Re: cron: SE Linux support uses obsolete API and gets wrong results

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 16 Mar 2019 20:59:21 +1100 Russell Coker <russell@xxxxxxxxxxxx> wrote:

Hello,

>
> Mar 16 20:36:39 xev cron[14032]: (rjc) ENTRYPOINT FAILED (crontabs/rjc)
> Mar 16 20:36:39 xev cron[14032]: (torrent) ENTRYPOINT FAILED (crontabs/torrent)
> Mar 16 20:36:39 xev cron[14032]: (test) ENTRYPOINT FAILED (crontabs/test)
>
> When I restart crond (or run crontab for a user) on a system with the "strict" > configuration of SE Linux policy (user roles other than unconfined_r) I see
> the above in the cron log.
>
> In file included from user.c:34:
> /usr/include/selinux/flask.h:5:2: warning: #warning "Please remove any #include's of this header in your source code." [-Wcpp] > #warning "Please remove any #include's of this header in your source code."
> ^~~~~~~
> /usr/include/selinux/flask.h:6:2: warning: #warning "Instead, use string_to_security_class() to map the class name to a value." [-Wcpp] > #warning "Instead, use string_to_security_class() to map the class name to a value."
> ^~~~~~~
> In file included from user.c:35:
> /usr/include/selinux/av_permissions.h:1:2: warning: #warning "Please remove any #include of this header in your source code." [-Wcpp]
> #warning "Please remove any #include of this header in your source code."
> ^~~~~~~
> /usr/include/selinux/av_permissions.h:2:2: warning: #warning "Instead, use string_to_av_perm() to map the permission name to a value." [-Wcpp] > #warning "Instead, use string_to_av_perm() to map the permission name to a value."
> ^~~~~~~
>
> When I compile the cron package I see the above. The above is the cause of
> the incorrect processing of entry points.
>
> The following patch fixes these problems.
>
> Please note that the bug means that when the cron package that is currently in
> testing is run with the SE Linux libraries in testing it checks for
> execute_no_trans permission not entrypoint. It is unlikely that a hostile
> party could create a crontab file with a context for which execute_no_trans is > allowed without having the ability to get elevated privileges in other ways,
> but it can't be theoretically impossible.
>
> I can't be certain that there are no security implications of the bug so I

> think that getting this fix into Buster is important.

Please find here an other patch based on Russell's one.

The changes compared to the original patch are the fact that I'm cleaning context_list in case of error and I'm also using security_deny_unknown() to check whether we should allow the access in case the class or the permission is not defined.

Russel do you think you could check if this is still OK?

Are there any other comment?

Kind regards,

Laurent Bigonville

diff -u cron-3.0pl1/user.c cron-3.0pl1/user.c
--- cron-3.0pl1/user.c
+++ cron-3.0pl1/user.c
@@ -31,8 +31,6 @@
 #ifdef WITH_SELINUX
 #include <selinux/context.h>
 #include <selinux/selinux.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
 #include <selinux/get_context_list.h>
 
 static int get_security_context(char *name, int crontab_fd, security_context_t
@@ -108,13 +106,35 @@
 	* permission check for this purpose.
 	*/
 
+	security_class_t tclass = string_to_security_class("file");
+	if (!tclass) {
+		log_it(name, getpid(), "Failed to translate security class file", tabname);
+		freeconary(context_list);
+		if (security_deny_unknown() == 0) {
+			return 0;
+		} else {
+			return -1;
+		}
+	}
+
+	access_vector_t bit = string_to_av_perm(tclass, "entrypoint");
+	if (!bit) {
+		log_it(name, getpid(), "Failed to translate av perm entrypoint", tabname);
+		freeconary(context_list);
+		if (security_deny_unknown() == 0) {
+			return 0;
+		} else {
+			return -1;
+		}
+	}
+
 	for (i = 0; i < list_count; i++) {
 		retval = security_compute_av(context_list[i],
 						 file_context,
-						 SECCLASS_FILE,
-						 FILE__ENTRYPOINT,
+						 tclass,
+						 bit,
 						 &avd);
-		if (!retval && ((FILE__ENTRYPOINT & avd.allowed) == FILE__ENTRYPOINT)) {
+		if(!retval && ((bit & avd.allowed) == bit)) {
 			*rcontext = strdup(context_list[i]);
 			freecon(file_context);
 			freeconary(context_list);

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux