|
|
95602a |
From 3f90090e70a5fa81bced17792fe08d9c46324da9 Mon Sep 17 00:00:00 2001
|
|
|
95602a |
From: "Ted X. Toth" <txtoth@flycast.org>
|
|
|
95602a |
Date: Thu, 13 Oct 2022 12:58:26 -0700
|
|
|
95602a |
Subject: [PATCH] manager: use target process context to set socket context
|
|
|
95602a |
|
|
|
95602a |
Use target process context to set socket context when using SELinuxContextFromNet
|
|
|
95602a |
not systemd's context. Currently when using the SELinuxContextFromNet option for
|
|
|
95602a |
a socket activated services, systemd calls getcon_raw which returns init_t and
|
|
|
95602a |
uses the resulting context to compute the context to be passed to the
|
|
|
95602a |
setsockcreatecon call. A socket of type init_t is created and listened on and
|
|
|
95602a |
this means that SELinux policy cannot be written to control which processes
|
|
|
95602a |
(SELinux types) can connect to the socket since the ref policy allows all
|
|
|
95602a |
'types' to connect to sockets of the type init_t. When security accessors see
|
|
|
95602a |
that any process can connect to a socket this raises serious concerns. I have
|
|
|
95602a |
spoken with SELinux contributors in person and on the mailing list and the
|
|
|
95602a |
consensus is that the best solution is to use the target executables context
|
|
|
95602a |
when computing the sockets context in all cases.
|
|
|
95602a |
|
|
|
95602a |
[zjs review/comment:
|
|
|
95602a |
|
|
|
95602a |
This removes the branch that was added in 16115b0a7b7cdf08fb38084d857d572d8a9088dc.
|
|
|
95602a |
16115b0a7b7cdf08fb38084d857d572d8a9088dc did two things: it had the branch here
|
|
|
95602a |
in 'socket_determine_selinux_label()' and a code in 'exec_child()' to call
|
|
|
95602a |
'label_get_child_mls_label(socket_fd, command->path, &label)'.
|
|
|
95602a |
|
|
|
95602a |
Before this patch, the flow was:
|
|
|
95602a |
'''
|
|
|
95602a |
mac_selinux_get_child_mls_label:
|
|
|
95602a |
peercon = getpeercon_raw(socket_fd);
|
|
|
95602a |
if (!exec_label)
|
|
|
95602a |
exec_label = getfilecon_raw(exe);
|
|
|
95602a |
|
|
|
95602a |
socket_open_fds:
|
|
|
95602a |
if (params->selinux_context_net) #
|
|
|
95602a |
label = mac_selinux_get_our_label(); # this part is removed
|
|
|
95602a |
else #
|
|
|
95602a |
label = mac_selinux_get_create_label_from_exe(path);
|
|
|
95602a |
socket_address_listen_in_cgroup(s, &p->address, label);
|
|
|
95602a |
|
|
|
95602a |
exec_child():
|
|
|
95602a |
exec_context = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context);
|
|
|
95602a |
setexeccon(exec_context);
|
|
|
95602a |
'''
|
|
|
95602a |
]
|
|
|
95602a |
|
|
|
95602a |
(cherry picked from commit 29dbc62d74f7b7881dc3136e68e03a03ea055b36)
|
|
|
95602a |
|
|
|
95602a |
Resolves: #2136738
|
|
|
95602a |
---
|
|
|
95602a |
src/core/socket.c | 58 ++++++++++++++++++++---------------------------
|
|
|
95602a |
1 file changed, 24 insertions(+), 34 deletions(-)
