selinux: set next pointer before attaching to list

Set the next pointer in filename_trans_read_helper() before attaching
the new node under construction to the list, otherwise garbage would be
deref

selinux: set next pointer before attaching to list

Set the next pointer in filename_trans_read_helper() before attaching
the new node under construction to the list, otherwise garbage would be
dereferenced on subsequent failure during cleanup in the out goto label.

Cc: <stable@vger.kernel.org>
Fixes: 430059024389 ("selinux: implement new format of filename transitions")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: avoid implicit conversions in policydb code

Use the identical type for local variables, e.g. loop counters.

Declare members of struct policydb_compat_info unsigned to consistently
use unsi

selinux: avoid implicit conversions in policydb code

Use the identical type for local variables, e.g. loop counters.

Declare members of struct policydb_compat_info unsigned to consistently
use unsigned iterators. They hold read-only non-negative numbers in the
global variable policydb_compat.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: revert SECINITSID_INIT support

This commit reverts 5b0eea835d4e ("selinux: introduce an initial SID
for early boot processes") as it was found to cause problems on
distros with old SELinux

selinux: revert SECINITSID_INIT support

This commit reverts 5b0eea835d4e ("selinux: introduce an initial SID
for early boot processes") as it was found to cause problems on
distros with old SELinux userspace tools/libraries, specifically
Ubuntu 16.04.

Hopefully we will be able to re-add this functionality at a later
date, but let's revert this for now to help ensure a stable and
backwards compatible SELinux tree.

Link: https://lore.kernel.org/selinux/87edkseqf8.fsf@mail.lhotse
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: use GFP_KERNEL while reading binary policy

Use GFP_KERNEL instead of GFP_ATOMIC while reading a binary policy in
sens_read() and cat_read(), similar to surrounding code.

Signed-off-by: Chr

selinux: use GFP_KERNEL while reading binary policy

Use GFP_KERNEL instead of GFP_ATOMIC while reading a binary policy in
sens_read() and cat_read(), similar to surrounding code.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: move debug functions into debug configuration

avtab_hash_eval() and hashtab_stat() are only used in policydb.c when
the configuration SECURITY_SELINUX_DEBUG is enabled.

Move the function d

selinux: move debug functions into debug configuration

avtab_hash_eval() and hashtab_stat() are only used in policydb.c when
the configuration SECURITY_SELINUX_DEBUG is enabled.

Move the function definitions under that configuration as well and
provide empty definitions in case SECURITY_SELINUX_DEBUG is disabled, to
avoid using #ifdef in the callers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: introduce SECURITY_SELINUX_DEBUG configuration

The policy database code contains several debug output statements
related to hashtable utilization. Those are guarded by the macro
DEBUG_HASH

selinux: introduce SECURITY_SELINUX_DEBUG configuration

The policy database code contains several debug output statements
related to hashtable utilization. Those are guarded by the macro
DEBUG_HASHES, which is neither documented nor set anywhere.

Introduce a new Kconfig configuration guarding this and potential
other future debugging related code. Disable the setting by default.

Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: fixed line lengths in the help text]
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: update my email address

Update my email address; MAINTAINERS was updated some time ago.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul

selinux: update my email address

Update my email address; MAINTAINERS was updated some time ago.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: add missing newlines in pr_err() statements

The kernel print statements do not append an implicit newline to format
strings.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM:

selinux: add missing newlines in pr_err() statements

The kernel print statements do not append an implicit newline to format
strings.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: introduce an initial SID for early boot processes

Currently, SELinux doesn't allow distinguishing between kernel threads
and userspace processes that are started before the policy is first

selinux: introduce an initial SID for early boot processes

Currently, SELinux doesn't allow distinguishing between kernel threads
and userspace processes that are started before the policy is first
loaded - both get the label corresponding to the kernel SID. The only
way a process that persists from early boot can get a meaningful label
is by doing a voluntary dyntransition or re-executing itself.

