Verify that the LSM releasing the secctx is the LSM that
allocated it. This was not necessary when only one LSM could
create a secctx, but once there can be more than one it is.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/apparmor/secid.c | 10 ++--------
security/selinux/hooks.c | 10 ++--------
2 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index 5d92fc3ab8b4..974f802cbe5a 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -122,14 +122,8 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
void apparmor_release_secctx(struct lsm_context *cp)
{
- /*
- * stacking scaffolding:
- * When it is possible for more than one LSM to provide a
- * release hook, do this check:
- * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF)
- */
-
- kfree(cp->context);
+ if (cp->id == LSM_ID_APPARMOR)
+ kfree(cp->context);
}
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 79776a5e651d..b9286c2c5efe 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6640,14 +6640,8 @@ static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
static void selinux_release_secctx(struct lsm_context *cp)
{
- /*
- * stacking scaffolding:
- * When it is possible for more than one LSM to provide a
- * release hook, do this check:
- * if (cp->id == LSM_ID_SELINUX || cp->id == LSM_ID_UNDEF)
- */
-
- kfree(cp->context);
+ if (cp->id == LSM_ID_SELINUX)
+ kfree(cp->context);
}
static void selinux_inode_invalidate_secctx(struct inode *inode)
--
2.46.0
On Oct 14, 2024 Casey Schaufler <casey@schaufler-ca.com> wrote: > > Verify that the LSM releasing the secctx is the LSM that > allocated it. This was not necessary when only one LSM could > create a secctx, but once there can be more than one it is. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > --- > security/apparmor/secid.c | 10 ++-------- > security/selinux/hooks.c | 10 ++-------- > 2 files changed, 4 insertions(+), 16 deletions(-) > > diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c > index 5d92fc3ab8b4..974f802cbe5a 100644 > --- a/security/apparmor/secid.c > +++ b/security/apparmor/secid.c > @@ -122,14 +122,8 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) > > void apparmor_release_secctx(struct lsm_context *cp) > { > - /* > - * stacking scaffolding: > - * When it is possible for more than one LSM to provide a > - * release hook, do this check: > - * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF) > - */ > - > - kfree(cp->context); > + if (cp->id == LSM_ID_APPARMOR) > + kfree(cp->context); Should we set cp->context to NULL too? One could argue that it's an unecessary assignment, given the cp->id checks, and they wouldn't be wrong, but considering the potential for a BPF LSM to do things with a lsm_context, I wonder if resetting the pointer to NULL is the smart thing to do. This obviously applies to the SELinux code (below) too. > } > > /** > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 79776a5e651d..b9286c2c5efe 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -6640,14 +6640,8 @@ static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) > > static void selinux_release_secctx(struct lsm_context *cp) > { > - /* > - * stacking scaffolding: > - * When it is possible for more than one LSM to provide a > - * release hook, do this check: > - * if (cp->id == LSM_ID_SELINUX || cp->id == LSM_ID_UNDEF) > - */ > - > - kfree(cp->context); > + if (cp->id == LSM_ID_SELINUX) > + kfree(cp->context); > } > > static void selinux_inode_invalidate_secctx(struct inode *inode) -- paul-moore.com
On 10/21/2024 4:39 PM, Paul Moore wrote: > On Oct 14, 2024 Casey Schaufler <casey@schaufler-ca.com> wrote: >> Verify that the LSM releasing the secctx is the LSM that >> allocated it. This was not necessary when only one LSM could >> create a secctx, but once there can be more than one it is. >> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> >> --- >> security/apparmor/secid.c | 10 ++-------- >> security/selinux/hooks.c | 10 ++-------- >> 2 files changed, 4 insertions(+), 16 deletions(-) >> >> diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c >> index 5d92fc3ab8b4..974f802cbe5a 100644 >> --- a/security/apparmor/secid.c >> +++ b/security/apparmor/secid.c >> @@ -122,14 +122,8 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) >> >> void apparmor_release_secctx(struct lsm_context *cp) >> { >> - /* >> - * stacking scaffolding: >> - * When it is possible for more than one LSM to provide a >> - * release hook, do this check: >> - * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF) >> - */ >> - >> - kfree(cp->context); >> + if (cp->id == LSM_ID_APPARMOR) >> + kfree(cp->context); > Should we set cp->context to NULL too? One could argue that it's an > unecessary assignment, given the cp->id checks, and they wouldn't be > wrong, but considering the potential for a BPF LSM to do things with > a lsm_context, I wonder if resetting the pointer to NULL is the > smart thing to do. Wouldn't hurt. I'll go ahead and add that. If a BPF LSM does anything with a lsm_context we're likely to hear about the many issues quite quickly. > > This obviously applies to the SELinux code (below) too. > >> } >> >> /** >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >> index 79776a5e651d..b9286c2c5efe 100644 >> --- a/security/selinux/hooks.c >> +++ b/security/selinux/hooks.c >> @@ -6640,14 +6640,8 @@ static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) >> >> static void selinux_release_secctx(struct lsm_context *cp) >> { >> - /* >> - * stacking scaffolding: >> - * When it is possible for more than one LSM to provide a >> - * release hook, do this check: >> - * if (cp->id == LSM_ID_SELINUX || cp->id == LSM_ID_UNDEF) >> - */ >> - >> - kfree(cp->context); >> + if (cp->id == LSM_ID_SELINUX) >> + kfree(cp->context); >> } >> >> static void selinux_inode_invalidate_secctx(struct inode *inode) > -- > paul-moore.com >
On Mon, Oct 21, 2024 at 8:06 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > On 10/21/2024 4:39 PM, Paul Moore wrote: > > On Oct 14, 2024 Casey Schaufler <casey@schaufler-ca.com> wrote: > >> Verify that the LSM releasing the secctx is the LSM that > >> allocated it. This was not necessary when only one LSM could > >> create a secctx, but once there can be more than one it is. > >> > >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > >> --- > >> security/apparmor/secid.c | 10 ++-------- > >> security/selinux/hooks.c | 10 ++-------- > >> 2 files changed, 4 insertions(+), 16 deletions(-) > >> > >> diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c > >> index 5d92fc3ab8b4..974f802cbe5a 100644 > >> --- a/security/apparmor/secid.c > >> +++ b/security/apparmor/secid.c > >> @@ -122,14 +122,8 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) > >> > >> void apparmor_release_secctx(struct lsm_context *cp) > >> { > >> - /* > >> - * stacking scaffolding: > >> - * When it is possible for more than one LSM to provide a > >> - * release hook, do this check: > >> - * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF) > >> - */ > >> - > >> - kfree(cp->context); > >> + if (cp->id == LSM_ID_APPARMOR) > >> + kfree(cp->context); > > Should we set cp->context to NULL too? One could argue that it's an > > unecessary assignment, given the cp->id checks, and they wouldn't be > > wrong, but considering the potential for a BPF LSM to do things with > > a lsm_context, I wonder if resetting the pointer to NULL is the > > smart thing to do. > > Wouldn't hurt. I'll go ahead and add that. If a BPF LSM does anything > with a lsm_context we're likely to hear about the many issues quite > quickly. Yes, I suspect you're right about that, at least we can protect against a UAF in this one case :) -- paul-moore.com
© 2016 - 2024 Red Hat, Inc.