linux/security/selinux
Paul Moore f64410ec66 selinux: correctly label /proc inodes in use before the policy is loaded
This patch is based on an earlier patch by Eric Paris, he describes
the problem below:

  "If an inode is accessed before policy load it will get placed on a
   list of inodes to be initialized after policy load.  After policy
   load we call inode_doinit() which calls inode_doinit_with_dentry()
   on all inodes accessed before policy load.  In the case of inodes
   in procfs that means we'll end up at the bottom where it does:

     /* Default to the fs superblock SID. */
     isec->sid = sbsec->sid;

     if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
             if (opt_dentry) {
                     isec->sclass = inode_mode_to_security_class(...)
                     rc = selinux_proc_get_sid(opt_dentry,
                                               isec->sclass,
                                               &sid);
                     if (rc)
                             goto out_unlock;
                     isec->sid = sid;
             }
     }

   Since opt_dentry is null, we'll never call selinux_proc_get_sid()
   and will leave the inode labeled with the label on the superblock.
   I believe a fix would be to mimic the behavior of xattrs.  Look
   for an alias of the inode.  If it can't be found, just leave the
   inode uninitialized (and pick it up later) if it can be found, we
   should be able to call selinux_proc_get_sid() ..."

On a system exhibiting this problem, you will notice a lot of files in
/proc with the generic "proc_t" type (at least the ones that were
accessed early in the boot), for example:

   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
   system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax

However, with this patch in place we see the expected result:

   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
   system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax

Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
2014-03-19 16:46:18 -04:00
..
include selinux: look for IPsec labels on both inbound and outbound packets 2013-12-12 17:21:31 -05:00
ss SELinux: Fix memory leak upon loading policy 2014-01-07 10:21:44 -05:00
.gitignore SELinux: add .gitignore files for dynamic classes 2009-10-24 09:42:27 +08:00
avc.c selinux: remove 'flags' parameter from avc_audit() 2013-10-04 14:13:25 -07:00
exports.c selinux: sparse fix: include selinux.h in exports.c 2011-09-09 16:56:32 -07:00
hooks.c selinux: correctly label /proc inodes in use before the policy is loaded 2014-03-19 16:46:18 -04:00
Kconfig selinux: Deprecate and schedule the removal of the the compat_net functionality 2008-12-31 12:54:11 -05:00
Makefile selinux: change to new flag variable 2010-10-21 10:12:40 +11:00
netif.c net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
netlabel.c selinux: ensure that the cached NetLabel secattr matches the desired SID 2013-12-04 16:08:17 -05:00
netlink.c selinux: replace obsolete NLMSG_* with type safe nlmsg_* 2013-03-28 14:25:49 -04:00
netnode.c selinux: fix problems in netnode when BUG() is compiled out 2013-07-25 13:03:27 -04:00
netport.c SELinux: avc: remove the useless fields in avc_add_callback 2012-04-09 12:23:44 -04:00
nlmsgtab.c selinux: apply selinux checks on new audit message types 2013-11-05 11:07:35 -05:00
selinuxfs.c security: replace strict_strto*() with kstrto*() 2014-02-06 19:11:04 +11:00
xfrm.c selinux: look for IPsec labels on both inbound and outbound packets 2013-12-12 17:21:31 -05:00