Reusing the kernel label for userspace processes is problematic for
several reasons:
1. The kernel is considered to be a privileged domain and generally
needs to have a wide range of permissions allowed to work correctly,
which prevents the policy writer from effectively hardening against
early boot processes that might remain running unintentionally after
the policy is loaded (they represent a potential extra attack surface
that should be mitigated).
2. Despite the kernel being treated as a privileged domain, the policy
writer may want to impose certain special limitations on kernel
threads that may conflict with the requirements of intentional early
boot processes. For example, it is a good hardening practice to limit
what executables the kernel can execute as usermode helpers and to
confine the resulting usermode helper processes. However, a
(legitimate) process surviving from early boot may need to execute a
different set of executables.
3. As currently implemented, overlayfs remembers the security context of
the process that created an overlayfs mount and uses it to bound
subsequent operations on files using this context. If an overlayfs
mount is created before the SELinux policy is loaded, these "mounter"
checks are made against the kernel context, which may clash with
restrictions on the kernel domain (see 2.).

To resolve this, introduce a new initial SID (reusing the slot of the
former "init" initial SID) that will be assigned to any userspace
process started before the policy is first loaded. This is easy to do,
as we can simply label any process that goes through the
bprm_creds_for_exec LSM hook with the new init-SID instead of
propagating the kernel SID from the parent.

To provide backwards compatibility for existing policies that are
unaware of this new semantic of the "init" initial SID, introduce a new
policy capability "userspace_initial_context" and set the "init" SID to
the same context as the "kernel" SID unless this capability is set by
the policy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: deprecated fs ocon

The object context type `fs`, not to be confused with the well used
object context type `fscon`, was introduced in the initial git commit
1da177e4c3f4 ("Linux-2.6.12-rc2"

selinux: deprecated fs ocon

The object context type `fs`, not to be confused with the well used
object context type `fscon`, was introduced in the initial git commit
1da177e4c3f4 ("Linux-2.6.12-rc2") but never actually used since.

The paper "A Security Policy Configuration for the Security-Enhanced
Linux" [1] mentions it under `7.2 File System Contexts` but also states:

Currently, this configuration is unused.

The policy statement defining such object contexts is `fscon`, e.g.:

fscon 2 3 gen_context(system_u:object_r:conA_t,s0) \
gen_context(system_u:object_r:conB_t,s0)

It is not documented at selinuxproject.org or in the SELinux notebook
and not supported by the Reference Policy buildsystem - the statement is
not properly sorted - and thus not used in the Reference or Fedora
Policy.

Print a warning message at policy load for each such object context:

SELinux: void and deprecated fs ocon 02:03

This topic was initially highlighted by Nicolas Iooss [2].

[1]: https://media.defense.gov/2021/Jul/29/2002815735/-1/-1/0/SELINUX-SECURITY-POLICY-CONFIGURATION-REPORT.PDF
[2]: https://lore.kernel.org/selinux/CAJfZ7=mP2eJaq2BfO3y0VnwUJaY2cS2p=HZMN71z1pKjzaT0Eg@mail.gmail.com/

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: tweaked deprecation comment, description line wrapping]
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: declare read-only data arrays const

The array of mount tokens in only used in match_opt_prefix() and never
modified.

The array of symtab names is never modified and only used in the
DEBUG_

selinux: declare read-only data arrays const

The array of mount tokens in only used in match_opt_prefix() and never
modified.

The array of symtab names is never modified and only used in the
DEBUG_HASHES configuration as output.

The array of files for the SElinux filesystem sub-directory `ss` is
similar to the other `struct tree_descr` usages only read from to
construct the containing entries.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: declare data arrays const

The arrays for the policy capability names, the initial sid identifiers
and the class and permission names are not changed at runtime. Declare
them const to avoid

selinux: declare data arrays const

The arrays for the policy capability names, the initial sid identifiers
and the class and permission names are not changed at runtime. Declare
them const to avoid accidental modification.

Do not override the classmap and the initial sid list in the build time
script genheaders.

Check flose(3) is successful in genheaders.c, otherwise the written data
might be corrupted or incomplete.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: manual merge due to fuzz, minor style tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: resolve checkpatch errors

Reported by checkpatch:

security/selinux/nlmsgtab.c
---------------------------
ERROR: that open brace { should be on the previous line
#29: FILE:

selinux: resolve checkpatch errors

Reported by checkpatch:

security/selinux/nlmsgtab.c
---------------------------
ERROR: that open brace { should be on the previous line
#29: FILE: security/selinux/nlmsgtab.c:29:
+static const struct nlmsg_perm nlmsg_route_perms[] =
+{

ERROR: that open brace { should be on the previous line
#97: FILE: security/selinux/nlmsgtab.c:97:
+static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
+{

