selinux: format all invalid context as untrusted
The userspace tools expect all fields of the same name to be logged consistently with the same encoding. Since the invalid_context fields contain untrusted strings in selinux_inode_setxattr() and selinux_setprocattr(), encode all instances of this field the same way as though they were untrusted even though compute_sid_handle_invalid_context() and security_sid_mls_copy() are trusted. Please see github issue https://github.com/linux-audit/audit-kernel/issues/57 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
464c258aa4
commit
ea74a685ad
|
@ -1584,6 +1584,7 @@ static int compute_sid_handle_invalid_context(
|
||||||
struct policydb *policydb = &state->ss->policydb;
|
struct policydb *policydb = &state->ss->policydb;
|
||||||
char *s = NULL, *t = NULL, *n = NULL;
|
char *s = NULL, *t = NULL, *n = NULL;
|
||||||
u32 slen, tlen, nlen;
|
u32 slen, tlen, nlen;
|
||||||
|
struct audit_buffer *ab;
|
||||||
|
|
||||||
if (context_struct_to_string(policydb, scontext, &s, &slen))
|
if (context_struct_to_string(policydb, scontext, &s, &slen))
|
||||||
goto out;
|
goto out;
|
||||||
|
@ -1591,12 +1592,14 @@ static int compute_sid_handle_invalid_context(
|
||||||
goto out;
|
goto out;
|
||||||
if (context_struct_to_string(policydb, newcontext, &n, &nlen))
|
if (context_struct_to_string(policydb, newcontext, &n, &nlen))
|
||||||
goto out;
|
goto out;
|
||||||
audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,
|
ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);
|
||||||
"op=security_compute_sid invalid_context=%s"
|
audit_log_format(ab,
|
||||||
" scontext=%s"
|
"op=security_compute_sid invalid_context=");
|
||||||
" tcontext=%s"
|
/* no need to record the NUL with untrusted strings */
|
||||||
" tclass=%s",
|
audit_log_n_untrustedstring(ab, n, nlen - 1);
|
||||||
n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
|
audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s",
|
||||||
|
s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
|
||||||
|
audit_log_end(ab);
|
||||||
out:
|
out:
|
||||||
kfree(s);
|
kfree(s);
|
||||||
kfree(t);
|
kfree(t);
|
||||||
|
@ -3003,10 +3006,16 @@ int security_sid_mls_copy(struct selinux_state *state,
|
||||||
if (rc) {
|
if (rc) {
|
||||||
if (!context_struct_to_string(policydb, &newcon, &s,
|
if (!context_struct_to_string(policydb, &newcon, &s,
|
||||||
&len)) {
|
&len)) {
|
||||||
audit_log(audit_context(),
|
struct audit_buffer *ab;
|
||||||
GFP_ATOMIC, AUDIT_SELINUX_ERR,
|
|
||||||
"op=security_sid_mls_copy "
|
ab = audit_log_start(audit_context(),
|
||||||
"invalid_context=%s", s);
|
GFP_ATOMIC,
|
||||||
|
AUDIT_SELINUX_ERR);
|
||||||
|
audit_log_format(ab,
|
||||||
|
"op=security_sid_mls_copy invalid_context=");
|
||||||
|
/* don't record NUL with untrusted strings */
|
||||||
|
audit_log_n_untrustedstring(ab, s, len - 1);
|
||||||
|
audit_log_end(ab);
|
||||||
kfree(s);
|
kfree(s);
|
||||||
}
|
}
|
||||||
goto out_unlock;
|
goto out_unlock;
|
||||||
|
|
Loading…
Reference in New Issue