RFE: policydb read validation #72
Draft: cgzones wants to merge 14 commits into SELinuxProject:dev (base: dev) from cgzones:dev_wip_policadb_read
Conversation
Member: It's fine if you want to post this as a draft PR here, but technical discussions and formal patch postings must be done on the selinux@vger.kernel.org mailing list.
Force-pushed: ff0a443 to 658ac7d
Force-pushed: 6a550ad to 7bbb841
Force-pushed: f62e687 to de42bbd
Avoid using nontransitive comparison to prevent unexpected sorting results
due to (well-defined) overflows.
See https://www.qualys.com/2024/01/30/qsort.txt for a related issue in
glibc's qsort(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3: rename macro to cmp_int()
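Added example (not code from this series or the kernel tree): why `a - b` is not a usable comparator once the operands span the whole int range, and the overflow-free three-way form the commit message calls cmp_int(). Only the macro name is taken from the message; `sub_cmp`, `int_cmp`, `triple_transitive` and the sample array are this example's own. The wrap-around is routed through unsigned arithmetic so the demo does not depend on the kernel's -fno-strict-overflow build.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Subtraction-based comparator. The kernel builds with wrap-around being
 * well-defined; user space gets the same wrap by going through unsigned.
 * (The final conversion back to int is implementation-defined but wraps
 * on gcc/clang.) */
int sub_cmp(int x, int y)
{
	return (int)((unsigned int)x - (unsigned int)y);
}

/* Three-way comparison that cannot overflow: evaluates to -1, 0 or 1.
 * Same shape as the series' cmp_int(); only the name is borrowed. */
#define cmp_int(a, b) (((a) > (b)) - ((a) < (b)))

int int_cmp(int x, int y)
{
	return cmp_int(x, y);
}

/* A sort can only rely on a comparator that is transitive: a < b and b < c
 * must imply a < c. Return 1 if that holds for the triple, 0 if the
 * comparator contradicts itself on it. */
int triple_transitive(int (*cmp)(int, int), int a, int b, int c)
{
	if (cmp(a, b) < 0 && cmp(b, c) < 0)
		return cmp(a, c) < 0;
	return 1;
}

/* qsort(3) adapters */
int sub_cmp_q(const void *a, const void *b)
{
	return sub_cmp(*(const int *)a, *(const int *)b);
}

int int_cmp_q(const void *a, const void *b)
{
	return int_cmp(*(const int *)a, *(const int *)b);
}

/* Sort a copy of v[] with the given comparator; return 1 if the result is
 * ascending, 0 if not, -1 on allocation failure. */
int sorted_after_qsort(int (*cmpq)(const void *, const void *), const int *v, size_t n)
{
	int *copy = malloc(n * sizeof(*copy));
	size_t i;
	int ok = 1;

	if (!copy)
		return -1;
	for (i = 0; i < n; i++)
		copy[i] = v[i];
	qsort(copy, n, sizeof(*copy), cmpq);
	for (i = 1; i < n; i++)
		if (copy[i - 1] > copy[i])
			ok = 0;
	free(copy);
	return ok;
}

/* Constructed input spanning the whole int range. */
const int demo_input[] = { INT_MAX, 0, INT_MIN, 7, -7, INT_MAX - 1, INT_MIN + 1 };
#define DEMO_N (sizeof(demo_input) / sizeof(demo_input[0]))

int main(void)
{
	printf("sub_cmp(INT_MIN, 1) = %d  (claims INT_MIN > 1)\n", sub_cmp(INT_MIN, 1));
	printf("cmp_int(INT_MIN, 1) = %d\n", int_cmp(INT_MIN, 1));
	printf("sub_cmp transitive on (INT_MIN, 0, INT_MAX): %d\n",
	       triple_transitive(sub_cmp, INT_MIN, 0, INT_MAX));
	printf("sorted with sub_cmp: %d, with cmp_int: %d\n",
	       sorted_after_qsort(sub_cmp_q, demo_input, DEMO_N),
	       sorted_after_qsort(int_cmp_q, demo_input, DEMO_N));
	return 0;
}
```

Whether qsort() actually produces a misordered array with `sub_cmp` depends on the library's algorithm and the input; the contradiction shown by `triple_transitive` is the property the Qualys write-up exploits, and it is present regardless of which sort sits on top.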
Security class identifiers are limited to 2^16, thus use the appropriate
type u16 consistently.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3: only change type, move the validation (> U16_MAX) to the subsequent
patch
Force-pushed: de42bbd to a065bde
Be more strict during parsing of policies and reject invalid values.
Add some error messages in the case of policy parse failures, to
enhance debugging, either on a malformed policy or a too strict check.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
- incorporate the overflow checks on security classes from the
previous patch, and permit U16_MAX as class ID
- minimize the usage of magic values, by using macros or trivial
helper functions
v2:
accept unknown xperm specifiers to support backwards compatibility for
future ones, suggested by Thiébaud
In multiple places the binary policy announces how many items of some
kind are to be expected next. Before reading them the kernel already
allocates enough memory for that announced size. Validate that the
remaining input size can actually fit the announced items, to avoid OOM
issues on malformed binary policies.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
- fix error branch by returning directly instead of jumping to goto
label, see
https://lore.kernel.org/all/202412241405.LK8YTZqp-lkp@intel.com/
- rename to size_check()
- add comments for magic values
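Added example, not code from this series or the kernel tree: a reader for a small count-prefixed table that checks the announced count against the bytes still available before it sizes an allocation by that count. `struct pfile`, `next_u32`, `table_read` and the two byte images are constructed for this example; `size_check` borrows only its name from the commit message. The check divides instead of multiplying so that the guard itself cannot overflow.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* In-memory cursor over a binary policy image; constructed stand-in for
 * the kernel's struct policy_file. */
struct pfile {
	const uint8_t *data;
	size_t len;
};

/* policydb integers are little-endian u32 */
static int next_u32(struct pfile *fp, uint32_t *out)
{
	if (fp->len < 4)
		return -EINVAL;
	*out = (uint32_t)fp->data[0] | ((uint32_t)fp->data[1] << 8) |
	       ((uint32_t)fp->data[2] << 16) | ((uint32_t)fp->data[3] << 24);
	fp->data += 4;
	fp->len -= 4;
	return 0;
}

/* Can `count` items of at least `item_size` bytes each still be read from
 * the remaining input? Division keeps the check itself overflow-free.
 * Hypothetical analogue of the series' size_check(); only the name is
 * taken from the commit message. */
bool size_check(size_t item_size, uint32_t count, const struct pfile *fp)
{
	return count <= fp->len / item_size;
}

struct entry { uint32_t key, value; };
struct table { uint32_t nel; struct entry *entries; };

/* Layout: le32 count, then count * { le32 key, le32 value }. The allocation
 * sized by the announced count happens only after that count has been
 * checked against the bytes actually left. Returns 0, -EINVAL or -ENOMEM. */
int table_read(struct table *t, struct pfile *fp)
{
	uint32_t nel, i;
	int rc = next_u32(fp, &nel);

	if (rc)
		return rc;
	/* every entry occupies at least two u32 in the image */
	if (!size_check(2 * sizeof(uint32_t), nel, fp))
		return -EINVAL;

	t->entries = calloc(nel, sizeof(*t->entries));
	if (!t->entries)
		return -ENOMEM;
	t->nel = nel;

	for (i = 0; i < nel; i++) {
		rc = next_u32(fp, &t->entries[i].key);
		if (!rc)
			rc = next_u32(fp, &t->entries[i].value);
		if (rc) {
			free(t->entries);
			t->entries = NULL;
			t->nel = 0;
			return rc;
		}
	}
	return 0;
}

/* Parse one image, report count and last value, release the table. */
int table_read_image(const uint8_t *image, size_t len, uint32_t *nel, uint32_t *last_value)
{
	struct pfile fp = { image, len };
	struct table t = { 0, NULL };
	int rc = table_read(&t, &fp);

	if (nel)
		*nel = t.nel;
	if (last_value)
		*last_value = t.nel ? t.entries[t.nel - 1].value : 0;
	free(t.entries);
	return rc;
}

/* Constructed images: two well-formed entries, and a header announcing
 * 0xffffffff entries that is followed by only eight bytes. */
const uint8_t good_image[] = {
	0x02, 0x00, 0x00, 0x00,
	0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
	0x02, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
};
const uint8_t bad_image[] = {
	0xff, 0xff, 0xff, 0xff,
	0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
};

int main(void)
{
	uint32_t nel = 0, last = 0;
	int rc = table_read_image(good_image, sizeof(good_image), &nel, &last);

	printf("good: rc=%d nel=%u last=0x%x\n", rc, nel, last);
	printf("bad:  rc=%d (rejected before any allocation)\n",
	       table_read_image(bad_image, sizeof(bad_image), NULL, NULL));
	return 0;
}
```

Without the guard the bad image would reach `calloc(0xffffffff, 8)`, which is exactly the OOM the commit message describes; with it, the malformed header costs one comparison.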
Validate constraint expressions during reading the policy.
Avoid the usage of BUG() on constraint evaluation, to mitigate malformed
policies halting the system.
Closes: SELinuxProject/selinux-testsuite#76
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate conditional expressions while reading the policy, to avoid
unexpected access decisions on malformed policies.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
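Added example covering both of the two commit messages above (constraint and conditional expressions); it is not code from this series or the kernel tree. Both kinds of expression are stored in postfix form and evaluated with a fixed-size stack, so a load-time pass that simulates the stack depth can reject every shape that would underflow, overflow or leave more than one result, before an evaluator ever trips over it. The operator names, `EXPR_MAXDEPTH`, `expr_validate`, `expr_eval` and the sample expressions are this example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Operators of a postfix expression; hypothetical names, the kernel's own
 * enumerations are not reproduced here. */
enum expr_op {
	EXPR_LEAF,	/* pushes one operand (attribute test or boolean) */
	EXPR_NOT,	/* consumes one operand, pushes one */
	EXPR_AND,	/* consumes two operands, pushes one */
	EXPR_OR,
};

#define EXPR_MAXDEPTH 5	/* constructed limit; use the evaluator's real stack size */

/* Simulate the evaluation stack once at load time. Rejects an operator that
 * lacks operands (underflow), more pending operands than the stack holds
 * (overflow), unknown operators and expressions that do not leave exactly
 * one result. Returns 0 if well-formed, -EINVAL otherwise. */
int expr_validate(const enum expr_op *ops, size_t n)
{
	int depth = 0;
	size_t i;

	if (n == 0)
		return -EINVAL;
	for (i = 0; i < n; i++) {
		switch (ops[i]) {
		case EXPR_LEAF:
			if (depth >= EXPR_MAXDEPTH)
				return -EINVAL;
			depth++;
			break;
		case EXPR_NOT:
			if (depth < 1)
				return -EINVAL;
			break;
		case EXPR_AND:
		case EXPR_OR:
			if (depth < 2)
				return -EINVAL;
			depth--;
			break;
		default:
			/* reject at load time rather than BUG() at evaluation */
			return -EINVAL;
		}
	}
	return depth == 1 ? 0 : -EINVAL;
}

/* Evaluate an expression; leaves take their values in order from
 * leaf_vals[]. Returns 0 or 1. The guards mirror what expr_validate()
 * guarantees, so a malformed expression yields -EINVAL instead of a
 * stack misuse, even if someone skipped validation. */
int expr_eval(const enum expr_op *ops, size_t n, const bool *leaf_vals)
{
	bool stack[EXPR_MAXDEPTH];
	int sp = 0;
	size_t i, leaf = 0;

	for (i = 0; i < n; i++) {
		switch (ops[i]) {
		case EXPR_LEAF:
			if (sp >= EXPR_MAXDEPTH)
				return -EINVAL;
			stack[sp++] = leaf_vals[leaf++];
			break;
		case EXPR_NOT:
			if (sp < 1)
				return -EINVAL;
			stack[sp - 1] = !stack[sp - 1];
			break;
		case EXPR_AND:
			if (sp < 2)
				return -EINVAL;
			stack[sp - 2] = stack[sp - 2] && stack[sp - 1];
			sp--;
			break;
		case EXPR_OR:
			if (sp < 2)
				return -EINVAL;
			stack[sp - 2] = stack[sp - 2] || stack[sp - 1];
			sp--;
			break;
		default:
			return -EINVAL;
		}
	}
	return sp == 1 ? stack[0] : -EINVAL;
}

/* Constructed expressions: "not ((a and b) or c)", an operator without
 * operands, two leftover operands, and a stack overflow. */
const enum expr_op expr_ok[] = { EXPR_LEAF, EXPR_LEAF, EXPR_AND, EXPR_LEAF, EXPR_OR, EXPR_NOT };
const enum expr_op expr_underflow[] = { EXPR_LEAF, EXPR_AND };
const enum expr_op expr_leftover[] = { EXPR_LEAF, EXPR_LEAF };
const enum expr_op expr_deep[] = { EXPR_LEAF, EXPR_LEAF, EXPR_LEAF, EXPR_LEAF, EXPR_LEAF, EXPR_LEAF };
const bool leaf_a[] = { true, false, true };
const bool leaf_b[] = { false, false, false };

int main(void)
{
	printf("ok=%d underflow=%d leftover=%d deep=%d\n",
	       expr_validate(expr_ok, 6), expr_validate(expr_underflow, 2),
	       expr_validate(expr_leftover, 2), expr_validate(expr_deep, 6));
	printf("eval a=%d b=%d\n", expr_eval(expr_ok, 6, leaf_a), expr_eval(expr_ok, 6, leaf_b));
	return 0;
}
```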
Validate that no types with an invalid too high ID are present in the
attribute map. Gaps are still not checked.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3: squash with previous patch ("selinux: introduce
ebitmap_highest_set_bit()")
Index as soon as possible to enable isvalid() checks to fail on gaps.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Check that an ID does not refer to a gap in the global array of
definitions.
Constify parameters of isvalid() function and change return type to bool.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Some symbol tables need to be validated after indexing, since during
indexing their referenced entries might not yet have been indexed.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate the types used in bounds checks.
Replace the usage of BUG(), to avoid halting the system on malformed
polices.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate that the target of AVTAB_TYPE rules and file transitions are
simple types and not attributes.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Validate the characters and the lengths of strings parsed from binary
policies.
* Disallow control characters
* Limit characters of identifiers to alphanumeric, underscore, dash,
and dot
* Limit identifiers in length to 64, except types to 1024,
sensitivities to 32 and categories to 16, characters
(excluding NUL-terminator)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
- introduce a central limits.h header
- add limits for all kinds of string: filesystem names, filetrans
keys, genfs paths, infiniband device names
v2:
- add wrappers for str_read() to minimize the usage of magic numbers
- limit sensitivities to a length of 32, to match categories,
suggested by Daniel
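Added example, not code from this series or the kernel tree: a policydb-style string reader (le32 length followed by the raw bytes) that enforces the character set and the per-kind length limits from the commit message, and rejects an announced length before allocating for it. The limit macros, `str_valid`, `str_read`, the per-kind wrappers and the byte images are this example's own; the 4096 limit used for the path case is a constructed value, not one the series defines.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits (excluding the NUL terminator) as listed in the commit message;
 * the macro names are this example's own, not the series' limits.h. */
#define IDENT_MAXLEN	64
#define TYPE_MAXLEN	1024
#define SENS_MAXLEN	32
#define CAT_MAXLEN	16

/* Validate `len` bytes of s. Identifiers (ident=true) are restricted to
 * [A-Za-z0-9_.-]; other strings such as genfs paths only have control
 * characters rejected. Returns 0 or -EINVAL. */
int str_valid(const char *s, size_t len, size_t maxlen, bool ident)
{
	size_t i;

	if (len == 0 || len > maxlen)
		return -EINVAL;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		if (c < 0x20 || c == 0x7f)	/* control characters: Esc, NUL, DEL, ... */
			return -EINVAL;
		if (ident && !(isalnum(c) || c == '_' || c == '-' || c == '.'))
			return -EINVAL;
	}
	return 0;
}

/* Read one string from *p/*left: le32 length, then the bytes (no
 * terminator in the image). The announced length is checked against the
 * limit and the remaining input before anything is allocated; *out gets a
 * NUL-terminated copy. Returns 0, -EINVAL or -ENOMEM. */
int str_read(const uint8_t **p, size_t *left, size_t maxlen, bool ident, char **out)
{
	uint32_t len;
	char *s;

	if (*left < 4)
		return -EINVAL;
	len = (uint32_t)(*p)[0] | ((uint32_t)(*p)[1] << 8) |
	      ((uint32_t)(*p)[2] << 16) | ((uint32_t)(*p)[3] << 24);
	*p += 4;
	*left -= 4;

	if (len > maxlen || len > *left)
		return -EINVAL;
	if (str_valid((const char *)*p, len, maxlen, ident))
		return -EINVAL;

	s = malloc((size_t)len + 1);
	if (!s)
		return -ENOMEM;
	memcpy(s, *p, len);
	s[len] = '\0';
	*p += len;
	*left -= len;
	*out = s;
	return 0;
}

/* Per-kind wrappers keep the limits out of the call sites (the v2 idea). */
int ident_read(const uint8_t **p, size_t *left, char **out)
{
	return str_read(p, left, IDENT_MAXLEN, true, out);
}

int cat_read(const uint8_t **p, size_t *left, char **out)
{
	return str_read(p, left, CAT_MAXLEN, true, out);
}

/* Parse one string from an image, drop it, return only the result code. */
int str_read_image(const uint8_t *image, size_t len, size_t maxlen, bool ident)
{
	const uint8_t *p = image;
	size_t left = len;
	char *s = NULL;
	int rc = str_read(&p, &left, maxlen, ident, &s);

	free(s);
	return rc;
}

/* An identifier made of n 'a' characters, to exercise the length limit. */
int ident_len_check(size_t n)
{
	char *s = malloc(n);
	int rc;

	if (!s)
		return -ENOMEM;
	memset(s, 'a', n);
	rc = str_valid(s, n, IDENT_MAXLEN, true);
	free(s);
	return rc;
}

/* Constructed images: le32 length + bytes. */
const uint8_t img_user_t[] = { 6, 0, 0, 0, 'u', 's', 'e', 'r', '_', 't' };
const uint8_t img_esc[] = { 5, 0, 0, 0, 'u', 0x1b, 's', 'e', 'r' };
const uint8_t img_short[] = { 16, 0, 0, 0, 'a', 'b' };	/* announces 16, carries 2 */
const uint8_t img_path[] = { 8, 0, 0, 0, '/', 'p', 'r', 'o', 'c', '/', 'a', 'b' };

int main(void)
{
	printf("user_t=%d esc=%d short=%d path-as-ident=%d path=%d len64=%d len65=%d\n",
	       str_read_image(img_user_t, sizeof(img_user_t), IDENT_MAXLEN, true),
	       str_read_image(img_esc, sizeof(img_esc), IDENT_MAXLEN, true),
	       str_read_image(img_short, sizeof(img_short), IDENT_MAXLEN, true),
	       str_read_image(img_path, sizeof(img_path), IDENT_MAXLEN, true),
	       str_read_image(img_path, sizeof(img_path), 4096, false),
	       ident_len_check(64), ident_len_check(65));
	return 0;
}
```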
Force-pushed: 86661a2 to 2f32d51
Check the length accumulator for the MLS component of security contexts
does not overflow in mls_compute_context_len() resulting in out-of-buffer
writes in mls_sid_to_context().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3: add patch
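Added example, not code from this series or the kernel tree: a length pass over one MLS level that fails with -EOVERFLOW the moment the u32 accumulator would wrap, instead of returning a too-small size that a later formatting pass would overrun. The textual format counted here (":" sens, then runs of consecutive categories as "cA,cB" for two and "cA.cB" for three or more) is this example's own convention, as are `len_add`, `struct level`, `level_len` and the sample categories.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Add `add` to *len, failing instead of wrapping; a check_add_overflow()
 * style guard on a u32 accumulator. */
static bool len_add(uint32_t *len, size_t add)
{
	if (add > UINT32_MAX || *len > UINT32_MAX - (uint32_t)add)
		return false;
	*len += (uint32_t)add;
	return true;
}

/* One MLS level: sensitivity name plus the set categories as a sorted
 * array of indices (a flattened ebitmap). */
struct level {
	const char *sens;
	const unsigned int *cats;
	size_t ncats;
};

/* Accumulate the textual length of one level onto *len. Format used by
 * this example: ":" sens, then per run of consecutive categories a
 * separator (":" first, "," afterwards) and the first name, followed by
 * "," name for a run of two or "." name for longer runs. Returns 0 or
 * -EOVERFLOW as soon as the accumulator would wrap. */
int level_len(uint32_t *len, const struct level *lvl, const char *const *cat_names)
{
	size_t i = 0;

	if (!len_add(len, 1) || !len_add(len, strlen(lvl->sens)))
		return -EOVERFLOW;

	while (i < lvl->ncats) {
		size_t j = i;

		while (j + 1 < lvl->ncats && lvl->cats[j + 1] == lvl->cats[j] + 1)
			j++;
		if (!len_add(len, 1) || !len_add(len, strlen(cat_names[lvl->cats[i]])))
			return -EOVERFLOW;
		if (j > i && (!len_add(len, 1) || !len_add(len, strlen(cat_names[lvl->cats[j]]))))
			return -EOVERFLOW;
		i = j + 1;
	}
	return 0;
}

/* Start from `base`, the length already accumulated for user:role:type,
 * and return the total or -EOVERFLOW. */
long long level_len_from(uint32_t base, const struct level *lvl, const char *const *cat_names)
{
	uint32_t len = base;

	if (level_len(&len, lvl, cat_names))
		return -EOVERFLOW;
	return len;
}

/* Constructed sample: categories c0..c5, level rendering as "s0:c0.c3,c5". */
const char *const cat_names[] = { "c0", "c1", "c2", "c3", "c4", "c5" };
const unsigned int cats_a[] = { 0, 1, 2, 3, 5 };
const struct level level_a = { "s0", cats_a, 5 };

int main(void)
{
	printf("from 0: %lld\n", level_len_from(0, &level_a, cat_names));
	printf("from UINT32_MAX-12: %lld\n", level_len_from(UINT32_MAX - 12, &level_a, cat_names));
	printf("from UINT32_MAX-11: %lld (overflow)\n", level_len_from(UINT32_MAX - 11, &level_a, cat_names));
	return 0;
}
```

The second and third calls sit on either side of the boundary: a base that leaves exactly room for the 12 bytes of ":s0:c0.c3,c5" succeeds, one byte less is refused rather than wrapped.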
Force-pushed: 2f32d51 to f31bd61
From https://lore.kernel.org/selinux/20241115133619.114393-23-cgoettsche@seltendoof.de/:
With the SELinux namespace feature on the horizon it becomes important
to identify and reject malformed policies at load time. Otherwise
memory corruptions can compromise the kernel or NULL-pointer dereferences
and BUG() encounters can bring systems down. Currently this is not a
security relevant issue since loading a policy requires root privileges
and permission of the current loaded SELinux policy, making it one of the
most privileged operations.
The first 9 patches are cleanup commits with overseeable diffs.
Patch 10 unifies the underlying type used for security class identifiers.
Patch 11 to 21 add various checks at policy load time to reject malformed
policies.
Patch 22 needs some discussion:
It limits the valid set of characters and the length for strings defined
by policies. Currently there are no restrictions, so control characters
are accepted, e.g. Esc as part of a type name, and their length can be
arbitrary. Human formatted security contexts however must not be
arbitrarily long, one example is they must fit in a page size for
selinuxfs interaction and network associations.
Thus the patch introduces the following restrictions:
and dot
categories to 32, characters (excluding NUL-terminator)
p.s.:
On a related note to patch 10, the underlying type for types (and type-
attributes) is also not consistent:
In role, range and filename transitions, and in the actual datum, u32 is
used, while avtables use u16, practically limiting the number of
available types to 65534 (= U16_MAX - 2 (0 and U16_MAX are invalid)).