[kernel/f20] Add patch to fix SELinux labels on /proc files (rhbz 1084829)
Josh Boyer
jwboyer at fedoraproject.org
Wed Apr 9 14:06:14 UTC 2014
commit c4920da303e1abf4502c4aaa37027274b7013e63
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed Apr 9 10:05:37 2014 -0400
Add patch to fix SELinux labels on /proc files (rhbz 1084829)
kernel.spec | 7 ++
...rectly-label-proc-inodes-in-use-before-th.patch | 109 ++++++++++++++++++++
2 files changed, 116 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 09bece0..bd01576 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -777,6 +777,9 @@ Patch25054: rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
#rhbz 1074235
Patch25055: lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
+#rhbz 1084829
+Patch25056: selinux-correctly-label-proc-inodes-in-use-before-th.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1510,6 +1513,9 @@ ApplyPatch rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
#rhbz 1074235
ApplyPatch lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
+#rhbz 1084829
+ApplyPatch selinux-correctly-label-proc-inodes-in-use-before-th.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2322,6 +2328,7 @@ fi
# || ||
%changelog
* Wed Apr 09 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- Add patch to fix SELinux lables on /proc files (rhbz 1084829)
- Add patch to fix S3 in KVM guests (rhbz 1074235)
* Thu Apr 03 2014 Justin M. Forbes <jforbes at fedoraproject.org> - 3.13.9-200
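Review bot: typo in the added changelog line, "SELinux lables" should be "SELinux labels"; the same misspelling is in the commit subject, so correct both before this is pushed, since the changelog text ends up verbatim in the built RPM.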
diff --git a/selinux-correctly-label-proc-inodes-in-use-before-th.patch b/selinux-correctly-label-proc-inodes-in-use-before-th.patch
new file mode 100644
index 0000000..5c05899
--- /dev/null
+++ b/selinux-correctly-label-proc-inodes-in-use-before-th.patch
@@ -0,0 +1,109 @@
+Bugzilla: 1084829
+Upstream-status: 3.15 (needs to be on 3.13 and 3.14)
+
+From f64410ec665479d7b4b77b7519e814253ed0f686 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore at redhat.com>
+Date: Wed, 19 Mar 2014 16:46:18 -0400
+Subject: [PATCH] selinux: correctly label /proc inodes in use before the
+ policy is loaded
+
+This patch is based on an earlier patch by Eric Paris, he describes
+the problem below:
+
+ "If an inode is accessed before policy load it will get placed on a
+ list of inodes to be initialized after policy load. After policy
+ load we call inode_doinit() which calls inode_doinit_with_dentry()
+ on all inodes accessed before policy load. In the case of inodes
+ in procfs that means we'll end up at the bottom where it does:
+
+ /* Default to the fs superblock SID. */
+ isec->sid = sbsec->sid;
+
+ if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
+ if (opt_dentry) {
+ isec->sclass = inode_mode_to_security_class(...)
+ rc = selinux_proc_get_sid(opt_dentry,
+ isec->sclass,
+ &sid);
+ if (rc)
+ goto out_unlock;
+ isec->sid = sid;
+ }
+ }
+
+ Since opt_dentry is null, we'll never call selinux_proc_get_sid()
+ and will leave the inode labeled with the label on the superblock.
+ I believe a fix would be to mimic the behavior of xattrs. Look
+ for an alias of the inode. If it can't be found, just leave the
+ inode uninitialized (and pick it up later) if it can be found, we
+ should be able to call selinux_proc_get_sid() ..."
+
+On a system exhibiting this problem, you will notice a lot of files in
+/proc with the generic "proc_t" type (at least the ones that were
+accessed early in the boot), for example:
+
+ # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
+ system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax
+
+However, with this patch in place we see the expected result:
+
+ # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
+ system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax
+
+Cc: Eric Paris <eparis at redhat.com>
+Signed-off-by: Paul Moore <pmoore at redhat.com>
+Acked-by: Eric Paris <eparis at redhat.com>
+---
+ security/selinux/hooks.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 1dd948485e48..d5d67c93b65c 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1402,15 +1402,33 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
+ isec->sid = sbsec->sid;
+
+ if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
+- if (opt_dentry) {
+- isec->sclass = inode_mode_to_security_class(inode->i_mode);
+- rc = selinux_proc_get_sid(opt_dentry,
+- isec->sclass,
+- &sid);
+- if (rc)
+- goto out_unlock;
+- isec->sid = sid;
+- }
++ /* We must have a dentry to determine the label on
++ * procfs inodes */
++ if (opt_dentry)
++ /* Called from d_instantiate or
++ * d_splice_alias. */
++ dentry = dget(opt_dentry);
++ else
++ /* Called from selinux_complete_init, try to
++ * find a dentry. */
++ dentry = d_find_alias(inode);
++ /*
++ * This can be hit on boot when a file is accessed
++ * before the policy is loaded. When we load policy we
++ * may find inodes that have no dentry on the
++ * sbsec->isec_head list. No reason to complain as
++ * these will get fixed up the next time we go through
++ * inode_doinit() with a dentry, before these inodes
++ * could be used again by userspace.
++ */
++ if (!dentry)
++ goto out_unlock;
++ isec->sclass = inode_mode_to_security_class(inode->i_mode);
++ rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
++ dput(dentry);
++ if (rc)
++ goto out_unlock;
++ isec->sid = sid;
+ }
+ break;
+ }
+--
+1.8.5.3
+
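Review bot: in the SE_SBPROC block of hooks.c, the new `if (!dentry) goto out_unlock;` runs after `isec->sid = sbsec->sid;` has already been assigned two lines above the `if`, and it takes the same exit path as a genuine error without setting `rc`, so correctness rests entirely on the comment's claim that the inode is left unmarked as initialized and revisited on the next `inode_doinit()` with a dentry. The code that marks the inode initialized is outside the shown context, so for the 3.13 and 3.14 backports confirm that `out_unlock` still sits before that assignment in those trees, otherwise such inodes would be frozen at the superblock label (proc_t) instead of being retried. The hunk also assigns to a `dentry` local that is not declared anywhere in the hunk; it must already exist in `inode_doinit_with_dentry()` in the target trees, which is worth checking when the patch is applied. Minor style point: the two short comments (`/* We must have a dentry to determine the label on` ... `* procfs inodes */` and `/* Called from d_instantiate or` ... `* d_splice_alias. */`) close on the last text line, while the longer comment below them uses the kernel's usual layout with `/*` and `*/` on their own lines; pick one layout for the three.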
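A check for the symptom the commit message describes, added here as an example; it is not part of the Fedora commit or of the upstream SELinux patch. It reads `<context> <path>` lines as produced by `stat -c '%C %n'` (or two-column `ls -Z`) and reports entries under /proc/sys whose SELinux type is the generic proc_t. It assumes the refpolicy convention that sysctl entries carry a sysctl_*_t type while other /proc files (such as /proc/cpuinfo) are legitimately proc_t, so only paths under /proc/sys are flagged. The function names and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Fedora commit or the upstream SELinux patch.
# Flags /proc/sys entries whose SELinux type is the generic proc_t, the
# symptom the commit message above shows for /proc/sys/kernel/shmmax.
# Assumption (refpolicy convention): files under /proc/sys should carry a
# sysctl_*_t type; proc_t elsewhere in /proc is the correct label.

# Read "<user>:<role>:<type>:<range> <path>" lines on stdin (the format of
# `stat -c '%C %n'` and of two-column `ls -Z`) and print each path under
# /proc/sys whose type component is proc_t. An MLS range may itself contain
# ':' (e.g. s0:c0.c1023), so the type is taken as the third ':' field rather
# than the last one. Paths under /proc/sys never contain spaces.
find_generic_proc_labels() {
    awk '
        $2 ~ /^\/proc\/sys\// {
            split($1, ctx, ":")
            if (ctx[3] == "proc_t") print $2
        }
    '
}

# Live scan of the running kernel; needs SELinux enabled and GNU stat.
scan_proc_sys() {
    find /proc/sys -type f -exec stat -c '%C %n' {} + 2>/dev/null \
        | find_generic_proc_labels
}

# Constructed sample input: two correctly labelled sysctls (one with an MLS
# category range), one sysctl stuck on proc_t, and a non-sysctl /proc file
# for which proc_t is the expected label and must not be reported.
sample_lines() {
    cat <<'EOF'
system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax
system_u:object_r:proc_t:s0 /proc/sys/kernel/hostname
system_u:object_r:sysctl_net_t:s0:c0.c1023 /proc/sys/net/ipv4/ip_forward
system_u:object_r:proc_t:s0 /proc/cpuinfo
EOF
}

# Number of mislabelled sysctls in the sample (expected: 1).
count_sample_mislabels() {
    sample_lines | find_generic_proc_labels | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    scan_proc_sys
else
    sample_lines | find_generic_proc_labels
fi
```

With no arguments the script filters the constructed sample and prints only /proc/sys/kernel/hostname; with `--live` it walks /proc/sys on the running system. After booting a kernel carrying this patch, a non-empty live result for a sysctl that was not touched before policy load points at something other than the bug fixed here, since proc_t is expected only outside /proc/sys.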