|
|
|
95602a |
|
|
|
95602a |
diff --git a/src/core/socket.c b/src/core/socket.c
|
|
|
95602a |
index d1ca0a07c5..8aa5463b25 100644
|
|
|
95602a |
--- a/src/core/socket.c
|
|
|
95602a |
+++ b/src/core/socket.c
|
|
|
95602a |
@@ -1434,47 +1434,37 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
|
|
|
95602a |
assert(s);
|
|
|
95602a |
assert(ret);
|
|
|
95602a |
|
|
|
95602a |
- if (s->selinux_context_from_net) {
|
|
|
95602a |
- /* If this is requested, get label from the network label */
|
|
|
95602a |
-
|
|
|
95602a |
- r = mac_selinux_get_our_label(ret);
|
|
|
95602a |
- if (r == -EOPNOTSUPP)
|
|
|
95602a |
- goto no_label;
|
|
|
95602a |
-
|
|
|
95602a |
- } else {
|
|
|
95602a |
- /* Otherwise, get it from the executable we are about to start */
|
|
|
95602a |
- r = socket_instantiate_service(s);
|
|
|
95602a |
- if (r < 0)
|
|
|
95602a |
- return r;
|
|
|
95602a |
+ r = socket_instantiate_service(s);
|
|
|
95602a |
+ if (r < 0)
|
|
|
95602a |
+ return r;
|
|
|
95602a |
|
|
|
95602a |
- if (!UNIT_ISSET(s->service))
|
|
|
95602a |
- goto no_label;
|
|
|
95602a |
- service = SERVICE(UNIT_DEREF(s->service));
|
|
|
95602a |
+ if (!UNIT_ISSET(s->service))
|
|
|
95602a |
+ goto no_label;
|
|
|
95602a |
+ service = SERVICE(UNIT_DEREF(s->service));
|
|
|
95602a |
|
|
|
95602a |
- exec_context = service->exec_context.selinux_context;
|
|
|
95602a |
- if (exec_context) {
|
|
|
95602a |
- char *con;
|
|
|
95602a |
+ exec_context = service->exec_context.selinux_context;
|
|
|
95602a |
+ if (exec_context) {
|
|
|
95602a |
+ char *con;
|
|
|
95602a |
|
|
|
95602a |
- con = strdup(exec_context);
|
|
|
95602a |
- if (!con)
|
|
|
95602a |
- return -ENOMEM;
|
|
|
95602a |
+ con = strdup(exec_context);
|
|
|
95602a |
+ if (!con)
|
|
|
95602a |
+ return -ENOMEM;
|
|
|
95602a |
|
|
|
95602a |
- *ret = TAKE_PTR(con);
|
|
|
95602a |
- return 0;
|
|
|
95602a |
- }
|
|
|
95602a |
+ *ret = TAKE_PTR(con);
|
|
|
95602a |
+ return 0;
|
|
|
95602a |
+ }
|
|
|
95602a |
|
|
|
95602a |
- c = service->exec_command[SERVICE_EXEC_START];
|
|
|
95602a |
- if (!c)
|
|
|
95602a |
- goto no_label;
|
|
|
95602a |
+ c = service->exec_command[SERVICE_EXEC_START];
|
|
|
95602a |
+ if (!c)
|
|
|
95602a |
+ goto no_label;
|
|
|
95602a |
|
|
|
95602a |
- r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
|
|
|
95602a |
- if (r < 0)
|
|
|
95602a |
- goto no_label;
|
|
|
95602a |
+ r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
|
|
|
95602a |
+ if (r < 0)
|
|
|
95602a |
+ goto no_label;
|
|
|
95602a |
|
|
|
95602a |
- r = mac_selinux_get_create_label_from_exe(path, ret);
|
|
|
95602a |
- if (IN_SET(r, -EPERM, -EOPNOTSUPP))
|
|
|
95602a |
- goto no_label;
|
|
|
95602a |
- }
|
|
|
95602a |
+ r = mac_selinux_get_create_label_from_exe(path, ret);
|
|
|
95602a |
+ if (IN_SET(r, -EPERM, -EOPNOTSUPP))
|
|
|
95602a |
+ goto no_label;
|
|
|
95602a |
|
|
|
95602a |
return r;
|
|
|
95602a |
|