From: Ondrej Mosnacek <omosnace@redhat.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH] security: fix the logic in security_inode_getsecctx()
Date: Fri, 26 Jan 2024 18:15:45 +0100 [thread overview]
Message-ID: <CAFqZXNvbm9OHvaY5rmO8fxxHCT5T+ne1kj1XiT3yTRMiff5d2A@mail.gmail.com> (raw)
In-Reply-To: <CAEjxPJ6Y4RazpOHabcv12HgMRHCqVe+k8v7f5tQ8fVT9f4QqnQ@mail.gmail.com>
On Fri, Jan 26, 2024 at 5:04 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Jan 26, 2024 at 10:03 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Fri, Jan 26, 2024 at 5:44 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > The inode_getsecctx LSM hook has previously been corrected to have
> > > -EOPNOTSUPP instead of 0 as the default return value to fix BPF LSM
> > > behavior. However, the call_int_hook()-generated loop in
> > > security_inode_getsecctx() was left treating 0 as the neutral value, so
> > > after an LSM returns 0, the loop continues to try other LSMs, and if one
> > > of them returns a non-zero value, the function immediately returns with
> > > said value. So in a situation where SELinux and the BPF LSMs registered
> > > this hook, -EOPNOTSUPP would be incorrectly returned whenever SELinux
> > > returned 0.
> > >
> > > Fix this by open-coding the call_int_hook() loop and making it use the
> > > correct LSM_RET_DEFAULT() value as the neutral one, similar to what
> > > other hooks do.
> > >
> > > Reported-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> > > Link: https://lore.kernel.org/selinux/CAEjxPJ4ev-pasUwGx48fDhnmjBnq_Wh90jYPwRQRAqXxmOKD4Q@mail.gmail.com/
> > > Fixes: b36995b8609a ("lsm: fix default return value for inode_getsecctx")
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > >
> > > I ran 'tools/nfs.sh' on the patch and even though it fixes the most
> > > serious issue that Stephen reported, some of the tests are still
> > > failing under NFS (but I will presume that these are pre-existing issues
> > > not caused by the patch).
> >
> > Do you have a list of the failing tests? For me, it was hanging on
> > unix_socket and thus not getting to many of the tests. I would like to
> > triage the still-failing ones to confirm that they are in fact
> > known/expected failures for NFS.
>
> Applying your patch and removing unix_socket from the tests to be run
> (since it hangs), I get the following failures:
> mac_admin/test (Wstat: 0 Tests: 8 Failed: 2)
> Failed tests: 5-6
> filesystem/ext4/test (Wstat: 512 (exited 2) Tests: 76 Failed: 2)
> Failed tests: 1, 64
> Non-zero exit status: 2
> filesystem/xfs/test (Wstat: 512 (exited 2) Tests: 76 Failed: 2)
> Failed tests: 1, 64
> Non-zero exit status: 2
> filesystem/jfs/test (Wstat: 512 (exited 2) Tests: 83 Failed: 2)
> Failed tests: 1, 71
> Non-zero exit status: 2
> filesystem/vfat/test (Wstat: 512 (exited 2) Tests: 52 Failed: 2)
> Failed tests: 1, 46
> Non-zero exit status: 2
> fs_filesystem/ext4/test (Wstat: 512 (exited 2) Tests: 75 Failed: 2)
> Failed tests: 1, 63
> Non-zero exit status: 2
> fs_filesystem/xfs/test (Wstat: 512 (exited 2) Tests: 75 Failed: 2)
> Failed tests: 1, 63
> Non-zero exit status: 2
> fs_filesystem/jfs/test (Wstat: 512 (exited 2) Tests: 82 Failed: 2)
> Failed tests: 1, 70
> Non-zero exit status: 2
> fs_filesystem/vfat/test (Wstat: 512 (exited 2) Tests: 51 Failed: 2)
> Failed tests: 1, 45
> Non-zero exit status: 2
> Files=77, Tests=1256, 308 wallclock secs ( 0.30 usr 0.10 sys + 6.84
> cusr 21.78 csys = 29.02 CPU)
I got the same ones (I, too, removed unix_socket to allow the rest to run).
--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
next prev parent reply other threads:[~2024-01-26 17:16 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-26 10:44 [PATCH] security: fix the logic in security_inode_getsecctx() Ondrej Mosnacek
2024-01-26 14:32 ` Ondrej Mosnacek
2024-01-26 15:03 ` Stephen Smalley
2024-01-26 16:04 ` Stephen Smalley
2024-01-26 17:15 ` Ondrej Mosnacek [this message]
2024-01-29 19:48 ` Stephen Smalley
2024-01-29 21:55 ` Paul Moore
2024-01-30 15:44 ` Stephen Smalley
2024-01-30 16:31 ` Paul Moore
2024-01-26 16:36 ` Casey Schaufler
2024-01-26 22:18 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFqZXNvbm9OHvaY5rmO8fxxHCT5T+ne1kj1XiT3yTRMiff5d2A@mail.gmail.com \
--to=omosnace@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).