n",
> > > + __func__);
> > > goto out1;
> > > + }
> > >
> > > length = sel_make_classes();
> > > - if (length)
> > > + if (length) {
> > > + pr_warn("SELinux: %s: failed to load policy
> > > classes\n",
> > > + __func__);
> > > goto out1;
> > > + }
> > >
> > > length = sel_make_policycap();
> > > - if (length)
> > > + if (length) {
> > > + pr_warn("SELinux: %s: failed to load policy
> > > capabilities\n",
> > > + __func__);
> > > goto out1;
> > > + }
> > >
> > > length = count;
> > >
> > > @@ -1299,9 +1311,13 @@ static int sel_make_bools(void)
> > >
> > > isec = (struct inode_security_struct *)inode-
> > > >
> > > > i_security;
> > > ret = security_genfs_sid("selinuxfs", page,
> > > SECCLASS_FILE, &sid);
> > > - if (ret)
> > > + if (ret) {
> > > + pr_warn_ratelimited("SELinux: %s: failed
> > > to
> > > lookup sid for %s\n",
> > > + __func__, page);
> > > goto out;
> > >
> > > + }
> > > +
> > > isec->sid = sid;
> > > isec->initialized = LABEL_INITIALIZED;
> > > inode->i_fop = &sel_bool_ops;
>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] selinux: log errors when loading new policy
2016-12-19 15:32 ` Stephen Smalley
@ 2016-12-19 16:00 ` Gary Tierney
0 siblings, 0 replies; 5+ messages in thread
From: Gary Tierney @ 2016-12-19 16:00 UTC (permalink / raw)
To: sds; +Cc: selinux, linux-audit
On Mon, Dec 19, 2016 at 10:32:09AM -0500, Stephen Smalley wrote:
> On Mon, 2016-12-19 at 15:19 +0000, Gary Tierney wrote:
> > On Mon, Dec 19, 2016 at 09:43:06AM -0500, Stephen Smalley wrote:
> > >
> > > On Sat, 2016-12-17 at 20:48 +0000, Gary Tierney wrote:
> > > >
> > > > Adds error and warning messages to the codepaths which can fail
> > > > when
> > > > loading a new policy. If a policy fails to load, an error
> > > > message
> > > > will
> > > > be printed to dmesg with a description of what
> > > > failed. Previously if
> > > > there was an error during policy loading there would be no
> > > > indication
> > > > that it failed.
> > > >
> > > > Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> > > > ---
> > > > security/selinux/selinuxfs.c | 26 +++++++++++++++++++++-----
> > > > 1 file changed, 21 insertions(+), 5 deletions(-)
> > > >
> > > > diff --git a/security/selinux/selinuxfs.c
> > > > b/security/selinux/selinuxfs.c
> > > > index 0aac402..2139cc7 100644
> > > > --- a/security/selinux/selinuxfs.c
> > > > +++ b/security/selinux/selinuxfs.c
> > > > @@ -522,20 +522,32 @@ static ssize_t sel_write_load(struct file
> > > > *file, const char __user *buf,
> > > > goto out;
> > > >
> > > > length = security_load_policy(data, count);
> > > > - if (length)
> > > > + if (length) {
> > > > + pr_err("SELinux: %s: failed to load policy\n",
> > > > + __func__);
> > >
> > > Not sure about your usage of pr_err() vs pr_warn();
> > > security_load_policy() may simply fail due to invalid policy from
> > > userspace, not a kernel-internal error per se.
> > >
> >
> > The intention was to make a distinction between failures on or after
> > security_load_policy(). If security_load_policy() fails then no
> > audit message
> > will be logged about loading a new policy, so it seemed more
> > appropriate to
> > treat that case as KERN_ERROR. Though with what you said in mind, it
> > is
> > probably better to change this to pr_warn() as security_load_policy()
> > is
> > unlikely to cause an actual kernel-internal error.
>
> Yes, I tend to view them in the reverse; a failure on
> security_load_policy() is just a typical userspace-induced (or OOM)
> failure, whereas failure on any of the later calls will leave the
> kernel in an inconsistent internal state, so if anything, those should
> be the pr_err() cases instead, while security_load_policy() failure
> might even need/want a pr_warn_ratelimited() since it can be induced by
> userspace (albeit only root with :security load_policy permission).
>
Noted.
> >
> > >
> > > I would tend to omit the function name; I don't think it is
> > > especially
> > > helpful.
> > >
> >
> > Agreed. It seems to be used as a convention throughout
> > security/selinux,
> > though am happy to drop it from the patch.
> >
> > I was planning to send a v2 with pr_err() swapped for pr_warn() and
> > __func__
> > dropped from the log message, though keeping in mind that Steve has
> > prepared a
> > patch for this (also, logging to the audit subsystem might be more
> > appropriate) would it be better to drop #1 and keep #2?
>
> Not sure - I'd have to see Steve's patch or at least hear more details
> from him to know whether his patch would obsolete yours or just
> complement it.
>
Right, I'll spin up a v2 with the recommended changes and CC in Steve for his
feedback.
> >
> > >
> > > There was an earlier discussion about augmenting the audit logging
> > > from
> > > this function, so this might overlap with that. I don't know where
> > > that stands.
> > >
> > > >
> > > > goto out;
> > > > + }
> > > >
> > > > length = sel_make_bools();
> > > > - if (length)
> > > > + if (length) {
> > > > + pr_warn("SELinux: %s: failed to load policy
> > > > booleans\n",
> > > > + __func__);
> > > > goto out1;
> > > > + }
> > > >
> > > > length = sel_make_classes();
> > > > - if (length)
> > > > + if (length) {
> > > > + pr_warn("SELinux: %s: failed to load policy
> > > > classes\n",
> > > > + __func__);
> > > > goto out1;
> > > > + }
> > > >
> > > > length = sel_make_policycap();
> > > > - if (length)
> > > > + if (length) {
> > > > + pr_warn("SELinux: %s: failed to load policy
> > > > capabilities\n",
> > > > + __func__);
> > > > goto out1;
> > > > + }
> > > >
> > > > length = count;
> > > >
> > > > @@ -1299,9 +1311,13 @@ static int sel_make_bools(void)
> > > >
> > > > isec = (struct inode_security_struct *)inode-
> > > > >
> > > > > i_security;
> > > > ret = security_genfs_sid("selinuxfs", page,
> > > > SECCLASS_FILE, &sid);
> > > > - if (ret)
> > > > + if (ret) {
> > > > + pr_warn_ratelimited("SELinux: %s: failed
> > > > to
> > > > lookup sid for %s\n",
> > > > + __func__, page);
> > > > goto out;
> > > >
> > > > + }
> > > > +
> > > > isec->sid = sid;
> > > > isec->initialized = LABEL_INITIALIZED;
> > > > inode->i_fop = &sel_bool_ops;
> >
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-12-19 16:00 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1482007719-14313-1-git-send-email-gary.tierney@gmx.com>
[not found] ` <1482007719-14313-2-git-send-email-gary.tierney@gmx.com>
2016-12-19 14:43 ` [PATCH 1/2] selinux: log errors when loading new policy Stephen Smalley
2016-12-19 15:08 ` Steve Grubb
2016-12-19 15:19 ` Gary Tierney
2016-12-19 15:32 ` Stephen Smalley
2016-12-19 16:00 ` Gary Tierney
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).