Re: selinux_check_access is not thread-safe

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, May 24, 2021 at 1:24 PM Seth Moore <sethmo@xxxxxxxxxx> wrote:
>
> Originally posted here: https://github.com/SELinuxProject/selinux/issues/287
>
> By default, selinux_check_access does not appear to be thread-safe. It
> calls avc_open, which then calls avc_init, passing NULL for all
> callback function tables. The result is that no locking is done for
> the AVC, which can corrupt the cache if multiple threads are calling
> selinux_check_access.
>
> It looks like calling avc_init, supplying lock callbacks, is the
> "easy" answer. However, the avc_init man page says that avc_init is
> deprecated. There's a new function for setting callbacks,
> selinux_set_callback, but it does not seem to support locking.
>
> I see a few possible solutions:
> 1. Update selinux_set_callback to support AVC lock functions.
> 2. Update the man pages to indicate selinux is not intended to be
> thread-safe anymore.
> 3. Update the avc_init man page, indicating it's safe to use (un-deprecate?)
>
> Note that we have observed buggy behavior with Android keystore2. Our
> quick-n-dirty fix was a serializing lock around all selinux calls:
> https://android.googlesource.com/platform/system/security/+/ff188d3a6ca38919e568f0c89f74d90c011526e9
>
> My prefered fix is either #1 or #3, as they provide slightly
> finger-grained locking than our fix.

I would recommend #1.



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux