aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Moore <pmoore@redhat.com>2014-02-28 07:23:24 -0500
committerMark Salyzyn <salyzyn@google.com>2015-01-20 19:06:18 +0000
commit3d14663dd6a16ae50ed9f3d893e2be04c39b39a5 (patch)
tree182f4d823ea24fad0d9efd73763804b803c6150e
parent5b5b6febcab05ef9e8972ead4cc3cf8381d45a95 (diff)
downloadlinux-linaro-stable-3d14663dd6a16ae50ed9f3d893e2be04c39b39a5.tar.gz
selinux: put the mmap() DAC controls before the MAC controls
commit 0909c0ae999c325b9d34c6f4710f40730ae3bc24 upstream. It turns out that doing the SELinux MAC checks for mmap() before the DAC checks was causing users and the SELinux policy folks headaches as users were seeing a lot of SELinux AVC denials for the memprotect:mmap_zero permission that would have also been denied by the normal DAC capability checks (CAP_SYS_RAWIO). Example: # cat mmap_test.c #include <stdlib.h> #include <stdio.h> #include <errno.h> #include <sys/mman.h> int main(int argc, char *argv[]) { int rc; void *mem; mem = mmap(0x0, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (mem == MAP_FAILED) return errno; printf("mem = %p\n", mem); munmap(mem, 4096); return 0; } # gcc -g -O0 -o mmap_test mmap_test.c # ./mmap_test mem = (nil) # ausearch -m AVC | grep mmap_zero type=AVC msg=audit(...): avc: denied { mmap_zero } for pid=1025 comm="mmap_test" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect This patch corrects things so that when the above example is run by a user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as the DAC capability check fails before the SELinux permission check. Change-Id: Ic3b2ef30d13c15ca7c60adbd3c3b93ebe251c7bc Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--security/selinux/hooks.c20
1 files changed, 8 insertions, 12 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8923208b4be7..0436fe9bbe0e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3178,24 +3178,20 @@ error:
static int selinux_mmap_addr(unsigned long addr)
{
- int rc = 0;
- u32 sid = current_sid();
+ int rc;
+
+ /* do DAC check on address space usage */
+ rc = cap_mmap_addr(addr);
+ if (rc)
+ return rc;
- /*
- * notice that we are intentionally putting the SELinux check before
- * the secondary cap_file_mmap check. This is such a likely attempt
- * at bad behaviour/exploit that we always want to get the AVC, even
- * if DAC would have also denied the operation.
- */
if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
+ u32 sid = current_sid();
rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
MEMPROTECT__MMAP_ZERO, NULL);
- if (rc)
- return rc;
}
- /* do DAC check on address space usage */
- return cap_mmap_addr(addr);
+ return rc;
}
static int selinux_mmap_file(struct file *file, unsigned long reqprot,