kernel/linux.git/security/selinux, branch v6.5.12

selinux: fix handling of empty opts in selinux_fs_context_submount()

2023-09-23T09:14:36+00:00

commit ccf1dab96be4caed7c5235b1cfdb606ac161b996 upstream. selinux_set_mnt_opts() relies on the fact that the mount options pointer is always NULL when all options are unset (specifically in its !selinux_initialized() branch. However, the new selinux_fs_context_submount() hook breaks this rule by allocating a new structure even if no options are set. That causes any submount created before a SELinux policy is loaded to be rejected in selinux_set_mnt_opts(). Fix this by making selinux_fs_context_submount() leave fc->security set to NULL when there are no options to be copied from the reference superblock. Cc: Reported-by: Adam Williamson Link: https://bugzilla.redhat.com/show_bug.cgi?id=2236345 Fixes: d80a8f1b58c2 ("vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing") Signed-off-by: Ondrej Mosnacek Reviewed-by: Jeff Layton Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman

vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing

2023-09-13T07:52:58+00:00

[ Upstream commit d80a8f1b58c2bc8d7c6bfb65401ea4f7ec8cddc2 ] When NFS superblocks are created by automounting, their LSM parameters aren't set in the fs_context struct prior to sget_fc() being called, leading to failure to match existing superblocks. This bug leads to messages like the following appearing in dmesg when fscache is enabled: NFS: Cache volume key already in use (nfs,4.2,2,108,106a8c0,1,,,,100000,100000,2ee,3a98,1d4c,3a98,1) Fix this by adding a new LSM hook to load fc->security for submount creation. Signed-off-by: David Howells Signed-off-by: Jeff Layton Link: https://lore.kernel.org/r/165962680944.3334508.6610023900349142034.stgit@warthog.procyon.org.uk/ # v1 Link: https://lore.kernel.org/r/165962729225.3357250.14350728846471527137.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/165970659095.2812394.6868894171102318796.stgit@warthog.procyon.org.uk/ # v3 Link: https://lore.kernel.org/r/166133579016.3678898.6283195019480567275.stgit@warthog.procyon.org.uk/ # v4 Link: https://lore.kernel.org/r/217595.1662033775@warthog.procyon.org.uk/ # v5 Fixes: 9bc61ab18b1d ("vfs: Introduce fs_context, switch vfs_kern_mount() to it.") Fixes: 779df6a5480f ("NFS: Ensure security label is set for root inode") Tested-by: Jeff Layton Acked-by: Casey Schaufler Acked-by: "Christian Brauner (Microsoft)" Acked-by: Paul Moore Reviewed-by: Jeff Layton Message-Id: <20230808-master-v9-1-e0ecde888221@kernel.org> Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin

selinux: set next pointer before attaching to list

2023-08-18T20:13:03+00:00

Set the next pointer in filename_trans_read_helper() before attaching the new node under construction to the list, otherwise garbage would be dereferenced on subsequent failure during cleanup in the out goto label. Cc: Fixes: 430059024389 ("selinux: implement new format of filename transitions") Signed-off-by: Christian Göttsche Signed-off-by: Paul Moore

selinux: avoid bool as identifier name

2023-06-05T21:04:01+00:00

Avoid using the identifier `bool` to improve support with future C standards. C23 is about to make `bool` a predefined macro (see N2654). Signed-off-by: Christian Göttsche Signed-off-by: Paul Moore

selinux: fix Makefile for versions of make < v4.3

2023-06-02T19:34:29+00:00

As noted in the comments of this commit, the current SELinux Makefile requires features found in make v4.3 or later, which is problematic as the Linux Kernel currently only requires make v3.82. This patch fixes the SELinux Makefile so that it works properly on these older versions of make, and adds a couple of comments to the Makefile about how it can be improved once make v4.3 is required by the kernel. Fixes: 6f933aa7dfd0 ("selinux: more Makefile tweaks") Signed-off-by: Paul Moore

