From 0a9876f36b08706d9954d8ccb42d0cd85f210333 Mon Sep 17 00:00:00 2001 From: Michal Orzel Date: Thu, 31 Mar 2022 19:33:57 +0200 Subject: selinux: Remove redundant assignments Get rid of redundant assignments which end up in values not being read either because they are overwritten or the function ends. Reported by clang-tidy [deadcode.DeadStores] Signed-off-by: Michal Orzel Signed-off-by: Paul Moore --- security/selinux/hooks.c | 1 - 1 file changed, 1 deletion(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e9e959343de9..f792835b3fb6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6487,7 +6487,6 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) goto abort_change; /* Only allow single threaded processes to change context */ - error = -EPERM; if (!current_is_single_threaded()) { error = security_bounded_transition(&selinux_state, tsec->sid, sid); -- cgit v1.2.3-70-g09d2 From 81200b0265b15609dcecf192e3f7fb238ec0d3da Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 8 Mar 2022 17:11:57 -0500 Subject: selinux: checkreqprot is deprecated, add some ssleep() discomfort The checkreqprot functionality was disabled by default back in Linux v4.4 (2015) with commit 2a35d196c160e3 ("selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and it was officially marked as deprecated in Linux v5.7. It was always a bit of a hack to workaround very old userspace and to the best of our knowledge, the checkreqprot functionality has been disabled by Linux distributions for quite some time. This patch moves the deprecation messages from KERN_WARNING to KERN_ERR and adds a five second sleep to anyone using it to help draw their attention to the deprecation and provide a URL which helps explain things in more detail. Signed-off-by: Paul Moore --- security/selinux/hooks.c | 4 +++- security/selinux/include/security.h | 6 ++++++ security/selinux/selinuxfs.c | 4 ++-- 3 files changed, 11 insertions(+), 3 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f792835b3fb6..f1ee1bfc11de 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -145,7 +145,7 @@ static int __init checkreqprot_setup(char *str) if (!kstrtoul(str, 0, &checkreqprot)) { selinux_checkreqprot_boot = checkreqprot ? 1 : 0; if (checkreqprot) - pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n"); + pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n"); } return 1; } @@ -7293,6 +7293,8 @@ static __init int selinux_init(void) memset(&selinux_state, 0, sizeof(selinux_state)); enforcing_set(&selinux_state, selinux_enforcing_boot); + if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE) + pr_err("SELinux: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero. This is deprecated and will be rejected in a future kernel release.\n"); checkreqprot_set(&selinux_state, selinux_checkreqprot_boot); selinux_avc_init(&selinux_state.avc); mutex_init(&selinux_state.status_lock); diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ace4bd13e808..f7e6be63adfb 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -16,6 +16,8 @@ #include #include #include +#include +#include #include "flask.h" #include "policycap.h" @@ -150,6 +152,10 @@ static inline bool checkreqprot_get(const struct selinux_state *state) static inline void checkreqprot_set(struct selinux_state *state, bool value) { + if (value) { + pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n"); + ssleep(5); + } WRITE_ONCE(state->checkreqprot, value); } diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 6568bc48cd3e..6c8b6a0ddecf 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -757,8 +757,8 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, char comm[sizeof(current->comm)]; memcpy(comm, current->comm, sizeof(comm)); - pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n", - comm, current->pid); + pr_err("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n", + comm, current->pid); } checkreqprot_set(fsi->state, (new_value ? 1 : 0)); -- cgit v1.2.3-70-g09d2 From c29722fad4aabbf6bb841b8f058f858ec911df56 Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Tue, 8 Mar 2022 18:09:26 +0100 Subject: selinux: log anon inode class name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Log the anonymous inode class name in the security hook inode_init_security_anon. This name is the key for name based type transitions on the anon_inode security class on creation. Example: type=AVC msg=audit(02/16/22 22:02:50.585:216) : avc: granted \ { create } for pid=2136 comm=mariadbd anonclass=[io_uring] \ scontext=system_u:system_r:mysqld_t:s0 \ tcontext=system_u:system_r:mysqld_iouring_t:s0 tclass=anon_inode Add a new LSM audit data type holding the inode and the class name. Signed-off-by: Christian Göttsche [PM: adjusted 'anonclass' to be a trusted string, cgzones approved] Signed-off-by: Paul Moore --- include/linux/lsm_audit.h | 2 ++ security/lsm_audit.c | 3 +++ security/selinux/hooks.c | 4 ++-- 3 files changed, 7 insertions(+), 2 deletions(-) (limited to 'security/selinux/hooks.c') diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index 17d02eda9538..97a8b21eb033 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -76,6 +76,7 @@ struct common_audit_data { #define LSM_AUDIT_DATA_IBENDPORT 14 #define LSM_AUDIT_DATA_LOCKDOWN 15 #define LSM_AUDIT_DATA_NOTIFICATION 16 +#define LSM_AUDIT_DATA_ANONINODE 17 union { struct path path; struct dentry *dentry; @@ -96,6 +97,7 @@ struct common_audit_data { struct lsm_ibpkey_audit *ibpkey; struct lsm_ibendport_audit *ibendport; int reason; + const char *anonclass; } u; /* this union contains LSM specific data */ union { diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 1897cbf6fc69..78a278f28e49 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -433,6 +433,9 @@ static void dump_common_audit_data(struct audit_buffer *ab, audit_log_format(ab, " lockdown_reason=\"%s\"", lockdown_reasons[a->u.reason]); break; + case LSM_AUDIT_DATA_ANONINODE: + audit_log_format(ab, " anonclass=%s", a->u.anonclass); + break; } /* switch (a->type) */ } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f1ee1bfc11de..beceb89f68d9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2964,8 +2964,8 @@ static int selinux_inode_init_security_anon(struct inode *inode, * allowed to actually create this type of anonymous inode. */ - ad.type = LSM_AUDIT_DATA_INODE; - ad.u.inode = inode; + ad.type = LSM_AUDIT_DATA_ANONINODE; + ad.u.anonclass = name ? (const char *)name->name : "?"; return avc_has_perm(&selinux_state, tsec->sid, -- cgit v1.2.3-70-g09d2