Kohei KaiGai | 25 Mar 22:05 2012

security_compute_create_name(3)

I noticed that security_compute_create_name(3) is not merged yet,
although its corresponding kernel feature got merged.

So, let me remind you of the patch I sent to the list several months ago.

I'd like to use this interface to implement special case handling
for the default labeling behavior on temporary database objects.

Thanks,

 Signed-off-by: KaiGai Kohei <kohei.kaigai@...>
---
 libselinux/include/selinux/selinux.h               |   10 ++
 libselinux/man/man3/security_compute_av.3          |   17 ++++-
 libselinux/man/man3/security_compute_create_name.3 |    1 +
 libselinux/src/compute_create.c                    |   88 +++++++++++++++++---
 libselinux/src/selinux_internal.h                  |    2 +
 5 files changed, 105 insertions(+), 13 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h
b/libselinux/include/selinux/selinux.h
index 0725b57..d0ddb78 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
 <at>  <at>  -211,6 +211,16  <at>  <at>  extern int security_compute_create_raw(const
security_context_t scon,
 				       const security_context_t tcon,
 				       security_class_t tclass,
 				       security_context_t * newcon);
+extern int security_compute_create_name(const security_context_t scon,
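Review bot: In the added security_compute_create_name prototype, `const security_context_t scon` does not make the context string read-only. security_context_t is a typedef for `char *`, so the const qualifies the pointer itself and not the characters it points at. The security_compute_create_raw declaration in the context lines above has the same pattern, so the new line follows the header's convention, but for a new interface consider `const char *scon` (and likewise for any further context arguments) so callers can pass const buffers without casts and the compiler enforces that the input context is not modified.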

Jeffrey Walton | 25 Mar 22:59 2012

Re: security_compute_create_name(3)

Forgive my ignorance, but it looks like the `snprintf` call to build
the mount path could suffer a silent truncation, possibly leading to
an incorrect mount. Does an attacker control the path name used?

	int security_compute_create_raw(security_context_t scon,
	                                security_context_t tcon,
	                                security_class_t tclass,
	                                security_context_t * newcon)
	{
	        char path[PATH_MAX];
	        char *buf;
	        size_t size;
	        int fd, ret;

	        if (!selinux_mnt) {
	                errno = ENOENT;
	                return -1;
	        }

	        snprintf(path, sizeof path, "%s/create", selinux_mnt);
	        fd = open(path, O_RDWR);
...

My apologies if
http://oss.tresys.com/projects/clip/browser/trunk/selinux-usr/libselinux/src/compute_create.c
is the incorrect file.

Jeff


Kohei KaiGai | 25 Mar 23:29 2012

Re: security_compute_create_name(3)

The selinux_mnt is not a variable given by an external one, unless
the application does not update it by itself.

It is not difficult to modify this part to return ENAMETOOLONG
when snprintf() returns a value larger than or equal to PATH_MAX. But it
is not the only point to fix in libselinux, if we try.

Thanks,

2012/3/25 Jeffrey Walton <noloader@...>:
> Forgive my ignorance, but it looks like the `snprintf` call to build
> the mount path could suffer a silent truncation, possibly leading to
> an incorrect mount. Does an attacker control the path name used?
>
>      int security_compute_create_raw(security_context_t scon,
>                                      security_context_t tcon,
>                                      security_class_t tclass,
>                                      security_context_t * newcon)
>      {
>              char path[PATH_MAX];
>              char *buf;
>              size_t size;
>              int fd, ret;
>
>              if (!selinux_mnt) {
>                      errno = ENOENT;
>                      return -1;
>              }
>
>              snprintf(path, sizeof path, "%s/create", selinux_mnt);
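The check discussed in the thread (fail with ENAMETOOLONG when snprintf() returns a value larger than or equal to the buffer size), written out as an added example that is not code from the thread or from libselinux. The helpers build_node_path and build_unchecked and the sample mount points and buffer size are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libselinux function): write "<mnt>/<node>"
 * into dst and fail instead of truncating.
 * Returns 0 on success, -1 with errno set on failure. */
static int build_node_path(char *dst, size_t dstlen,
                           const char *mnt, const char *node)
{
    int n;

    if (!mnt) {                  /* same guard as the quoted code */
        errno = ENOENT;
        return -1;
    }
    n = snprintf(dst, dstlen, "%s/%s", mnt, node);
    if (n < 0)                   /* output error; errno as set by snprintf */
        return -1;
    if ((size_t)n >= dstlen) {   /* n is the length that was needed */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Unchecked pattern from the quoted code, for comparison. Returns the
 * length actually stored so the caller can observe the truncation. */
static size_t build_unchecked(char *dst, size_t dstlen, const char *mnt)
{
    snprintf(dst, dstlen, "%s/create", mnt);
    return strlen(dst);
}

int main(void)
{
    char small[12];              /* constructed: a short buffer stands in for PATH_MAX */
    char path[64];

    if (build_node_path(path, sizeof path, "/sys/fs/selinux", "create") == 0)
        printf("ok:        %s\n", path);

    build_unchecked(small, sizeof small, "/selinux");
    printf("unchecked: %s (silently truncated)\n", small);

    if (build_node_path(small, sizeof small, "/selinux", "create") < 0)
        printf("checked:   rejected, %s\n", strerror(errno));
    return 0;
}
```

The second call in main shows the failure mode raised in the thread: the unchecked form leaves a shorter, different path in the buffer and the subsequent open() would act on that path.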

