authorJosh Boyer <jwboyer@fedoraproject.org>2014-04-23 13:14:40 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2014-04-23 13:14:40 -0400
commit96eedb89184a7aaef61d06c0506a579b3a923006 (patch)
tree2354dd342dd07a3bc2a8ccb883b37dd100b55028
parent7af24700f032351de7eaefdd884d53bc7751dd02 (diff)
downloadkernel-96eedb89184a7aaef61d06c0506a579b3a923006.tar.gz
kernel-96eedb89184a7aaef61d06c0506a579b3a923006.tar.xz
kernel-96eedb89184a7aaef61d06c0506a579b3a923006.zip
Fix SELinux wine issue again (rhbz 1013466)
-rw-r--r--kernel.spec9
-rw-r--r--selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch94
2 files changed, 103 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index c110a797..c60e8aeb 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -736,6 +736,9 @@ Patch25062: 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
#rhbz 1089583
Patch25064: 0001-HID-rmi-do-not-handle-touchscreens-through-hid-rmi.patch
+#rhbz 1013466
+Patch25065: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
+
# END OF PATCH DEFINITIONS
@@ -1427,6 +1430,9 @@ ApplyPatch mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
#rhbz 1071914
ApplyPatch USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch
+#rhbz 1013466
+ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2238,6 +2244,9 @@ fi
# ||----w |
# || ||
%changelog
+* Wed Apr 23 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix SELinux wine issue again (rhbz 1013466)
+
* Tue Apr 22 2014 Josh Boyer <jwboyer@fedoraproject.org>
- Add patch to fix Synaptics touchscreens and HID rmi driver (rhbz 1089583)
diff --git a/selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch b/selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
new file mode 100644
index 00000000..5d9a4ff4
--- /dev/null
+++ b/selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
@@ -0,0 +1,94 @@
+Bugzilla: 1013466
+Upstream-status: 3.15 (commit 98883bfd9d603a2760f6d53eccfaa3ae2c053e72)
+
+It turns out that doing the SELinux MAC checks for mmap() before the
+DAC checks was causing users and the SELinux policy folks headaches
+as users were seeing a lot of SELinux AVC denials for the
+memprotect:mmap_zero permission that would have also been denied by
+the normal DAC capability checks (CAP_SYS_RAWIO).
+
+Example:
+
+ # cat mmap_test.c
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <errno.h>
+ #include <sys/mman.h>
+
+ int main(int argc, char *argv[])
+ {
+ int rc;
+ void *mem;
+
+ mem = mmap(0x0, 4096,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ if (mem == MAP_FAILED)
+ return errno;
+ printf("mem = %p\n", mem);
+ munmap(mem, 4096);
+
+ return 0;
+ }
+ # gcc -g -O0 -o mmap_test mmap_test.c
+ # ./mmap_test
+ mem = (nil)
+ # ausearch -m AVC | grep mmap_zero
+ type=AVC msg=audit(...): avc: denied { mmap_zero }
+ for pid=1025 comm="mmap_test"
+ scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+ tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+ tclass=memprotect
+
+This patch corrects things so that when the above example is run by a
+user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as
+the DAC capability check fails before the SELinux permission check.
+
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+---
+ security/selinux/hooks.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 57b0b49..e3664ae 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3205,24 +3205,20 @@ error:
+
+ static int selinux_mmap_addr(unsigned long addr)
+ {
+- int rc = 0;
+- u32 sid = current_sid();
++ int rc;
++
++ /* do DAC check on address space usage */
++ rc = cap_mmap_addr(addr);
++ if (rc)
++ return rc;
+
+- /*
+- * notice that we are intentionally putting the SELinux check before
+- * the secondary cap_file_mmap check. This is such a likely attempt
+- * at bad behaviour/exploit that we always want to get the AVC, even
+- * if DAC would have also denied the operation.
+- */
+ if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
++ u32 sid = current_sid();
+ rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
+ MEMPROTECT__MMAP_ZERO, NULL);
+- if (rc)
+- return rc;
+ }
+
+- /* do DAC check on address space usage */
+- return cap_mmap_addr(addr);
++ return rc;
+ }
+
+ static int selinux_mmap_file(struct file *file, unsigned long reqprot,
+
+_______________________________________________
+Selinux mailing list
+Selinux@tycho.nsa.gov
+To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
+To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
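Review bot: The new ordering in selinux_mmap_addr silently gives up the audit signal the deleted comment existed to protect, and the surviving `/* do DAC check on address space usage */` no longer explains why DAC now runs first. Once `cap_mmap_addr()` fails for a task without CAP_SYS_RAWIO the function returns before `avc_has_perm()` is reached, so a page-zero / low-address mapping attempt by an unprivileged process no longer produces a memprotect:mmap_zero AVC, and as far as this hunk shows nothing else records that attempt, which matters to anyone whose detection rules key on that denial. I would put the trade-off where the old rationale was, e.g. `/* DAC first: a task without CAP_SYS_RAWIO is refused here without an AVC, so the mmap_zero permission is only audited for tasks that already passed the capability check. */`, and mention the lost audit record in the bug or changelog rather than only in code. The body of selinux_mmap_addr is visible in full in this hunk; the `error:` label above it and `selinux_mmap_file()` below are unrelated context.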