selinux: make labeled NFS work when mounted before policy load

2023-05-30T21:44:34+00:00

Currently, when an NFS filesystem that supports passing LSM/SELinux labels is mounted during early boot (before the SELinux policy is loaded), it ends up mounted without the labeling support (i.e. with Fedora policy all files get the generic NFS label system_u:object_r:nfs_t:s0). This is because the information that the NFS mount supports passing labels (communicated to the LSM layer via the kern_flags argument of security_set_mnt_opts()) gets lost and when the policy is loaded the mount is initialized as if the passing is not supported. Fix this by noting the "native labeling" in newsbsec->flags (using a new SE_SBNATIVE flag) on the pre-policy-loaded call of selinux_set_mnt_opts() and then making sure it is respected on the second call from delayed_superblock_init(). Additionally, make inode_doinit_with_dentry() initialize the inode's label from its extended attributes whenever it doesn't find it already intitialized by the filesystem. This is needed to properly initialize pre-existing inodes when delayed_superblock_init() is called. It should not trigger in any other cases (and if it does, it's still better to initialize the correct label instead of leaving the inode unlabeled). Fixes: eb9ae686507b ("SELinux: Add new labeling type native labels") Tested-by: Scott Mayhew Signed-off-by: Ondrej Mosnacek [PM: fixed 'Fixes' tag format] Signed-off-by: Paul Moore

selinux: cleanup exit_sel_fs() declaration

2023-05-30T20:43:25+00:00

exit_sel_fs() has been removed since commit f22f9aaf6c3d ("selinux: remove the runtime disable functionality"). Signed-off-by: Xiu Jianfeng Signed-off-by: Paul Moore

selinux: deprecated fs ocon

2023-05-23T19:37:56+00:00

The object context type `fs`, not to be confused with the well used object context type `fscon`, was introduced in the initial git commit 1da177e4c3f4 ("Linux-2.6.12-rc2") but never actually used since. The paper "A Security Policy Configuration for the Security-Enhanced Linux" [1] mentions it under `7.2 File System Contexts` but also states: Currently, this configuration is unused. The policy statement defining such object contexts is `fscon`, e.g.: fscon 2 3 gen_context(system_u:object_r:conA_t,s0) \ gen_context(system_u:object_r:conB_t,s0) It is not documented at selinuxproject.org or in the SELinux notebook and not supported by the Reference Policy buildsystem - the statement is not properly sorted - and thus not used in the Reference or Fedora Policy. Print a warning message at policy load for each such object context: SELinux: void and deprecated fs ocon 02:03 This topic was initially highlighted by Nicolas Iooss [2]. [1]: https://media.defense.gov/2021/Jul/29/2002815735/-1/-1/0/SELINUX-SECURITY-POLICY-CONFIGURATION-REPORT.PDF [2]: https://lore.kernel.org/selinux/CAJfZ7=mP2eJaq2BfO3y0VnwUJaY2cS2p=HZMN71z1pKjzaT0Eg@mail.gmail.com/ Signed-off-by: Christian Göttsche [PM: tweaked deprecation comment, description line wrapping] Signed-off-by: Paul Moore

selinux: make header files self-including

2023-05-18T18:12:43+00:00

Include all necessary headers in header files to enable third party applications, like LSP servers, to resolve all used symbols. ibpkey.h: include "flask.h" for SECINITSID_UNLABELED initial_sid_to_string.h: include for NULL Signed-off-by: Christian Göttsche Signed-off-by: Paul Moore

selinux: keep context struct members in sync

2023-05-18T17:38:39+00:00

Commit 53f3517ae087 ("selinux: do not leave dangling pointer behind") reset the `str` field of the `context` struct in an OOM error branch. In this struct the fields `str` and `len` are coupled and should be kept in sync. Set the length to zero according to the string be set to NULL. Fixes: 53f3517ae087 ("selinux: do not leave dangling pointer behind") Signed-off-by: Christian Göttsche Signed-off-by: Paul Moore