From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

With the SELinux namespace feature on the horizon it becomes important to identify and reject malformed policies at load time. Otherwise memory corruptions can compromise the kernel, or NULL-pointer dereferences and BUG() encounters can bring systems down. Currently this is not a security relevant issue since loading a policy requires root privileges and permission of the currently loaded SELinux policy, making it one of the most privileged operations.

The first 9 patches are cleanup commits with manageable diffs.

Patch 10 unifies the underlying type used for security class identifiers.

Patches 11 to 21 add various checks at policy load time to reject malformed policies.

Patch 22 needs some discussion: it limits the valid set of characters and the length for strings defined by policies. Currently there are no restrictions, so control characters are accepted, e.g. Esc as part of a type name, and their length can be arbitrary. Human formatted security contexts however must not be arbitrarily long; one example is that they must fit in a page size for selinuxfs interaction and network associations. Thus the patch introduces the following restrictions:

* Disallow control characters
* Limit characters of identifiers to alphanumeric, underscore, dash, and dot
* Limit identifiers in length to 128 characters, except types to 1024 and categories to 32 (excluding the NUL terminator)

p.s.: On a related note to patch 10, the underlying type for types (and type attributes) is also not consistent: in role, range and filename transitions and in the actual datum, u32 is used, while avtables use u16, practically limiting the number of available types to 65534 (= U16_MAX - 2; 0 and U16_MAX are invalid).
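The string restrictions listed above, written out as a stand-alone validator so the check can be exercised against constructed input. This is an added illustration and not code from the patch series; it assumes ASCII-only input, an explicit length argument (policy strings carry a length field when read), the 32-character limit for sensitivities from the v2 changelog, and 0 / -EINVAL as the result convention. The `policy_str_*` names and the `POLICY_STR_*` kinds are hypothetical.

```c
/*
 * Added illustration of the policy string restrictions described in the
 * cover letter (not code from the patch series): reject control
 * characters, allow only [A-Za-z0-9_.-], and cap the length at 128 for
 * identifiers, 1024 for types and 32 for categories and sensitivities,
 * all excluding the NUL terminator.  Assumptions: ASCII-only input, an
 * explicit length argument, and 0 / -EINVAL as the result convention.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POLICY_ID_MAX_LEN    128u   /* generic identifiers (users, roles, classes, ...) */
#define POLICY_TYPE_MAX_LEN  1024u  /* types and type attributes */
#define POLICY_MLS_MAX_LEN   32u    /* categories; sensitivities per the v2 change */

enum policy_str_kind {
	POLICY_STR_ID,
	POLICY_STR_TYPE,
	POLICY_STR_CATEGORY,
	POLICY_STR_SENSITIVITY,
};

size_t policy_str_max_len(enum policy_str_kind kind)
{
	switch (kind) {
	case POLICY_STR_TYPE:
		return POLICY_TYPE_MAX_LEN;
	case POLICY_STR_CATEGORY:
	case POLICY_STR_SENSITIVITY:
		return POLICY_MLS_MAX_LEN;
	default:
		return POLICY_ID_MAX_LEN;
	}
}

/* Exactly the character set from the cover letter; no locale-dependent ctype. */
static int policy_char_ok(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

/*
 * Validate a policy string of `len` bytes (NUL terminator not counted).
 * Returns 0 when acceptable, -EINVAL otherwise.  The length is checked
 * before any byte is read, so an oversized length field is rejected
 * without touching the buffer.
 */
int policy_str_valid(const char *s, size_t len, enum policy_str_kind kind)
{
	size_t i;

	if (!s || len == 0 || len > policy_str_max_len(kind))
		return -EINVAL;

	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		/* NUL, the other C0 controls, DEL and non-ASCII are all rejected. */
		if (c < 0x20 || c >= 0x7f)
			return -EINVAL;
		if (!policy_char_ok(c))
			return -EINVAL;
	}
	return 0;
}

/* Validate a constructed string of `len` 'a' characters, to exercise the length limits. */
int policy_str_valid_filled(size_t len, enum policy_str_kind kind)
{
	static char buf[POLICY_TYPE_MAX_LEN + 2];

	if (len >= sizeof(buf))
		return -EINVAL;
	memset(buf, 'a', len);
	buf[len] = '\0';
	return policy_str_valid(buf, len, kind);
}

int main(void)
{
	/* Constructed samples; "\x1b" is the Esc byte the cover letter mentions. */
	static const struct { const char *s; enum policy_str_kind kind; } samples[] = {
		{ "httpd_t", POLICY_STR_TYPE },
		{ "system_r", POLICY_STR_ID },
		{ "c0", POLICY_STR_CATEGORY },
		{ "bad\x1bname_t", POLICY_STR_TYPE },
		{ "has space", POLICY_STR_ID },
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int rc = policy_str_valid(samples[i].s, strlen(samples[i].s), samples[i].kind);
		/* Print the index rather than the raw bytes so Esc never reaches the terminal. */
		printf("sample %zu -> %s\n", i, rc == 0 ? "accepted" : "rejected");
	}
	printf("1024 x 'a' as type -> %s\n",
	       policy_str_valid_filled(1024, POLICY_STR_TYPE) == 0 ? "accepted" : "rejected");
	printf("1025 x 'a' as type -> %s\n",
	       policy_str_valid_filled(1025, POLICY_STR_TYPE) == 0 ? "accepted" : "rejected");
	return 0;
}
```

The length check runs before the loop on purpose: a policy's length field is attacker-controlled data, so bounding it first means the byte scan never reads past what was actually read into the buffer.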
v1: https://lore.kernel.org/selinux/20241115133619.114393-23-cgoettsche@xxxxxxxxxxxxx/

v2:
- also convert ebitmap_cmp() as suggested by Daniel
- accept instead of rejecting unknown xperm specifiers to support backwards compatibility for future ones, suggested by Thiébaud
- add wrappers for str_read() to minimize the usage of magic numbers
- limit sensitivities to a length of 32, to match categories, suggested by Daniel

Christian Göttsche (22):
  selinux: supply missing field initializers
  selinux: avoid using types indicating user space interaction
  selinux: align and constify functions
  selinux: rework match_ipv6_addrmask()
  selinux: avoid nontransitive comparison
  selinux: rename comparison functions for clarity
  selinux: use known type instead of void pointer
  selinux: avoid unnecessary indirection in struct level_datum
  selinux: make use of str_read()
  selinux: use u16 for security classes
  selinux: more strict policy parsing
  selinux: check length fields in policies
  selinux: validate constraints
  selinux: pre-validate conditional expressions
  selinux: introduce ebitmap_highest_set_bit()
  selinux: check type attr map overflows
  selinux: reorder policydb_index()
  selinux: beef up isvalid checks
  selinux: validate symbols
  selinux: more strict bounds check
  selinux: check for simple types
  selinux: restrict policy strings

 security/selinux/hooks.c               |   2 +-
 security/selinux/include/classmap.h    |   2 +-
 security/selinux/include/conditional.h |   2 +-
 security/selinux/include/security.h    |   4 +-
 security/selinux/selinuxfs.c           |   2 +-
 security/selinux/ss/avtab.c            |  58 +-
 security/selinux/ss/avtab.h            |  11 +-
 security/selinux/ss/conditional.c      | 166 +++---
 security/selinux/ss/conditional.h      |   6 +-
 security/selinux/ss/constraint.h       |   2 +-
 security/selinux/ss/context.c          |   2 +-
 security/selinux/ss/context.h          |  14 +-
 security/selinux/ss/ebitmap.c          |  39 +-
 security/selinux/ss/ebitmap.h          |   8 +-
 security/selinux/ss/hashtab.h          |   4 +-
 security/selinux/ss/mls.c              |  70 ++-
 security/selinux/ss/mls.h              |   6 +-
 security/selinux/ss/mls_types.h        |   2 +-
 security/selinux/ss/policydb.c         | 698 +++++++++++++++++++------
 security/selinux/ss/policydb.h         | 116 +++-
 security/selinux/ss/services.c         |  82 +--
 security/selinux/ss/sidtab.c           |   2 +-
 security/selinux/ss/symtab.c           |   2 +-
 security/selinux/ss/symtab.h           |   2 +-
 24 files changed, 940 insertions(+), 362 deletions(-)

-- 
2.45.2