ERROR: that open brace { should be on the previous line
#105: FILE: security/selinux/nlmsgtab.c:105:
+static const struct nlmsg_perm nlmsg_xfrm_perms[] =
+{

ERROR: that open brace { should be on the previous line
#134: FILE: security/selinux/nlmsgtab.c:134:
+static const struct nlmsg_perm nlmsg_audit_perms[] =
+{

security/selinux/ss/policydb.c
------------------------------
ERROR: that open brace { should be on the previous line
#318: FILE: security/selinux/ss/policydb.c:318:
+static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) =
+{

ERROR: that open brace { should be on the previous line
#674: FILE: security/selinux/ss/policydb.c:674:
+static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
+{

ERROR: that open brace { should be on the previous line
#1643: FILE: security/selinux/ss/policydb.c:1643:
+static int (*read_f[SYM_NUM]) (struct policydb *p, struct symtab *s, void *fp) =
+{

ERROR: that open brace { should be on the previous line
#3246: FILE: security/selinux/ss/policydb.c:3246:
+ void *datap) =
+{

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: drop unused macro

The macro _DEBUG_HASHES is nowhere used. The configuration DEBUG_HASHES
enables debugging of the SELinux hash tables, but the with an underscore
prefixed macro definition

selinux: drop unused macro

The macro _DEBUG_HASHES is nowhere used. The configuration DEBUG_HASHES
enables debugging of the SELinux hash tables, but the with an underscore
prefixed macro definition has no direct impact or any documentation.

Reported by clang [-Wunused-macros]

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: declare name parameter of hash_eval const

String literals are passed as second argument to hash_eval(). Also the
parameter is already declared const in the DEBUG_HASHES configuration.

Repo

selinux: declare name parameter of hash_eval const

String literals are passed as second argument to hash_eval(). Also the
parameter is already declared const in the DEBUG_HASHES configuration.

Reported by clang [-Wwrite-strings]:

security/selinux/ss/policydb.c:1881:26: error: passing
'const char [8]' to parameter of type 'char *' discards
qualifiers
hash_eval(&p->range_tr, rangetr);
^~~~~~~~~
security/selinux/ss/policydb.c:707:55: note: passing argument to
parameter 'hash_name' here
static inline void hash_eval(struct hashtab *h, char *hash_name)
^
security/selinux/ss/policydb.c:2099:32: error: passing
'const char [11]' to parameter of type 'char *' discards
qualifiers
hash_eval(&p->filename_trans, filenametr);
^~~~~~~~~~~~
security/selinux/ss/policydb.c:707:55: note: passing argument to
parameter 'hash_name' here
static inline void hash_eval(struct hashtab *h, char *hash_name)
^

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: line wrapping in description]
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: correct the return value when loads initial sids

It should not return 0 when SID 0 is assigned to isids.
This patch fixes it.

Cc: stable@vger.kernel.org
Fixes: e3e0b582c321a ("selinux: rem

selinux: correct the return value when loads initial sids

It should not return 0 when SID 0 is assigned to isids.
This patch fixes it.

Cc: stable@vger.kernel.org
Fixes: e3e0b582c321a ("selinux: remove unused initial SIDs and improve handling")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
[PM: remove changelog from description]
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: Remove redundant assignment to rc

Variable rc is set to '-EINVAL' but this value is never read as
it is overwritten or not used later on, hence it is a redundant
assignment and can be remov

selinux: Remove redundant assignment to rc

Variable rc is set to '-EINVAL' but this value is never read as
it is overwritten or not used later on, hence it is a redundant
assignment and can be removed.

Cleans up the following clang-analyzer warning:

security/selinux/ss/services.c:2103:3: warning: Value stored to 'rc' is
never read [clang-analyzer-deadcode.DeadStores].

security/selinux/ss/services.c:2079:2: warning: Value stored to 'rc' is
never read [clang-analyzer-deadcode.DeadStores].

security/selinux/ss/services.c:2071:2: warning: Value stored to 'rc' is
never read [clang-analyzer-deadcode.DeadStores].

security/selinux/ss/services.c:2062:2: warning: Value stored to 'rc' is
never read [clang-analyzer-deadcode.DeadStores].

security/selinux/ss/policydb.c:2592:3: warning: Value stored to 'rc' is
never read [clang-analyzer-deadcode.DeadStores].

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: correct the return value when loads initial sids

commit 4c156084daa8ee70978e4b150b5eb5fc7b1f15be upstream.

It should not return 0 when SID 0 is assigned to isids.
This patch fixes it.

Cc:

selinux: correct the return value when loads initial sids

commit 4c156084daa8ee70978e4b150b5eb5fc7b1f15be upstream.

It should not return 0 when SID 0 is assigned to isids.
This patch fixes it.

Cc: stable@vger.kernel.org
Fixes: e3e0b582c321a ("selinux: remove unused initial SIDs and improve handling")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
[PM: remove changelog from description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selinux: prepare for inlining of hashtab functions

Refactor searching and inserting into hashtabs to pave the way for
converting hashtab_search() and hashtab_insert() to inline functions in
the next

selinux: prepare for inlining of hashtab functions

Refactor searching and inserting into hashtabs to pave the way for
converting hashtab_search() and hashtab_insert() to inline functions in
the next patch. This will avoid indirect calls and allow the compiler to
better optimize individual callers, leading to a significant performance
improvement.

In order to avoid the indirect calls, the key hashing and comparison
callbacks need to be extracted from the hashtab struct and passed
directly to hashtab_search()/_insert() by the callers so that the
callback address is always known at compile time. The kernel's
rhashtable library (<linux/rhashtable*.h>) does the same thing.

This of course makes the hashtab functions slightly easier to misuse by
passing a wrong callback set, but unfortunately there is no better way
to implement a hash table that is both generic and efficient in C. This
patch tries to somewhat mitigate this by only calling the hashtab
functions in the same file where the corresponding callbacks are
defined (wrapping them into more specialized functions as needed).

Note that this patch doesn't bring any benefit without also moving the
definitions of hashtab_search() and -_insert() to the header file, which
is done in a follow-up patch for easier review of the hashtab.c changes
in this patch.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: specialize symtab insert and search functions

This encapsulates symtab a little better and will help with further
refactoring later.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Ac

selinux: specialize symtab insert and search functions

This encapsulates symtab a little better and will help with further
refactoring later.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: log error messages on required process class / permissions

In general SELinux no longer treats undefined object classes or permissions
in the policy as a fatal error, instead handling them

selinux: log error messages on required process class / permissions

In general SELinux no longer treats undefined object classes or permissions
in the policy as a fatal error, instead handling them in accordance with
handle_unknown. However, the process class and process transition and
dyntransition permissions are still required to be defined due to
dependencies on these definitions for default labeling behaviors,
role and range transitions in older policy versions that lack an explicit
class field, and role allow checking. Log error messages in these cases
since otherwise the policy load will fail silently with no indication
to the user as to the underlying cause. While here, fix the checking for
process transition / dyntransition so that omitting either permission is
handled as an error; both are needed in order to ensure that role allow
checking is consistently applied.

Reported-by: bauen1 <j2468h@googlemail.com>
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: do not allocate hashtabs dynamically

It is simpler to allocate them statically in the corresponding
structure, avoiding unnecessary kmalloc() calls and pointer
dereferencing.

Signed-off-by

selinux: do not allocate hashtabs dynamically

It is simpler to allocate them statically in the corresponding
structure, avoiding unnecessary kmalloc() calls and pointer
dereferencing.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
[PM: manual merging required in policydb.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: fix return value on error in policydb_read()

The value of rc is still zero from the last assignment when the error
path is taken. Fix it by setting it to -ENOMEM before the
hashtab_create()

selinux: fix return value on error in policydb_read()

The value of rc is still zero from the last assignment when the error
path is taken. Fix it by setting it to -ENOMEM before the
hashtab_create() call.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: e67b2ec9f617 ("selinux: store role transitions in a hash table")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: simplify range_write()

No need to traverse the hashtab to count its elements, hashtab already
tracks it for us.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moo

selinux: simplify range_write()

No need to traverse the hashtab to count its elements, hashtab already
tracks it for us.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...

selinux: fix error return code in policydb_read()

Fix to return negative error code -ENOMEM from the kvcalloc() error
handling case instead of 0, as done elsewhere in this function.

Fixes: acdf52d9

selinux: fix error return code in policydb_read()

Fix to return negative error code -ENOMEM from the kvcalloc() error
handling case instead of 0, as done elsewhere in this function.

Fixes: acdf52d97f82 ("selinux: convert to kvmalloc")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

show more ...