From: Paul Moore <paul@paul-moore.com>
To: "Christian Göttsche" <cgoettsche@seltendoof.de>, selinux@vger.kernel.org
Cc: "Christian Göttsche" <cgzones@googlemail.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Ondrej Mosnacek" <omosnace@redhat.com>,
"Nathan Chancellor" <nathan@kernel.org>,
"Nick Desaulniers" <ndesaulniers@google.com>,
"Bill Wendling" <morbo@google.com>,
"Justin Stitt" <justinstitt@google.com>,
"Thiébaud Weksteen" <tweek@google.com>,
"Bram Bonné" <brambonne@google.com>,
"Masahiro Yamada" <masahiroy@kernel.org>,
linux-kernel@vger.kernel.org, llvm@lists.linux.dev,
"Casey Schaufler" <casey@schaufler-ca.com>,
"John Johansen" <john.johansen@canonical.com>,
"GUO Zihua" <guozihua@huawei.com>,
"Canfeng Guo" <guocanfeng@uniontech.com>
Subject: Re: [PATCH RFC v2 10/22] selinux: use u16 for security classes
Date: Tue, 07 Jan 2025 22:00:04 -0500 [thread overview]
Message-ID: <06eb43271d150c5003b00baef7350161@paul-moore.com> (raw)
In-Reply-To: <20241216164055.96267-10-cgoettsche@seltendoof.de>
On Dec 16, 2024 =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgoettsche@seltendoof.de> wrote:
>
> Security class identifiers are limited to 2^16, thus use the appropriate
> type u16 consistently.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> security/selinux/ss/policydb.c | 52 +++++++++++++++++++++++++---------
> security/selinux/ss/policydb.h | 10 +++----
> security/selinux/ss/services.c | 2 +-
> 3 files changed, 45 insertions(+), 19 deletions(-)
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 2408c3e8ae39..eeca470cc90c 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -927,7 +927,7 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
> return 0;
> }
>
> -int policydb_class_isvalid(struct policydb *p, unsigned int class)
> +int policydb_class_isvalid(struct policydb *p, u16 class)
> {
> if (!class || class > p->p_classes.nprim)
> return 0;
> @@ -1321,7 +1321,7 @@ static int class_read(struct policydb *p, struct symtab *s, struct policy_file *
> char *key = NULL;
> struct class_datum *cladatum;
> __le32 buf[6];
> - u32 i, len, len2, ncons, nel;
> + u32 i, len, len2, ncons, nel, val;
> int rc;
>
> cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
> @@ -1334,9 +1334,14 @@ static int class_read(struct policydb *p, struct symtab *s, struct policy_file *
>
> len = le32_to_cpu(buf[0]);
> len2 = le32_to_cpu(buf[1]);
> - cladatum->value = le32_to_cpu(buf[2]);
> nel = le32_to_cpu(buf[4]);
>
> + val = le32_to_cpu(buf[2]);
> + rc = -EINVAL;
> + if (val >= U16_MAX)
> + goto bad;
While this is a major issue, isn't U16_MAX technically still valid? In
other words should this be: '(val > U16_MAX)'?
> @@ -1939,7 +1948,11 @@ static int filename_trans_read_helper_compat(struct policydb *p, struct policy_f
>
> stype = le32_to_cpu(buf[0]);
> key.ttype = le32_to_cpu(buf[1]);
> - key.tclass = le32_to_cpu(buf[2]);
> + val = le32_to_cpu(buf[2]);
> + rc = -EINVAL;
> + if (val > U16_MAX || !policydb_class_isvalid(p, val))
> + goto out;
We should split out the class validity check into a separate patch and
keep this just as the subject states: consolidate the class type to u16.
As an aside, I'm going to do a quick review pass on the rest of the
patches in this series, but I'm not going to merge them as I keep
hitting a number of merge failures due to this patch not being applied
and I'd rather not have to fix them all up :)
--
paul-moore.com
next prev parent reply other threads:[~2025-01-08 3:00 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-16 16:39 [RFC PATCH v2 01/22] selinux: supply missing field initializers Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 02/22] selinux: avoid using types indicating user space interaction Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 2/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 03/22] selinux: align and constify functions Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 3/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 04/22] selinux: rework match_ipv6_addrmask() Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 4/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 05/22] selinux: avoid nontransitive comparison Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 5/22] " Paul Moore
2025-01-08 13:17 ` Christian Göttsche
2025-01-08 15:06 ` Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 06/22] selinux: rename comparison functions for clarity Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC v2 6/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 07/22] selinux: use known type instead of void pointer Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC v2 7/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 08/22] selinux: avoid unnecessary indirection in struct level_datum Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC v2 8/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 09/22] selinux: make use of str_read() Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC v2 9/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 10/22] selinux: use u16 for security classes Christian Göttsche
2025-01-08 3:00 ` Paul Moore [this message]
2024-12-16 16:40 ` [RFC PATCH v2 11/22] selinux: more strict policy parsing Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC " Paul Moore
2025-01-08 15:49 ` Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 12/22] selinux: check length fields in policies Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 13/22] selinux: validate constraints Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 14/22] selinux: pre-validate conditional expressions Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 15/22] selinux: introduce ebitmap_highest_set_bit() Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 16/22] selinux: check type attr map overflows Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 17/22] selinux: reorder policydb_index() Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 18/22] selinux: beef up isvalid checks Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 19/22] selinux: validate symbols Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC " Paul Moore
2025-01-08 17:02 ` Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 20/22] selinux: more strict bounds check Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 21/22] selinux: check for simple types Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 22/22] selinux: restrict policy strings Christian Göttsche
2025-01-03 20:12 ` Stephen Smalley
2025-01-05 23:26 ` Joe Nall
2025-01-07 14:04 ` Christian Göttsche
2025-01-07 16:09 ` Daniel Burgener
2025-01-07 16:32 ` James Carter
2024-12-16 16:40 ` [RFC PATCH v2 00/22] selinux: harden against malformed policies Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 1/22] selinux: supply missing field initializers Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=06eb43271d150c5003b00baef7350161@paul-moore.com \
--to=paul@paul-moore.com \
--cc=brambonne@google.com \
--cc=casey@schaufler-ca.com \
--cc=cgoettsche@seltendoof.de \
--cc=cgzones@googlemail.com \
--cc=guocanfeng@uniontech.com \
--cc=guozihua@huawei.com \
--cc=john.johansen@canonical.com \
--cc=justinstitt@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tweek@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox